This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

Loading conflicting grants from same level. #53

Open
PrashamTrivedi opened this issue May 14, 2020 · 1 comment

Comments

@PrashamTrivedi

Two grants are loaded from the database.

const role1 = {
    role: 'role1',
    resource: 'person',
    action: ['create', 'view', 'treat'],
    attributes: ['*']
}

and

const role2 = {
    role: 'role2',
    resource: 'person',
    action: ['update', 'greet', '!create'],
    attributes: ['*'],
}

With the following test code.

const grantsToLoad = [role1, role2]
ac.setGrants(grantsToLoad)

const roles = ac.getRoles()
const permission = await ac.can(roles).execute('create').on('person')
expect(permission.granted).toEqual(false)

I expect create to be denied, as it is explicitly mentioned in the action of role2. But the actual result is that the permission to create is granted. Thus explicit denial is not taken into consideration.

The code behind this behavior is in the filter of getUnionAttrsOfRolesSync, where role2 is being filtered out in favor of the positive action.

public static getUnionAttrsOfRolesSync(grants: any, query: IQueryInfo): string[] {
    const matchingGrants = (this.getUnionGrantsOfRolesSync(grants, query))
        .filter((grant) => {
            return this.anyMatch(query.resource, grant.resource)
                && this.anyMatch(query.action, grant.action);
        });
    return (this.filterGrantsAllowingSync(matchingGrants, query))
        .map((grant) => {
            return ArrayUtil.toStringArray(grant.attributes);
        }).reduce(Notation.Glob.union, []);
}

@koladilip
Contributor

This can be solved using the deny feature; currently, this library does not support it. "!create" doesn't mean deny create in the current implementation; it just means that that role is not granting (but also not denying) the "create" action, and the other role is granting it, so the final result is granted.

I hope this clarifies.
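The semantics described in this thread, as an added example that is not part of the issue or of the role-acl library's code: a small model of union-of-grants resolution in which a `!action` entry simply fails to match (so it never subtracts from another role's grant), a hypothetical deny-aware resolver for contrast, and a lint that flags negated entries an engine without deny support would silently ignore. The function names `canUnion`, `canDenyAware` and `findIgnoredNegations` are this example's own; the two grants are copied from the issue.

```javascript
// Added example, not the library's implementation. Models why '!create' in
// role2 does not block 'create' when role1 grants it under union semantics.

// Constructed grants, copied from the issue above.
const role1 = {
  role: 'role1',
  resource: 'person',
  action: ['create', 'view', 'treat'],
  attributes: ['*'],
};
const role2 = {
  role: 'role2',
  resource: 'person',
  action: ['update', 'greet', '!create'],
  attributes: ['*'],
};
const grants = [role1, role2];

// Minimal glob match: '*' matches anything, otherwise exact match.
function matchOne(pattern, value) {
  return pattern === '*' || pattern === value;
}

// Union semantics (what the comment above describes): a role contributes if any
// positive action entry matches. Entries prefixed with '!' never match, so they
// only withhold a grant from that role; they cannot veto another role's grant.
function canUnion(allGrants, roles, action, resource) {
  const matching = allGrants.filter((g) =>
    roles.includes(g.role) &&
    matchOne(g.resource, resource) &&
    g.action.some((a) => !a.startsWith('!') && matchOne(a, action)));
  const attributes = [...new Set(matching.flatMap((g) => g.attributes))];
  return { granted: matching.length > 0, attributes };
}

// Hypothetical deny-aware semantics (not how the library behaves): an explicit
// '!action' on any held role for the resource wins over every grant. Default deny.
function canDenyAware(allGrants, roles, action, resource) {
  const held = allGrants.filter((g) => roles.includes(g.role) && matchOne(g.resource, resource));
  const denied = held.some((g) =>
    g.action.some((a) => a.startsWith('!') && matchOne(a.slice(1), action)));
  if (denied) return { granted: false, attributes: [] };
  const allowing = held.filter((g) =>
    g.action.some((a) => !a.startsWith('!') && matchOne(a, action)));
  return {
    granted: allowing.length > 0,
    attributes: [...new Set(allowing.flatMap((g) => g.attributes))],
  };
}

// Configuration lint: list every negated action that a union-only engine would
// ignore, so an operator can see where a "deny" was intended but is not enforced.
function findIgnoredNegations(allGrants) {
  return allGrants.flatMap((g) =>
    g.action
      .filter((a) => a.startsWith('!'))
      .map((a) => ({ role: g.role, resource: g.resource, action: a.slice(1) })));
}

// Stand-alone run: union grants 'create', deny-aware refuses it.
const roles = grants.map((g) => g.role);
console.log('union     :', canUnion(grants, roles, 'create', 'person'));
console.log('deny-aware:', canDenyAware(grants, roles, 'create', 'person'));
console.log('ignored   :', findIgnoredNegations(grants));
```

Running the lint against a grant set before loading it into an engine that has no deny support turns the surprise in this issue into a configuration error caught up front: any entry it reports is a restriction the engine will not enforce.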
