Copilot AI commented Nov 11, 2025

Users were confused about how enforceEx() works with RBAC models, specifically whether it checks grouping policies. The method works correctly but lacked documentation explaining its behavior with role-based permissions.

Changes

Documentation (README.md)

  • Added section explaining enforceEx() return value structure
  • Clarified that matched rules show the role's policy, not the user's, when access is granted via role inheritance

Example (examples/rbac_with_enforce_ex.js)

  • Demonstrates direct vs role-based permission checking
  • Shows how to interpret matched rules for debugging/auditing

Tests (test/enforcer.test.ts)

  • Added TestEnforceExWithRBACModel verifying RBAC role matching returns correct policy rules

Code Documentation (src/coreEnforcer.ts)

  • Enhanced JSDoc for enforceEx() and enforceExSync() with examples

Key Behavior

```js
// Policy: p, admin, data1, read
// Grouping: g, alice, admin

const [allowed, rule] = await enforcer.enforceEx('alice', 'data1', 'read');
// Returns: [true, ['admin', 'data1', 'read']]
//                  ^^^^^^^ matched rule shows role's policy, not user's
```

The matched rule indicates which policy allowed access, useful for audit trails in RBAC systems where a single user may have permissions through multiple roles.

Original prompt

This section details the original issue you should resolve

<issue_title>Why can't I use enforcer to judge the req using the rbac model?</issue_title>
<issue_description>I save the policy in MySQL, and I have initialized the enforcer with rbac_model.conf, but I find it doesn't succeed: it returns true only
when sub, obj, act are the same as in the p policy in the db, and it doesn't check the g policy. How can I modify my code to achieve the result of RBAC?

```ts
export const authorizeUser = async (
  sub: string,
  obj: string,
  act: string
) => {
  const enforcer = await CasbinManager.getEnforcer();
  // console.log("sub: ", sub, "dom: ", dom, "obj: ", obj, "act: ", act);
  // console.log(await enforcer?.getPolicy());
  // console.log(await enforcer?.getGroupingPolicy());
  const res = enforcer?.enforceEx(
    sub,
    obj,
    act
  );
  console.log(await res);
  return true;
};
```

```
[request_definition]
r = sub,  obj, act

[policy_definition]
p = sub,  obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub)  && r.obj == p.obj && r.act == p.act
```
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>



@hsluoyz hsluoyz marked this pull request as ready for review November 11, 2025 16:15
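
As an added example (not code from this pull request or from node-casbin), the sketch below evaluates the issue's matcher over constructed policy and grouping rows to show why the matched rule names the role rather than the user, and wraps it in a check that returns the actual decision. The names `hasRole`, `enforceExSketch` and `authorize` are hypothetical, and returning an empty rule on denial is an assumption of this sketch.

```javascript
// Added illustration, not node-casbin code: a minimal evaluator for the
// matcher  m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
// The policy and grouping rows below are constructed sample data.
const policies = [
  ['admin', 'data1', 'read'],
  ['editor', 'data1', 'write'],
  ['bob', 'data2', 'read'],
];
const groupings = [
  ['alice', 'admin'],  // g, alice, admin
  ['carol', 'lead'],   // g, carol, lead
  ['lead', 'editor'],  // g, lead, editor (inherited transitively)
];

// g(sub, role): true when sub is the role itself or reaches it via grouping rows.
function hasRole(sub, role, seen = new Set()) {
  if (sub === role) return true;
  if (seen.has(sub)) return false; // guard against cyclic role definitions
  seen.add(sub);
  return groupings.some(([member, parent]) =>
    member === sub && hasRole(parent, role, seen));
}

// Same [allowed, matchedRule] shape as described for enforceEx(): the matched
// rule is the p row that satisfied the matcher, so its first field is the
// role for an inherited grant and the user only for a direct grant.
function enforceExSketch(sub, obj, act) {
  const rule = policies.find(([pSub, pObj, pAct]) =>
    hasRole(sub, pSub) && obj === pObj && act === pAct);
  return rule ? [true, rule] : [false, []];
}

// Fail-closed wrapper: returns the decision itself (never a constant) and
// records whether access came from a direct policy or through a role.
function authorize(sub, obj, act, audit = []) {
  const [allowed, rule] = enforceExSketch(sub, obj, act);
  const via = !allowed ? 'none' : rule[0] === sub ? 'direct' : `role:${rule[0]}`;
  audit.push({ sub, obj, act, allowed, via, rule });
  return allowed === true;
}
```
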
@CLAassistant
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Copilot AI and others added 2 commits November 11, 2025 16:22
Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>
Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix enforcer to properly check RBAC policies" to "Add documentation and examples for enforceEx() with RBAC models" Nov 11, 2025
Copilot AI requested a review from hsluoyz November 11, 2025 16:35