From 8d4084d2e4b0d49d644b0fdf5b4770a8680264b1 Mon Sep 17 00:00:00 2001
From: jurretanjamx <71489868+jurretanjamx@users.noreply.github.com>
Date: Fri, 2 Jan 2026 15:29:32 +0100
Subject: [PATCH] Refactor access rule evaluation for ReadWrite rights

---
 ..._avoid_read_write_default_access_rule.rego | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego b/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
index af39b2e..6cba1b6 100644
--- a/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
+++ b/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
@@ -24,12 +24,21 @@ allow if count(errors) == 0
 errors contains error if {
 entity := input.Entities[_]
 entity_name := entity.Name
- roles := entity.AccessRules[_].AllowedModuleRoles
- role_names := [name | role := roles[_]; parts := split(role, "."); name := parts[count(parts) - 1]]
- roles_list := concat(", ", role_names)
- # Check for ReadWrite access
- entity.AccessRules[_].DefaultMemberAccessRights == "ReadWrite"
+ # Bind the specific access rule we are evaluating
+ access_rule := entity.AccessRules[_]
+
+ # Only consider access rules with ReadWrite default rights
+ access_rule.DefaultMemberAccessRights == "ReadWrite"
+
+ # Now collect roles only from THIS access_rule
+ roles := access_rule.AllowedModuleRoles
+ role_names := [name |
+ role := roles[_]
+ parts := split(role, ".")
+ name := parts[count(parts) - 1]
+ ]
+ roles_list := concat(", ", role_names)
 error := sprintf(
 "[%v, %v, %v] ReadWrite access rules found in entity %v for roles %v",