Combine priority and deny-override models

Hi Dev team,

you’ve recently added explicit priority model support in 1.9.0, many thanks for that.

Is there any chance to support two policy effects at once? For example Priority model with deny override. Something like:

[policy_effect]
e = (priority(p.eft) || deny) || (!some(where (p.eft == deny))) 

The value of support such a combined policy effect is that users can have multiple groups assigned with a different eff (allow, deny) and not be dependant on policy position in the file. Please see the example below.

model.conf

[request_definition]
r = sub, obj, act

[policy_definition]
p = priority, sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = priority(p.eft) || deny

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

policy.csv

p, 10, data1_deny_group, data1, write, deny
p, 10, data1_allow_group, data1, write, allow

g, alice, data1_deny_group
g, alice, data1_allow_group

enforcement result of e.Enforce(“alice”, “data1”, “write”) will be false, because both groups have the same priority and in this case, Casbin takes the first one, that is deny.

However, if we switch policy and have a policy file like:

policy.csv

p, 10, data1_allow_group, data1, write, allow
p, 10, data1_deny_group, data1, write, deny

g, alice, data1_deny_group
g, alice, data1_allow_group

The result of enforcement - e.Enforce(“alice”, “data1”, “write”)
will be Allow, as first is allow policy.

In such cases, when there’re multiple groups with the same priority, combine Priority and deny-override models. For example, when enforcement happens, casbin can realize that there’re multiple matching policies with the same priority, and in such cases it can additionally apply a deny-override effect?