fix: Set hit rule to first matched allow rule for allow-and-deny effe…

…ct (#124)

src/Effector/DefaultEffector.php

@@ -75,9 +75,14 @@ public function mergeEffects(string $expr, array $effects, array $matches, int $
                 }
 
                 if ($eft == Effector::ALLOW) {
+                    // set hit rule to first matched allow rule, maybe overridden by the deny part
+                    if ($result == Effector::INDETERMINATE) {
+                        $explainIndex = $i;
+                    }
                     $result = Effector::ALLOW;
                 } elseif ($eft == Effector::DENY) {
                     $result = Effector::DENY;
+                    // set hit rule to the (first) matched deny rule
                     $explainIndex = $i;
                     break;
                 }

tests/EnforcerTest.php

@@ -326,9 +326,9 @@ public function testEnforceRbacWithDeny()
     public function testEnforceExRbacWithDeny()
     {
         $e = new Enforcer($this->modelAndPolicyPath . '/rbac_with_deny_model.conf', $this->modelAndPolicyPath . '/rbac_with_deny_policy.csv');
-        $this->assertEquals($e->enforceEx('alice', 'data1', 'read'), [true, []]);
-        $this->assertEquals($e->enforceEx('bob', 'data2', 'write'), [true, []]);
-        $this->assertEquals($e->enforceEx('alice', 'data2', 'read'), [true, []]);
+        $this->assertEquals($e->enforceEx('alice', 'data1', 'read'), [true, ['alice', 'data1', 'read', 'allow']]);
+        $this->assertEquals($e->enforceEx('bob', 'data2', 'write'), [true, ['bob', 'data2', 'write', 'allow']]);
+        $this->assertEquals($e->enforceEx('alice', 'data2', 'read'), [true, ['data2_admin', 'data2', 'read', 'allow']]);
         $this->assertEquals($e->enforceEx('alice', 'data2', 'write'), [false, ['alice', 'data2', 'write', 'deny']]);
     }