casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0

Policy Enforce explain not logging for model with RBAC with deny override #337

Closed aryalrabin closed 1 year ago

aryalrabin commented 1 year ago

The model with deny override is not logging the Hit Policy when the request is evaluated to true.

2023-03-21 21:33:56 INFO  PolicyEngine:33 - Empty Policy added [[alice, data1, read, allow], [bob, data2, write, allow], [data2_admin, data2, read, allow], [data2_admin, data2, write, allow], [alice, data2, write, deny]]
2023-03-21 21:34:58 INFO  jcasbin:99 - Request: [alice, data1, read] ---> true
2023-03-21 21:34:58 INFO  jcasbin:101 - Hit Policy: []

The model

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

The Policy

p, alice, data1, read, allow
p, bob, data2, write, allow
p, data2_admin, data2, read, allow
p, data2_admin, data2, write, allow
p, alice, data2, write, deny

g, alice, data2_admin

casbin-bot commented 1 year ago

@tangyang9464 @imp2002

aryalrabin commented 1 year ago

However, for a model without deny override, the Hit Policy is logged:

2023-03-21 21:41:24 INFO  PolicyEngine:33 - Empty Policy added [[alice, data1, read, allow], [bob, data2, write, allow], [data2_admin, data2, read, allow], [data2_admin, data2, write, allow], [alice, data2, write, deny]]
2023-03-21 21:41:30 INFO  jcasbin:99 - Request: [alice, data1, read] ---> true
2023-03-21 21:41:30 INFO  jcasbin:101 - Hit Policy: [alice, data1, read, allow]

The Model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
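
The two models in this thread (the deny-override effect in the first comment and the allow-only effect in the second) differ only in how a matching deny rule is treated, and the complaint is that the explain list ("Hit Policy") comes back empty for the deny-override model even though the request is allowed. The Python evaluator below is an added example, not jcasbin's or casbin's own code: it re-implements the matcher m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act, the role link g, and both policy_effect expressions over the exact policy rows posted in the issue, and returns the rule that decided each request alongside the decision. The names enforce_ex, has_role, matches and the "allow_override"/"deny_override" labels are assumptions made for this example.

```python
"""Minimal evaluator for the two policy_effect expressions in the thread,
with "explain" (hit policy) tracking.  Added example; not jcasbin code.
Policy rows and role link are copied from the issue and embedded here so
the script runs offline."""

from typing import Dict, List, Set, Tuple

Policy = Tuple[str, str, str, str]   # p = sub, obj, act, eft
Request = Tuple[str, str, str]       # r = sub, obj, act

# p rules from the issue (constructed inline)
POLICIES: List[Policy] = [
    ("alice", "data1", "read", "allow"),
    ("bob", "data2", "write", "allow"),
    ("data2_admin", "data2", "read", "allow"),
    ("data2_admin", "data2", "write", "allow"),
    ("alice", "data2", "write", "deny"),
]

# g, alice, data2_admin  -> user -> set of roles it inherits
ROLE_LINKS: Dict[str, Set[str]] = {"alice": {"data2_admin"}}


def has_role(user: str, role: str, links: Dict[str, Set[str]] = ROLE_LINKS) -> bool:
    """g(r.sub, p.sub): true when user == role or user inherits role, transitively."""
    if user == role:
        return True
    seen: Set[str] = set()
    stack = [user]
    while stack:
        cur = stack.pop()
        for parent in links.get(cur, ()):
            if parent == role:
                return True
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return False


def matches(req: Request, p: Policy) -> bool:
    """m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act"""
    sub, obj, act = req
    return has_role(sub, p[0]) and obj == p[1] and act == p[2]


def enforce_ex(req: Request, effect: str,
               policies: List[Policy] = POLICIES) -> Tuple[bool, List[Policy]]:
    """Return (decision, explain).  explain holds the rule that decided the
    request: the first matching allow when allowed, the matching deny when a
    deny overrides, and [] when nothing matched.

    effect == "allow_override": e = some(where (p.eft == allow))
    effect == "deny_override":  e = some(where (p.eft == allow))
                                    && !some(where (p.eft == deny))
    """
    matched = [p for p in policies if matches(req, p)]
    allows = [p for p in matched if p[3] == "allow"]
    denies = [p for p in matched if p[3] == "deny"]

    if effect == "allow_override":
        # a deny row is simply not counted; any matching allow wins
        return bool(allows), allows[:1]
    if effect == "deny_override":
        if denies:
            # one matching deny is enough to refuse; it is the hit policy
            return False, denies[:1]
        return bool(allows), allows[:1]
    raise ValueError(f"unknown effect: {effect}")


if __name__ == "__main__":
    for req in [("alice", "data1", "read"), ("alice", "data2", "write"),
                ("alice", "data2", "read"), ("bob", "data1", "read")]:
        for eff in ("allow_override", "deny_override"):
            ok, why = enforce_ex(req, eff)
            print(f"{eff:15} Request: {list(req)} ---> {ok}  Hit Policy: "
                  f"{[list(p) for p in why]}")
```

The alice/data2/write request shows why the effect expression matters: under the allow-only effect the explicit deny row is ignored and the data2_admin allow inherited through g wins, whereas deny-override refuses it and names the deny row. For the request in the thread, alice/data1/read, both effects allow and the hit policy should be the alice/data1/read/allow row, not an empty list, which is what a check of the fix reported for 1.32.3 should look for.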

github-actions[bot] commented 1 year ago

:tada: This issue has been resolved in version 1.32.3 :tada:

The release is available on:

Your semantic-release bot :package::rocket: