fix: change is_admin from array to function

ZohebShaikh · ZohebShaikh · commit d21b0aa581ee · 2025-12-09T10:24:52.000Z
diff --git a/policy/diamond/policy/admin/admin.rego b/policy/diamond/policy/admin/admin.rego
@@ -3,7 +3,11 @@ package diamond.policy.admin
 import data.diamond.policy.token
 import rego.v1
 
-is_admin[subject] := "super_admin" in data.diamond.data.subjects[subject].permissions
+default is_admin(_) := false
+
+is_admin(subject) if {
+	"super_admin" in data.diamond.data.subjects[subject].permissions
+}
 
 beamline_admin_for_subject[subject_name] contains beamline if {
 	some subject_name, subject in data.diamond.data.subjects
@@ -13,7 +17,7 @@ beamline_admin_for_subject[subject_name] contains beamline if {
 	some beamline in role_beamlines
 }
 
-admin := is_admin[token.claims.fedid] # regal ignore:rule-name-repeats-package
+admin := is_admin(token.claims.fedid) # regal ignore:rule-name-repeats-package
 
 beamline_admin := input.beamline in object.get(beamline_admin_for_subject, token.claims.fedid, [])
 
diff --git a/policy/diamond/policy/admin/admin_test.rego b/policy/diamond/policy/admin/admin_test.rego
@@ -33,7 +33,7 @@ diamond_data := {
 }
 
 test_is_admin_for_admin if {
-	admin.is_admin.carol with data.diamond.data as diamond_data
+	admin.is_admin("carol") with data.diamond.data as diamond_data
 }
 
 test_beamline_admin_for_subject_for_beamline_admin if {
@@ -45,11 +45,11 @@ test_beamlines_admin_for_subject_for_group_admin if {
 }
 
 test_is_admin_for_non_admin if {
-	not admin.is_admin.alice with data.diamond.data as diamond_data
+	not admin.is_admin("alice") with data.diamond.data as diamond_data
 }
 
 test_is_admin_for_beamline_admin_not_admin if {
-	not admin.is_admin.bob with data.diamond.data as diamond_data
+	not admin.is_admin("bob") with data.diamond.data as diamond_data
 }
 
 test_beamline_admin_for_subject_for_non_beamline_admin if {
diff --git a/policy/diamond/policy/proposal/proposal.rego b/policy/diamond/policy/proposal/proposal.rego
@@ -13,7 +13,7 @@ on_proposal(subject, proposal_number) if {
 default access_proposal(_, _) := false
 
 # Allow if subject has super_admin permission
-access_proposal(subject, proposal_number) if admin.is_admin[subject] # regal ignore:external-reference
+access_proposal(subject, proposal_number) if admin.is_admin(subject) # regal ignore:external-reference
 
 # Allow if subject is on proposal
 access_proposal(subject, proposal_number) if on_proposal(subject, proposal_number)
diff --git a/policy/diamond/policy/session/session.rego b/policy/diamond/policy/session/session.rego
@@ -24,7 +24,7 @@ on_session(subject, proposal_number, visit_number) if {
 default access_session(_, _, _) := false
 
 # Allow if subject has super_admin permission
-access_session(subject, proposal_number, visit_number) if admin.is_admin[subject] # regal ignore:external-reference
+access_session(subject, proposal_number, visit_number) if admin.is_admin(subject) # regal ignore:external-reference
 
 # Allow if subject is admin for beamline containing session
 access_session(subject, proposal_number, visit_number) if {

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ diamond_data := {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`test_is_admin_for_admin if {`
`36`		`- admin.is_admin.carol with data.diamond.data as diamond_data`
	`36`	`+ admin.is_admin("carol") with data.diamond.data as diamond_data`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`test_beamline_admin_for_subject_for_beamline_admin if {`
`@@ -45,11 +45,11 @@ test_beamlines_admin_for_subject_for_group_admin if {`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`test_is_admin_for_non_admin if {`
`48`		`- not admin.is_admin.alice with data.diamond.data as diamond_data`
	`48`	`+ not admin.is_admin("alice") with data.diamond.data as diamond_data`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`test_is_admin_for_beamline_admin_not_admin if {`
`52`		`- not admin.is_admin.bob with data.diamond.data as diamond_data`
	`52`	`+ not admin.is_admin("bob") with data.diamond.data as diamond_data`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`test_beamline_admin_for_subject_for_non_beamline_admin if {`