Fix level validation for attribute access on record literals #1505

@john-h-kastner-aws

Description

Bug Category

Schemas and Validation

Describe the bug

If I use level validation at level 0 on

permit(principal, action, resource) when {
  {a: true, b: principal.jobLevel}.a
};

I don't get any errors even though the principal.jobLevel access should require level 1.

Note that record literals aren't entirely broken. This seems to be more related to the attribute access operation causing level checking to ignore the other attribute.

For example, there is an error reported for the original policy if we use has a instead of .a, and there is also an error reported for the following policy checking equality of record literals.

permit(principal, action, resource) when {
  {a: true, b: principal.jobLevel} == {a: true, b: 0}
};

When fixing this, be careful to handle a record literal containing an entity literal correctly. This policy should not error even though User::"bob".jobLevel would be an error.

permit(principal, action, resource) when {
  {a: principal, b: User::"bob"}.a.jobLevel == 0
};

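To make the expected behaviour concrete, here is an added toy level checker over a small expression subset. It is not Cedar's validator and not code from the reporter; it only models the rule the report relies on: every field of a record literal is evaluated at runtime, so every field must be level-checked even when a later `.a` reads only one of them, while an entity literal stored in an unread field must not trip the check. Assumptions of this toy: the root variables start with a dereference budget equal to the level, entity literals are never dereferenceable (matching the remark that User::"bob".jobLevel is an error), `has` on an entity is treated like an attribute read, and the schema is replaced by a constructed lookup in which only `manager` is entity-typed.

```rust
use std::collections::BTreeMap;

/// Expression subset, just enough to encode the policies in the report.
#[derive(Debug, Clone)]
enum Expr {
    Bool(bool),
    Long(i64),
    Var(&'static str),                 // principal / action / resource / context
    EntityLit(&'static str),           // e.g. User::"bob"
    Record(Vec<(&'static str, Expr)>), // {a: ..., b: ...}
    GetAttr(Box<Expr>, &'static str),  // e.a
    HasAttr(Box<Expr>, &'static str),  // e has a
    Eq(Box<Expr>, Box<Expr>),          // e1 == e2
}

/// The only thing the checker tracks about a value is whether it can still be dereferenced.
#[derive(Debug, Clone, PartialEq)]
enum Shape {
    /// `Some(n)`: an entity that may be dereferenced n more times within the level budget.
    /// `None`: an entity literal, never dereferenceable (assumption of this toy).
    Entity { derefs_left: Option<u32> },
    /// A record literal: the shape of each field, so `.a` can be resolved statically.
    Record(BTreeMap<&'static str, Shape>),
    /// Anything else (booleans, longs, results of `has` and `==`).
    Other,
}

/// Constructed stand-in for a schema lookup: `manager` is entity-typed, every other
/// attribute is plain data. `derefs_left` is the budget remaining after this access.
fn attr_shape(attr: &str, derefs_left: u32) -> Shape {
    if attr == "manager" { Shape::Entity { derefs_left: Some(derefs_left) } } else { Shape::Other }
}

/// One attribute access on a value of the given shape.
fn deref(shape: Shape, attr: &'static str) -> Result<Shape, String> {
    match shape {
        Shape::Entity { derefs_left: None } => Err(format!("entity literal dereferenced by `{attr}`")),
        Shape::Entity { derefs_left: Some(0) } => Err(format!("`{attr}` needs a level higher than allowed")),
        Shape::Entity { derefs_left: Some(n) } => Ok(attr_shape(attr, n - 1)),
        Shape::Record(fields) => fields.get(attr).cloned().ok_or_else(|| format!("no attribute `{attr}`")),
        Shape::Other => Err(format!("`{attr}` applied to a non-entity, non-record value")),
    }
}

/// Level-check `e` with the given budget; Ok carries the static shape of its value.
fn check(e: &Expr, level: u32) -> Result<Shape, String> {
    match e {
        Expr::Bool(_) | Expr::Long(_) => Ok(Shape::Other),
        Expr::Var(_) => Ok(Shape::Entity { derefs_left: Some(level) }),
        Expr::EntityLit(_) => Ok(Shape::Entity { derefs_left: None }),
        Expr::Record(fields) => {
            // Every field is evaluated at runtime, so every field is checked here regardless
            // of which attribute (if any) is read later. Skipping this is the reported bug.
            let mut shapes = BTreeMap::new();
            for (name, fe) in fields {
                shapes.insert(*name, check(fe, level)?);
            }
            Ok(Shape::Record(shapes))
        }
        Expr::GetAttr(inner, attr) => deref(check(inner, level)?, attr),
        Expr::HasAttr(inner, attr) => {
            let s = check(inner, level)?;
            // `has` on an entity is treated like a read (assumption); on a record it is free.
            if matches!(s, Shape::Entity { .. }) { deref(s, attr)?; }
            Ok(Shape::Other)
        }
        Expr::Eq(l, r) => { check(l, level)?; check(r, level)?; Ok(Shape::Other) }
    }
}

fn attr(e: Expr, a: &'static str) -> Expr { Expr::GetAttr(Box::new(e), a) }
fn principal() -> Expr { Expr::Var("principal") }
fn literal_record() -> Expr {
    Expr::Record(vec![("a", principal()), ("b", Expr::EntityLit("User::\"bob\""))])
}

/// {a: true, b: principal.jobLevel}.a  (the reported false negative at level 0)
fn policy_getattr() -> Expr {
    attr(Expr::Record(vec![("a", Expr::Bool(true)), ("b", attr(principal(), "jobLevel"))]), "a")
}
/// {a: true, b: principal.jobLevel} has a
fn policy_hasattr() -> Expr {
    let r = Expr::Record(vec![("a", Expr::Bool(true)), ("b", attr(principal(), "jobLevel"))]);
    Expr::HasAttr(Box::new(r), "a")
}
/// {a: true, b: principal.jobLevel} == {a: true, b: 0}
fn policy_eq() -> Expr {
    let l = Expr::Record(vec![("a", Expr::Bool(true)), ("b", attr(principal(), "jobLevel"))]);
    let r = Expr::Record(vec![("a", Expr::Bool(true)), ("b", Expr::Long(0))]);
    Expr::Eq(Box::new(l), Box::new(r))
}
/// {a: principal, b: User::"bob"}.a.jobLevel == 0  (must pass at level 1: `b` is never read)
fn policy_entity_lit() -> Expr {
    Expr::Eq(Box::new(attr(attr(literal_record(), "a"), "jobLevel")), Box::new(Expr::Long(0)))
}
/// {a: principal, b: User::"bob"}.b.jobLevel  (must fail at any level: reads through the literal)
fn policy_deref_literal() -> Expr { attr(attr(literal_record(), "b"), "jobLevel") }

fn validates(e: &Expr, level: u32) -> bool { check(e, level).is_ok() }

fn main() {
    let policies = [
        ("{a: true, b: principal.jobLevel}.a", policy_getattr()),
        ("{a: true, b: principal.jobLevel} has a", policy_hasattr()),
        ("{a: true, b: principal.jobLevel} == {a: true, b: 0}", policy_eq()),
        ("{a: principal, b: User::\"bob\"}.a.jobLevel == 0", policy_entity_lit()),
        ("{a: principal, b: User::\"bob\"}.b.jobLevel", policy_deref_literal()),
    ];
    for (text, e) in &policies {
        for level in 0..=1 {
            match check(e, level) {
                Ok(_) => println!("level {level}: {text}  -> ok"),
                Err(msg) => println!("level {level}: {text}  -> error: {msg}"),
            }
        }
    }
}
```

The point of the model is in the `Record` arm: the record's fields are checked before `.a` ever selects one, so the `principal.jobLevel` hidden in `b` is rejected at level 0 for `.a`, `has a` and `==` alike, while `{a: principal, b: User::"bob"}.a.jobLevel` passes at level 1 because the literal in `b` is only ever stored, never dereferenced.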

Labels: bug (Something isn't working. This is a high priority issue.)