policyeval: do full evaluate on matched users when handling new policy

maunium · Oct 3, 2024 · 329bf60 · 329bf60
1 parent 3488431
commit 329bf60
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/policyeval/evaluate.go b/policyeval/evaluate.go
@@ -65,7 +65,8 @@ func (pe *PolicyEvaluator) EvaluateAddedRule(ctx context.Context, policy *policy
 	pe.protectedRoomsLock.RUnlock()
 	for _, userID := range users {
 		if policy.Pattern.Match(string(userID)) {
-			pe.ApplyPolicy(ctx, userID, policylist.Match{policy})
+			// Do a full evaluation to ensure new policies don't bypass existing higher priority policies
+			pe.EvaluateUser(ctx, userID)
 		}
 	}
 }