From 882b450ef1f3445ebe9e253de9d6bcc93b22de1c Mon Sep 17 00:00:00 2001
From: Nagoor Shaik <nshaik@redhat.com>
Date: Mon, 22 Sep 2025 12:56:03 +0530
Subject: [PATCH] fix authentication map allow conditional check

Signed-off-by: Nagoor Shaik <nshaik@redhat.com>
---
 ansible_base/authentication/utils/claims.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ansible_base/authentication/utils/claims.py b/ansible_base/authentication/utils/claims.py
index 8f2e21413..eff0c1e64 100644
--- a/ansible_base/authentication/utils/claims.py
+++ b/ansible_base/authentication/utils/claims.py
@@ -120,10 +120,11 @@ def create_claims(authenticator: Authenticator, username: str, attrs: dict, grou
         rule_responses.append({mpk: has_permission, 'enabled': auth_map.enabled})
 
         understood_map = False
-        if auth_map.map_type == 'allow' and not has_permission:
-            # If any rule does not allow we don't want to return this to true
-            access_allowed = False
-            understood_map = True
+        if auth_map.map_type == 'allow':
+            if not has_permission:
+                # If any rule does not allow we don't want to return this to true
+                access_allowed = False
+                understood_map = True
         elif auth_map.map_type == 'is_superuser':
             is_superuser = has_permission
             understood_map = True