Fix bug in AccessControl check when user does not have any roles

internal/permissions/ruleset_checks.go

@@ -10,16 +10,15 @@ package permissions
 //  - can anyone perform an operation on this specific resource
 //  - can anyone perform an operation on any resource of the type (wildcard)
 func (set RuleSet) Check(res Resource, op Operation, roles ...uint64) (v Access) {
-	if len(roles) == 0 {
-		return Deny
-	}
 
 	if !res.IsValid() {
 		return Deny
 	}
 
-	if v = set.checkResource(res, op, roles...); v != Inherit {
-		return
+	if len(roles) > 0 {
+		if v = set.checkResource(res, op, roles...); v != Inherit {
+			return
+		}
 	}
 
 	if v = set.checkResource(res, op, EveryoneRoleID); v != Inherit {
@@ -72,7 +71,7 @@ func (set RuleSet) check(res Resource, op Operation, roles ...uint64) (v Access)
 				continue
 			}
 
-			v = set[i].Access
+			v = set[i].Access // set to Allow
 
 			// Return on first Deny
 			if v == Deny {

internal/permissions/ruleset_checks_test.go

@@ -134,6 +134,7 @@ func TestRuleSet_Check(t *testing.T) {
 			DenyRule(role2, resService1, opAccess),
 			// 2nd level
 			DenyRule(EveryoneRoleID, resService2, opAccess),
+			AllowRule(EveryoneRoleID, resThing13, opAccess),
 			AllowRule(role1, resService2, opAccess),
 			// 3rd level
 			DenyRule(EveryoneRoleID, resThingWc, opAccess),
@@ -154,6 +155,8 @@ func TestRuleSet_Check(t *testing.T) {
 			{[]uint64{role2}, resService2, opAccess, Deny},
 			{[]uint64{role1}, resThing42, opAccess, Allow},
 			{[]uint64{role2}, resThing42, opAccess, Deny},
+			{[]uint64{}, resThing42, opAccess, Deny},
+			{[]uint64{}, resThing13, opAccess, Allow},
 		}
 	)