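--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -193,22 +193,33 @@ func (s *service) authorizeResource(ctx context.Context, op *authz.Policy, resou
 // for example admin in project1, then apply RBAC enforcement
 m := entities .CurrentMembership (ctx )
 
-// iterate through all resource memberships and find any that matches
+var matchingResources []* entities.ResourceMembership
+// First, collect all memberships that match the requested resource type and ID
 for _ , rm := range m .Resources {
 if rm .ResourceType == resourceType && rm .ResourceID == resourceID {
-pass , err := s .enforcer .Enforce (string (rm .Role ), op )
-if err != nil {
-return handleUseCaseErr (err , s .log )
-}
-
-if pass {
-s .log .Debugw ("msg" , "authorized using user membership" , "resource_id" , resourceID .String (), "resource_type" , resourceType , "role" , rm .Role , "membership_id" , rm .MembershipID , "user_id" , m .UserID )
-return nil
-}
+matchingResources = append (matchingResources , rm )
 }
 }
 
 var defaultMessage = fmt .Sprintf ("you do not have permissions to access to the %s associated with this resource" , resourceType )
+// If no matching resources were found, return forbidden error
+if len (matchingResources ) == 0 {
+return errors .Forbidden ("forbidden" , defaultMessage )
+}
+
+// Try to enforce the policy with each matching role
+// If any role passes, authorize the request
+for _ , rm := range matchingResources {
+pass , err := s .enforcer .Enforce (string (rm .Role ), op )
+if err != nil {
+return handleUseCaseErr (err , s .log )
+}
+
+if pass {
+s .log .Debugw ("msg" , "authorized using user membership" , "resource_id" , resourceID .String (), "resource_type" , resourceType , "role" , rm .Role , "membership_id" , rm .MembershipID , "user_id" , m .UserID )
+return nil
+}
+}
 
 // If none of the roles pass, return forbidden error
 return errors .Forbidden ("forbidden" , defaultMessage )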
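Review bot: The early return added at new lines 205-208 is redundant: when matchingResources is empty the second loop runs zero times and the function falls through to the identical `errors.Forbidden("forbidden", defaultMessage)` at line 225, so the two-phase split preserves the original single-pass semantics exactly while adding a slice allocation per call; either drop the len==0 block or give it a distinct outcome. What the denied path still lacks is any trace: a caller whose roles all fail gets a generic forbidden and nothing is logged, which makes authorization denials invisible to detection and audit, so consider a line before the final return such as `s.log.Debugw("authorization denied", "resource_id", resourceID.String(), "resource_type", resourceType, "user_id", m.UserID, "memberships_tried", len(matchingResources))`. The Debugw call at line 219 passes the literal "msg" as the message and the real text as a key-value pair; if s.log follows the sugared-logger convention the first argument is the message, so `s.log.Debugw("authorized using user membership", "resource_id", ...)` reads as intended. Note that returning on the first Enforce error (line 215) before trying the remaining memberships is fail-closed, which is the right default for an authorization check. authorizeResource begins before the hunk, so the origin of m and whether CurrentMembership can yield nil is not visible here.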