From 9171ceed6b2503709f7e6c295002a8572af1e652 Mon Sep 17 00:00:00 2001
From: Bart Zantingh <162321204+bartzantingh@users.noreply.github.com>
Date: Mon, 2 Feb 2026 12:02:02 +0100
Subject: [PATCH] Update 002_0008_avoid_read_write_default_access_rule.rego

Change object iteration from 'obj[_]' to 'some...in...'; preferred style for readability according to https://docs.styra.com/regal/rules/style/prefer-some-in-iteration Change creating role names list to immediately get second value from split list, instead of assigning them separately to another variable ('parts'). AllowedModuleRoles are always formatted as {moduleName}.{userRoleName}, so when split the user role name is always the second value in the split list. Correct spelling mistake in package name Add related resources (links to Mendix docs) to metadata for future reference
---
 ...08_avoid_read_write_default_access_rule.rego | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego b/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
index 6cba1b6..17e2f39 100644
--- a/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
+++ b/rules/002_domain_model/002_0008_avoid_read_write_default_access_rule.rego
@@ -4,6 +4,10 @@
 # description: This can lead to wrong set access rights
 # authors:
 # - Jurre Tanja
+# - Bart Zantingh
+# related_resources:
+# - https://docs.mendix.com/refguide/access-rules/
+# - https://docs.mendix.com/refguide/dev-best-practices/#security
 # custom:
 # category: Maintainability
 # rulename: AvoidDefaultReadWriteAccess
@@ -11,7 +15,7 @@
 # rulenumber: 002_0008
 # remediation: Set default access rights to Read only or None.
 # input: .*/DomainModels\$DomainModel\.yaml
-package app.mendix.domain_model.avoind_default_readwrite_access
+package app.mendix.domain_model.avoid_default_readwrite_access
 import rego.v1
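Review bot: The package rename from `avoind_default_readwrite_access` to `avoid_default_readwrite_access` in the second hunk changes the rule's data path, so anything that still queries `data.app.mendix.domain_model.avoind_default_readwrite_access.errors` (a bundle entrypoint, a test file, a CI harness) will now get an undefined result instead of an error. Depending on how the caller treats an undefined or empty result, that can read as "no findings", and this access-rights check would stop firing silently. The diffstat shows only this file changed, so it is worth grepping the repository for the old package name before merging. A regression test that queries the new path with a fixture whose access rule has `DefaultMemberAccessRights == "ReadWrite"` and expects a non-empty `errors` set would pin the new path down.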
@@ -22,22 +26,23 @@ default allow := false
 allow if count(errors) == 0
 errors contains error if {
- entity := input.Entities[_]
+ some entity in input.Entities
 entity_name := entity.Name
 # Bind the specific access rule we are evaluating
- access_rule := entity.AccessRules[_]
+ some access_rule in entity.AccessRules
 # Only consider access rules with ReadWrite default rights
 access_rule.DefaultMemberAccessRights == "ReadWrite"
 # Now collect roles only from THIS access_rule
 roles := access_rule.AllowedModuleRoles
+
 role_names := [name |
- role := roles[_]
- parts := split(role, ".")
- name := parts[count(parts) - 1]
+ some role in roles
+ name := split(role, ".")[1]
 ]
+
 roles_list := concat(", ", role_names)
 error := sprintf(