feat: fix CheckLoginPermission() logic

2025-07-03 04:10:20 +08:00 · 2023-10-13 15:41:23 +08:00
parent 80a8000057
commit ec0a8e16f7
3 changed files with 45 additions and 13 deletions
--- a/object/check.go
+++ b/object/check.go
@ -361,6 +361,8 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 		return false, err
 	}

+	allowPermissionCount := 0
+	denyPermissionCount := 0
 	allowCount := 0
 	denyCount := 0
 	for _, permission := range permissions {
@ -368,8 +370,13 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 			continue
 		}

-		if permission.isUserHit(userId) {
-			allowCount += 1
+		if !permission.isUserHit(userId) {
+			if permission.Effect == "Allow" {
+				allowPermissionCount += 1
+			} else {
+				denyPermissionCount += 1
+			}
+			continue
 		}

 		enforcer := getPermissionEnforcer(permission)
@ -391,8 +398,18 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 		}
 	}

+	// Deny-override, if one deny is found, then deny
 	if denyCount > 0 {
 		return false, nil
+	} else if allowCount > 0 {
+		return true, nil
+	}
+
+	// For no-allow and no-deny condition
+	// If only allow permissions exist, we suppose it's Deny-by-default, aka no-allow means deny
+	// Otherwise, it's Allow-by-default, aka no-deny means allow
+	if allowPermissionCount > 0 && denyPermissionCount == 0 {
+		return false, nil
 	}
 	return true, nil
 }