policies/authz.rego

package croplogic.authz

import rego.v1

default allow := false

allow if {
  decision.allow
}

decision := feature_decision(input.feature)

batch_decision := {
  "features": {
    feature: result |
    feature := input.features[_]
    result := feature_decision(feature)
  },
}

feature_decision(feature) := {
  "allow": true,
  "matched_rules": [],
  "deny_rules": [],
  "allow_rules": [],
} if {
  not has_feature_rule(feature)
}

feature_decision(feature) := result if {
  has_feature_rule(feature)
  rule := feature_rule(feature)
  matched := [matched_rule | matched_rule := rule; action_match(matched_rule)]
  deny_rules := [matched_rule | matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]
  allow_rules := [matched_rule | matched_rule := matched[_]; object.get(matched_rule, "allow", false)]
  count(deny_rules) == 0
  result := {
    "allow": true,
    "matched_rules": matched,
    "deny_rules": deny_rules,
    "allow_rules": allow_rules,
  }
}

feature_decision(feature) := result if {
  has_feature_rule(feature)
  rule := feature_rule(feature)
  matched := [matched_rule | matched_rule := rule; action_match(matched_rule)]
  deny_rules := [matched_rule | matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]
  allow_rules := [matched_rule | matched_rule := matched[_]; object.get(matched_rule, "allow", false)]
  count(deny_rules) > 0
  result := {
    "allow": false,
    "matched_rules": matched,
    "deny_rules": deny_rules,
    "allow_rules": allow_rules,
  }
}

action_match(rule) if {
  count(object.get(rule, "actions_any", [])) == 0
}

action_match(rule) if {
  requested_action := lower(sprintf("%v", [object.get(input, "action", "view")]))
  action := object.get(rule, "actions_any", [])[_]
  lower(sprintf("%v", [action])) == requested_action
}
UPDATE 2026-04-09 23:25:59 +03:30			`package croplogic.authz`

			`import rego.v1`

			`default allow := false`

			`allow if {`
			`decision.allow`
			`}`

			`decision := feature_decision(input.feature)`

			`batch_decision := {`
			`"features": {`
			`feature: result \|`
			`feature := input.features[_]`
			`result := feature_decision(feature)`
			`},`
			`}`

			`feature_decision(feature) := {`
			`"allow": true,`
			`"matched_rules": [],`
			`"deny_rules": [],`
			`"allow_rules": [],`
			`} if {`
			`not has_feature_rule(feature)`
			`}`

			`feature_decision(feature) := result if {`
			`has_feature_rule(feature)`
			`rule := feature_rule(feature)`
			`matched := [matched_rule \| matched_rule := rule; action_match(matched_rule)]`
			`deny_rules := [matched_rule \| matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]`
			`allow_rules := [matched_rule \| matched_rule := matched[_]; object.get(matched_rule, "allow", false)]`
			`count(deny_rules) == 0`
			`result := {`
			`"allow": true,`
			`"matched_rules": matched,`
			`"deny_rules": deny_rules,`
			`"allow_rules": allow_rules,`
			`}`
			`}`

			`feature_decision(feature) := result if {`
			`has_feature_rule(feature)`
			`rule := feature_rule(feature)`
			`matched := [matched_rule \| matched_rule := rule; action_match(matched_rule)]`
			`deny_rules := [matched_rule \| matched_rule := matched[_]; not object.get(matched_rule, "allow", false)]`
			`allow_rules := [matched_rule \| matched_rule := matched[_]; object.get(matched_rule, "allow", false)]`
			`count(deny_rules) > 0`
			`result := {`
			`"allow": false,`
			`"matched_rules": matched,`
			`"deny_rules": deny_rules,`
			`"allow_rules": allow_rules,`
			`}`
			`}`

			`action_match(rule) if {`
			`count(object.get(rule, "actions_any", [])) == 0`
			`}`

			`action_match(rule) if {`
			`requested_action := lower(sprintf("%v", [object.get(input, "action", "view")]))`
			`action := object.get(rule, "actions_any", [])[_]`
			`lower(sprintf("%v", [action])) == requested_action`
			`}`