[Permissions] Ambiguous conditional decision behavior with empty anyOf criteria
#9280
Labels: bug (Something isn't working)
Conditional policy decisions with empty anyOf criteria have ambiguous behavior depending on how they are evaluated (either applied to resources in memory or converted to a database query).
Expected Behavior
The result should be the same regardless of how conditions are evaluated.
Current Behavior
Actions are denied when applying these conditions to resources in memory.
Actions are allowed when converting these conditions to a query.
Possible Solution
Add validation and possibly update static types to prevent empty allOf/anyOf criteria.
Steps to Reproduce
Context
The permission framework allows rules to define
apply
)toQuery
)
Rules can be joined together using anyOf and allOf within a PermissionCriteria object. When applying PermissionCriteria to resources in memory, the framework is responsible for evaluating these logical operators. When converting PermissionCriteria to a query, the plugin that owns the related resource type is responsible for evaluating these logical operators.
The framework will use Array.prototype.every to evaluate allOf and Array.prototype.some to evaluate oneOf. However, the behavior of these APIs is not obvious for empty arrays — [].every(() => false) === true while [].some(() => false) === false. Instead of requiring every plugin to align with this behavior, we should prevent policies from returning conditional decisions with empty criteria.
Your Environment
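The mismatch described under Context, together with validation along the lines of the Possible Solution, as an added example that is not code from the issue or from the framework. The leaf condition shape `{ key, value }` and the functions `applyCriteria`, `toWhere` and `assertNonEmptyCriteria` are hypothetical, and `toWhere` stands in for one plausible plugin-side query conversion.

```javascript
// Added illustration. All names are hypothetical, not the framework's API.
// A leaf condition is { key, value }, meaning "resource[key] === value".

// In-memory evaluation with every/some, as the issue describes.
function applyCriteria(criteria, resource) {
  if (criteria.allOf) return criteria.allOf.every(c => applyCriteria(c, resource));
  if (criteria.anyOf) return criteria.anyOf.some(c => applyCriteria(c, resource));
  return resource[criteria.key] === criteria.value;
}

// Assumed plugin-side conversion to a parameterized WHERE fragment. It emits
// nothing for an empty group, so the final query carries no restriction.
// Keys are assumed to come from fixed rule definitions, never from user input.
function toWhere(criteria, params) {
  const op = criteria.allOf ? 'AND' : criteria.anyOf ? 'OR' : null;
  if (op === null) {
    params.push(criteria.value);
    return `${criteria.key} = ?`;
  }
  const parts = (criteria.allOf || criteria.anyOf)
    .map(c => toWhere(c, params))
    .filter(Boolean);
  return parts.length ? `(${parts.join(` ${op} `)})` : '';
}

// Validation in the spirit of the proposed fix: reject empty groups anywhere
// in the tree before the decision reaches either evaluator.
function assertNonEmptyCriteria(criteria, path = 'criteria') {
  for (const op of ['allOf', 'anyOf']) {
    if (!(op in criteria)) continue;
    const children = criteria[op];
    if (!Array.isArray(children) || children.length === 0) {
      throw new TypeError(`${path}.${op} must be a non-empty array`);
    }
    children.forEach((c, i) => assertNonEmptyCriteria(c, `${path}.${op}[${i}]`));
  }
  return criteria;
}

// Constructed sample data.
const resource = { owner: 'team-a', kind: 'component' };
const emptyAnyOf = { anyOf: [] };
console.log(applyCriteria(emptyAnyOf, resource)); // in-memory result
console.log(JSON.stringify(toWhere(emptyAnyOf, []))); // query fragment
```

Running the validator on every conditional decision before it is returned gives both evaluation paths the same, non-empty input.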