feat: fix CheckLoginPermission() logic

object/check.go

@@ -361,6 +361,8 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 		return false, err
 	}
 
+	allowPermissionCount := 0
+	denyPermissionCount := 0
 	allowCount := 0
 	denyCount := 0
 	for _, permission := range permissions {
@@ -368,8 +370,13 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 			continue
 		}
 
-		if permission.isUserHit(userId) {
-			allowCount += 1
+		if !permission.isUserHit(userId) {
+			if permission.Effect == "Allow" {
+				allowPermissionCount += 1
+			} else {
+				denyPermissionCount += 1
+			}
+			continue
 		}
 
 		enforcer := getPermissionEnforcer(permission)
@@ -391,8 +398,18 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 		}
 	}
 
+	// Deny-override, if one deny is found, then deny
 	if denyCount > 0 {
 		return false, nil
+	} else if allowCount > 0 {
+		return true, nil
+	}
+
+	// For no-allow and no-deny condition
+	// If only allow permissions exist, we suppose it's Deny-by-default, aka no-allow means deny
+	// Otherwise, it's Allow-by-default, aka no-deny means allow
+	if allowPermissionCount > 0 && denyPermissionCount == 0 {
+		return false, nil
 	}
 	return true, nil
 }

object/permission.go

@@ -424,10 +424,10 @@ func (p *Permission) GetId() string {
 }
 
 func (p *Permission) isUserHit(name string) bool {
-	targetOrg, _ := util.GetOwnerAndNameFromId(name)
+	targetOrg, targetName := util.GetOwnerAndNameFromId(name)
 	for _, user := range p.Users {
 		userOrg, userName := util.GetOwnerAndNameFromId(user)
-		if userOrg == targetOrg && userName == "*" {
+		if userOrg == targetOrg && (userName == "*" || userName == targetName) {
 			return true
 		}
 	}
@@ -436,7 +436,7 @@ func (p *Permission) isUserHit(name string) bool {
 
 func (p *Permission) isResourceHit(name string) bool {
 	for _, resource := range p.Resources {
-		if name == resource {
+		if resource == "*" || resource == name {
 			return true
 		}
 	}