feat: add GetAllUsers() API to separate users from roles (#1652)

hsluoyz · hsluoyz · commit 1aba8b9b0d8d · 2026-01-06T15:49:32.000+08:00
diff --git a/enforcer_interface.go b/enforcer_interface.go
@@ -101,6 +101,7 @@ type IEnforcer interface {
 	GetAllNamedActions(ptype string) ([]string, error)
 	GetAllRoles() ([]string, error)
 	GetAllNamedRoles(ptype string) ([]string, error)
+	GetAllUsers() ([]string, error)
 	GetPolicy() ([][]string, error)
 	GetFilteredPolicy(fieldIndex int, fieldValues ...string) ([][]string, error)
 	GetNamedPolicy(ptype string) ([][]string, error)
diff --git a/enforcer_synced.go b/enforcer_synced.go
@@ -285,6 +285,13 @@ func (e *SyncedEnforcer) GetAllNamedRoles(ptype string) ([]string, error) {
 	return e.Enforcer.GetAllNamedRoles(ptype)
 }
 
+// GetAllUsers gets the list of users that show up in the current policy.
+func (e *SyncedEnforcer) GetAllUsers() ([]string, error) {
+	e.m.RLock()
+	defer e.m.RUnlock()
+	return e.Enforcer.GetAllUsers()
+}
+
 // GetPolicy gets all the authorization rules in the policy.
 func (e *SyncedEnforcer) GetPolicy() ([][]string, error) {
 	e.m.RLock()
diff --git a/management_api.go b/management_api.go
@@ -76,6 +76,23 @@ func (e *Enforcer) GetAllNamedRoles(ptype string) ([]string, error) {
 	return e.model.GetValuesForFieldInPolicy("g", ptype, 1)
 }
 
+// GetAllUsers gets the list of users that show up in the current policy.
+// Users are subjects that are not roles (i.e., subjects that do not appear as the second element in any grouping policy).
+func (e *Enforcer) GetAllUsers() ([]string, error) {
+	subjects, err := e.GetAllSubjects()
+	if err != nil {
+		return nil, err
+	}
+
+	roles, err := e.GetAllRoles()
+	if err != nil {
+		return nil, err
+	}
+
+	users := util.SetSubtract(subjects, roles)
+	return users, nil
+}
+
 // GetPolicy gets all the authorization rules in the policy.
 func (e *Enforcer) GetPolicy() ([][]string, error) {
 	return e.GetNamedPolicy("p")
diff --git a/management_api_test.go b/management_api_test.go
@@ -41,6 +41,7 @@ func TestGetList(t *testing.T) {
 	testStringList(t, "Objects", e.GetAllObjects, []string{"data1", "data2"})
 	testStringList(t, "Actions", e.GetAllActions, []string{"read", "write"})
 	testStringList(t, "Roles", e.GetAllRoles, []string{"data2_admin"})
+	testStringList(t, "Users", e.GetAllUsers, []string{"alice", "bob"})
 }
 
 func TestGetListWithDomains(t *testing.T) {
@@ -50,6 +51,7 @@ func TestGetListWithDomains(t *testing.T) {
 	testStringList(t, "Objects", e.GetAllObjects, []string{"data1", "data2"})
 	testStringList(t, "Actions", e.GetAllActions, []string{"read", "write"})
 	testStringList(t, "Roles", e.GetAllRoles, []string{"admin"})
+	testStringList(t, "Users", e.GetAllUsers, []string{})
 }
 
 func testGetPolicy(t *testing.T, e *Enforcer, res [][]string) {

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ func TestGetList(t *testing.T) {`
`41`	`41`	`testStringList(t, "Objects", e.GetAllObjects, []string{"data1", "data2"})`
`42`	`42`	`testStringList(t, "Actions", e.GetAllActions, []string{"read", "write"})`
`43`	`43`	`testStringList(t, "Roles", e.GetAllRoles, []string{"data2_admin"})`
	`44`	`+ testStringList(t, "Users", e.GetAllUsers, []string{"alice", "bob"})`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`func TestGetListWithDomains(t *testing.T) {`
`@@ -50,6 +51,7 @@ func TestGetListWithDomains(t *testing.T) {`
`50`	`51`	`testStringList(t, "Objects", e.GetAllObjects, []string{"data1", "data2"})`
`51`	`52`	`testStringList(t, "Actions", e.GetAllActions, []string{"read", "write"})`
`52`	`53`	`testStringList(t, "Roles", e.GetAllRoles, []string{"admin"})`
	`54`	`+ testStringList(t, "Users", e.GetAllUsers, []string{})`
`53`	`55`	`}`
`54`	`56`
`55`	`57`	`func testGetPolicy(t testing.T, e Enforcer, res [][]string) {`