refactor: add policy type reference check like Go Casbin

Copilot · hsluoyz · Copilot · commit 2cebcf542c1b · 2025-12-08T11:09:07.000Z
Check if matcher contains policy type tokens (e.g., p_, p2_) before evaluating, consistent with Go Casbin implementation.

Co-authored-by: hsluoyz &lt;3787410+hsluoyz@users.noreply.github.com&gt;
diff --git a/src/coreEnforcer.ts b/src/coreEnforcer.ts
@@ -490,6 +490,8 @@ export class CoreEnforcer {
     let effectDone = false;
     if (hasPolicies) {
       // Iterate through all policy types (p, p2, p3, etc.)
+      // This allows a single matcher to reference multiple policy types
+      // For example: m = r.sub == p.sub && ... || r.sub == p2.sub && ...
       for (const ptype of policyTypes) {
         if (effectDone) {
           break;
@@ -500,6 +502,12 @@ export class CoreEnforcer {
           continue;
         }
 
+        // Check if the matcher expression contains references to this policy type
+        // This is consistent with Go Casbin's behavior
+        if (!expString.includes(`${ptype}_`)) {
+          continue;
+        }
+
         const policyLen = policyDef.policy.length;
 
         // Iterate through all policies of this type
diff --git a/test/test_exact_issue_scenario.test.ts b/test/test_exact_issue_scenario.test.ts
@@ -0,0 +1,38 @@
+import { newModel, newEnforcer, StringAdapter } from '../src';
+
+describe('Exact issue scenario', () => {
+  test('Matcher only references p (not p2) - like issue screenshot', async () => {
+    // This is the EXACT scenario from the issue screenshot
+    // Matcher ONLY references p, not p2
+    const modelText = `
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+p2 = sub, act
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
+`;
+
+    const policyText = `
+p, alice, data1, read
+p2, bob, write-all-objects
+`;
+
+    const m = newModel(modelText);
+    const a = new StringAdapter(policyText);
+    const e = await newEnforcer(m, a);
+
+    // Test 1: alice with p policy - should work
+    await expect(e.enforce('alice', 'data1', 'read')).resolves.toBe(true);
+
+    // Test 2: bob with p2 policy - won't work because matcher doesn't reference p2
+    // This matches Go Casbin's behavior
+    await expect(e.enforce('bob', 'data1', 'write-all-objects')).resolves.toBe(false);
+  });
+});
