refactor: simplify action matching logic in authorization model

BryanttV · BryanttV · commit ddcc6d5ad7d1 · 2025-09-15T13:27:01.000-05:00
diff --git a/openedx_authz/management/commands/model.conf b/openedx_authz/management/commands/model.conf
@@ -12,18 +12,4 @@ g2 = _, _
 e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
 
 [matchers]
-# Authorization matching logic
-#
-# SCOPE MATCHING:
-# - g(r.sub, p.sub, r.scope): check if subject has role in requested scope
-# - g(r.sub, p.sub, "*"): check if subject has global role
-#
-# OBJECT MATCHING:
-# - keyMatch(r.obj, p.obj): matches object IDs using exact match or regex patterns
-#
-# ACTION MATCHING:
-# - r.act == p.act: exact action match
-# - g2(p.act, r.act): policy action implies requested action via grouping
-#
-# All conditions must be true for a policy to match
-m = (g(r.sub, p.sub, r.scope) || g(r.sub, p.sub, "*")) && keyMatch(r.obj, p.obj) && (r.act == p.act || g2(p.act, r.act))
+m = (g(r.sub, p.sub, r.scope) || g(r.sub, p.sub, "*")) && keyMatch(r.obj, p.obj) && g2(p.act, r.act)
