Fix level checking for access on an if expression #1507

@john-h-kastner-aws

Description

Bug Category

Schemas and Validation

Describe the bug

It looks like the guard of an if expression is being considered when level checking any access on an if expression. Only the branches should be considered (though the guard should of course be checked independently).

For example, an error is reported for this policy:

permit(principal, action, resource) when {
  (
    if principal.jobLevel == 0 then
      principal
    else
      principal
  ).jobLevel == 0
};

I think this happens because it looks at the guard where there was already an attribute access, and then reports an error when it sees another access in the outer expression.

Expected behavior

.

Reproduction steps

.

Labels: papercut (Small annoyances in the Cedar SDK. Lower priority fixes than bugs. Smaller than a feature request)

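A toy level checker that reproduces the behaviour described in this issue, added here as an example; it is not part of the original report and not Cedar's validator code. It assumes a simplified rule (an expression's level is the longest chain of attribute accesses starting at an entity variable), and `Expr`, `walk`, `required_level`, `guard_leaks` and `issue_policy` are hypothetical names.

```rust
// Toy model, not Cedar's validator: an expression's level is the longest chain
// of attribute accesses starting at an entity variable (an assumption).
enum Expr {
    Var,                                  // `principal` or `resource`
    Lit,                                  // a constant such as `0`
    Attr(Box<Expr>),                      // `e.attr`
    Eq(Box<Expr>, Box<Expr>),             // `a == b`
    If(Box<Expr>, Box<Expr>, Box<Expr>),  // `if g then t else f`
}
use Expr::*;

/// Returns (depth of the value `e` produces, deepest access anywhere in `e`).
/// `guard_leaks` models the reported behaviour: the guard's accesses are
/// charged to the value of the `if`, so an outer access goes one level deeper.
fn walk(e: &Expr, guard_leaks: bool) -> (u32, u32) {
    match e {
        Var | Lit => (0, 0),
        Attr(inner) => {
            let (d, m) = walk(inner, guard_leaks);
            (d + 1, m.max(d + 1))
        }
        // A comparison yields a boolean, so its own value has depth 0.
        Eq(a, b) => (0, walk(a, guard_leaks).1.max(walk(b, guard_leaks).1)),
        If(g, t, f) => {
            let (_, gm) = walk(g, guard_leaks); // guard is still checked on its own
            let ((td, tm), (fd, fm)) = (walk(t, guard_leaks), walk(f, guard_leaks));
            let branches = td.max(fd); // only a branch can be the result
            let value = if guard_leaks { branches.max(gm) } else { branches };
            (value, gm.max(tm).max(fm))
        }
    }
}

/// Level the policy condition needs in order to validate.
fn required_level(e: &Expr, guard_leaks: bool) -> u32 {
    walk(e, guard_leaks).1
}

/// The `when` condition of the policy quoted in the issue.
fn issue_policy() -> Expr {
    let guard = Eq(Box::new(Attr(Box::new(Var))), Box::new(Lit)); // principal.jobLevel == 0
    let ite = If(Box::new(guard), Box::new(Var), Box::new(Var));
    Eq(Box::new(Attr(Box::new(ite))), Box::new(Lit)) // (if ...).jobLevel == 0
}

fn main() {
    let p = issue_policy();
    println!("guard counted: level {}", required_level(&p, true));
    println!("branches only: level {}", required_level(&p, false));
}
```

With the guard counted, the policy appears to need level 2 and would be rejected at level 1; with only the branches counted, it needs level 1, while a deeper access inside the guard still raises the requirement.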