fix: prevent model sharing across enforcers

rg2011 · rg2011 · commit 0b2019576dfd · 2026-02-04T23:38:06.000+01:00
diff --git a/src/model/Model.lua b/src/model/Model.lua
@@ -23,20 +23,20 @@ function Model:new()
     local o = {}
     setmetatable(o, self)
     self.__index = self
-    self.model = {}
-    self.sectionNameMap = {
+    o.model = {}
+    o.sectionNameMap = {
         ["r"] = "request_definition",
         ["p"] = "policy_definition",
         ["g"] = "role_definition",
         ["e"] = "policy_effect",
         ["m"] = "matchers"
     }
 
-    self.requiredSections = {"r", "p", "e", "m"} -- Minimal required sections for a model to be valid
-    self.modCount = 0   -- used by CoreEnforcer to detect changes to Model
+    o.requiredSections = {"r", "p", "e", "m"} -- Minimal required sections for a model to be valid
+    o.modCount = 0   -- used by CoreEnforcer to detect changes to Model
 
     -- PolicyOperations: [key] = POLICY_ADD/POLICY_REMOVE and value = string(key)
-    self.PolicyOperations = {
+    o.PolicyOperations = {
         POLICY_ADD = "POLICY_ADD",
         POLICY_REMOVE = "POLICY_REMOVE"
     }
diff --git a/tests/main/enforcer_spec.lua b/tests/main/enforcer_spec.lua
@@ -516,6 +516,54 @@ describe("Enforcer tests", function ()
         assert.is.False(e:enforce("bogus", "data2", "write")) -- Non-existent subject
     end)
 
+    it("multiple newEnforcerFromText with distinct definitions", function ()
+        local model1 = [[
+            [request_definition]
+            r = path, method
+
+            [policy_definition]
+            p = path, method
+
+            [policy_effect]
+            e = some(where (p.eft == allow))
+
+            [matchers]
+            m = r.path == p.path && r.method == p.method
+        ]]
+
+        local policy1 = [[
+            p, /alpha, GET
+        ]]
+
+        local model2 = [[
+            [request_definition]
+            r = user, path, method
+
+            [policy_definition]
+            p = user, path, method
+
+            [policy_effect]
+            e = some(where (p.eft == allow))
+
+            [matchers]
+            m = r.user == p.user && r.path == p.path && r.method == p.method
+        ]]
+
+        local policy2 = [[
+            p, alice, /alpha, GET
+        ]]
+
+        local e2 = Enforcer:newEnforcerFromText(model2, policy2)
+        assert.is.True(e2:enforce("alice", "/alpha", "GET"))
+
+        local e1 = Enforcer:newEnforcerFromText(model1, policy1)
+        assert.is.True(e1:enforce("/alpha", "GET"))
+
+        local ok, res = pcall(e2.enforce, e2, "alice", "/alpha", "GET")
+        assert.is.True(ok)
+        assert.is.True(res)
+    end)
+
     
     it("regexMatch test", function ()
 
