diff --git a/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego b/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
index 6cba1b6..17e2f39 100644
--- a/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
+++ b/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
@@ -4,6 +4,10 @@
 # description: This can lead to wrong set access rights
 # authors:
 # - Jurre Tanja
+# - Bart Zantingh
+# related_resources:
+# - https://docs.mendix.com/refguide/access-rules/
+# - https://docs.mendix.com/refguide/dev-best-practices/#security
 # custom:
 # category: Maintainability
 # rulename: AvoidDefaultReadWriteAccess
@@ -11,7 +15,7 @@
 # rulenumber: 002_0008
 # remediation: Set default access rights to Read only or None.
 # input: .*/DomainModels\$DomainModel\.yaml
-package app.mendix.domain_model.avoind_default_readwrite_access
+package app.mendix.domain_model.avoid_default_readwrite_access
 
 import rego.v1
 
@@ -22,22 +26,23 @@ default allow := false
 allow if count(errors) == 0
 
 errors contains error if {
- entity := input.Entities[_]
+ some entity in input.Entities
 entity_name := entity.Name
 
 # Bind the specific access rule we are evaluating
- access_rule := entity.AccessRules[_]
+ some access_rule in entity.AccessRules
 
 # Only consider access rules with ReadWrite default rights
 access_rule.DefaultMemberAccessRights == "ReadWrite"
 
 # Now collect roles only from THIS access_rule
 roles := access_rule.AllowedModuleRoles
+
 role_names := [name |
- role := roles[_]
- parts := split(role, ".")
- name := parts[count(parts) - 1]
+ some role in roles
+ name := split(role, ".")[1]
 ]
+
 roles_list := concat(", ", role_names)
 
 error := sprintf(
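Review bot: `name := split(role, ".")[1]` in the role_names comprehension changes which segment is reported and silently drops any role that contains no dot, because an undefined index inside a Rego comprehension body just omits that element instead of failing. The removed lines took the last segment, so a role with more than one dot now yields its second segment rather than its last, and a dot-less role vanishes from roles_list while the finding still fires (the ReadWrite comparison above it is unaffected), leaving an incomplete or empty role listing in the error message. If Mendix module roles are always written as `Module.Role` this is harmless in practice, but the old form was strictly safer for the same cost; restore it as `parts := split(role, ".")` / `name := parts[count(parts) - 1]`. The errors rule continues past the end of the hunk.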