[Bug] Confusing result of evaluation of a policy containing an OR not wrapped in parentheses

[maxtwardowski]

Describe the bug
The enforcer seems to ignore the remaining components of the matcher when one of its evaluated expressions contains an x || y condition. However, it works as intended when the condition is wrapped in parentheses (x || y). The issue is not reproducible in the live editor but I've created a Go repl.it for a simple repro.

To Reproduce

1. Create a model.conf file with content as follows:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub_rule, obj_rule, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = eval(p.sub_rule) && eval(p.obj_rule) && (p.act == '*' || r.act == p.act)

2. Create a policy.conf file with an expression containing an OR (||) - for simplicity let's just have a dummy || false:

p, r.sub.Role == 'admin' || false, r.obj.ResourceType == 'users', write

3. Execute the code below - check whether admin can write resource of type definitely NOT users:

package main

import (
	"fmt"
        "embed"

        "github.com/casbin/casbin/v2"
        casbin_fs_adapter "github.com/naucon/casbin-fs-adapter"
        "github.com/pkg/errors"
)

//go:embed model.conf policy.conf
var f embed.FS

type subject struct {
	Role string
}

type object struct {
	ResourceType string

	Role string
}

func main() {
        model, err := casbin_fs_adapter.NewModel(f, "model.conf")
	if err != nil {
		panic(err)
	}
	policies := casbin_fs_adapter.NewAdapter(f, "policy.conf")

	e, err := casbin.NewEnforcer(model, policies)
	if err != nil {
		panic(errors.Wrap(err, "failed to initialize casbin enforcer"))
	}

        s := subject{Role: "admin"}
        o := object{ResourceType: "definitely NOT users"}
        a := "write"

        res, err := e.Enforce(s, o, a)
	if err != nil {
		panic(errors.Wrap(err, "failed to authorize resource access"))
	}

        fmt.Println("enforce res:", res)
}

4. The result of the Enforce call is true even though it clearly should be false since 'users' != 'definitely NOT users'
5. Now change the policy so that the condition is wrapped in parentheses i.e.:
   p, (r.sub.Role == 'admin' || false), r.obj.ResourceType == 'users', write
6. The result of the Enforce is false as expected.

Expected behavior
Parentheses shouldn't matter in this case IMHO - the current behavior is quite confusing especially that it doesn't affect AND conditions.

[casbin-bot]

@tangyang9464 @closetool @sagilio

[hsluoyz]

@Abingcbc @abichinger @sagilio @nodece

[Abingcbc]

@maxtwardowski There are some bugs in your reproduction progress.

invalid request size: expected 2, got 3

I will use your example https://replit.com/@MaxTwardowski1/Casbin-OR-bug-repro?v=1 as a test case :)

[maxtwardowski]

@maxtwardowski There are some bugs in your reproduction progress.

invalid request size: expected 2, got 3

I will use your example https://replit.com/@MaxTwardowski1/Casbin-OR-bug-repro?v=1 as a test case :)

@Abingcbc Oops, I must've pasted some wrong model file... Fixed!