Fix subject priority for programmatically added policies

Copilot · nomeguy · Copilot · commit b2a65ded3e7c · 2025-11-11T18:06:30.000Z
Call sortPoliciesBySubjectHierarchy() after adding/removing/updating policies to ensure correct ordering when using subject priority effect

Co-authored-by: nomeguy &lt;85475922+nomeguy@users.noreply.github.com&gt;
diff --git a/src/internalEnforcer.ts b/src/internalEnforcer.ts
@@ -54,6 +54,11 @@ export class InternalEnforcer extends CoreEnforcer {
 
     if (sec === 'g' && ok) {
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyAdd, ptype, [rule]);
+      // Sort policies by subject hierarchy after adding grouping policy
+      this.model.sortPoliciesBySubjectHierarchy();
+    } else if (sec === 'p' && ok) {
+      // Sort policies by subject hierarchy after adding policy
+      this.model.sortPoliciesBySubjectHierarchy();
     }
     return ok;
   }
@@ -95,6 +100,11 @@ export class InternalEnforcer extends CoreEnforcer {
     const [ok, effects] = await this.model.addPolicies(sec, ptype, rules);
     if (sec === 'g' && ok && effects?.length) {
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyAdd, ptype, effects);
+      // Sort policies by subject hierarchy after adding grouping policies
+      this.model.sortPoliciesBySubjectHierarchy();
+    } else if (sec === 'p' && ok) {
+      // Sort policies by subject hierarchy after adding policies
+      this.model.sortPoliciesBySubjectHierarchy();
     }
     return ok;
   }
@@ -141,6 +151,11 @@ export class InternalEnforcer extends CoreEnforcer {
     if (sec === 'g' && ok) {
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyRemove, ptype, [oldRule]);
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyAdd, ptype, [newRule]);
+      // Sort policies by subject hierarchy after updating grouping policy
+      this.model.sortPoliciesBySubjectHierarchy();
+    } else if (sec === 'p' && ok) {
+      // Sort policies by subject hierarchy after updating policy
+      this.model.sortPoliciesBySubjectHierarchy();
     }
 
     return ok;
@@ -178,6 +193,11 @@ export class InternalEnforcer extends CoreEnforcer {
     const ok = await this.model.removePolicy(sec, ptype, rule);
     if (sec === 'g' && ok) {
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyRemove, ptype, [rule]);
+      // Sort policies by subject hierarchy after removing grouping policy
+      this.model.sortPoliciesBySubjectHierarchy();
+    } else if (sec === 'p' && ok) {
+      // Sort policies by subject hierarchy after removing policy
+      this.model.sortPoliciesBySubjectHierarchy();
     }
     return ok;
   }
@@ -218,6 +238,11 @@ export class InternalEnforcer extends CoreEnforcer {
     const [ok, effects] = this.model.removePolicies(sec, ptype, rules);
     if (sec === 'g' && ok && effects?.length) {
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyRemove, ptype, effects);
+      // Sort policies by subject hierarchy after removing grouping policies
+      this.model.sortPoliciesBySubjectHierarchy();
+    } else if (sec === 'p' && ok) {
+      // Sort policies by subject hierarchy after removing policies
+      this.model.sortPoliciesBySubjectHierarchy();
     }
     return ok;
   }
@@ -256,6 +281,11 @@ export class InternalEnforcer extends CoreEnforcer {
     const [ok, effects] = this.model.removeFilteredPolicy(sec, ptype, fieldIndex, ...fieldValues);
     if (sec === 'g' && ok && effects?.length) {
       await this.buildIncrementalRoleLinks(PolicyOp.PolicyRemove, ptype, effects);
+      // Sort policies by subject hierarchy after removing filtered grouping policies
+      this.model.sortPoliciesBySubjectHierarchy();
+    } else if (sec === 'p' && ok) {
+      // Sort policies by subject hierarchy after removing filtered policies
+      this.model.sortPoliciesBySubjectHierarchy();
     }
     return ok;
   }
diff --git a/test/enforcer.test.ts b/test/enforcer.test.ts
@@ -761,7 +761,6 @@ test('TestSubjectPriorityWithDomain', async () => {
 
 test('TestSubjectPriority simpler with CSV', async () => {
   const e = await newEnforcer('examples/subject_priority_model.conf', 'examples/subject_priority_policy_simple.csv');
-  fs.writeFileSync('/tmp/csv_policies.txt', JSON.stringify(e.getPolicy(), null, 2));
   // user should be allowed to read data1 because the direct allow policy takes priority over the inherited deny policy from the group role
   testEnforceEx(e, 'user', 'data1', 'read', [true, ['user', 'data1', 'read', 'allow']]);
 });
@@ -771,7 +770,6 @@ test('TestSubjectPriority simpler with addPolicy', async () => {
   await e.addPolicy('group', 'data1', 'read', 'deny');
   await e.addPolicy('user', 'data1', 'read', 'allow');
   await e.addGroupingPolicy('user', 'group');
-  fs.writeFileSync('/tmp/addpolicy_policies.txt', JSON.stringify(e.getPolicy(), null, 2));
   // user should be allowed to read data1 because the direct allow policy takes priority over the inherited deny policy from the group role
   testEnforceEx(e, 'user', 'data1', 'read', [true, ['user', 'data1', 'read', 'allow']]);
 });
