glm-5.1
ac28c9308c
The resource access check in checkAccess() was bypassed when identity.resources was undefined because the condition evaluated to false, falling through to . Changed to with an explicit check inside the block, implementing default-deny semantics per ADR-006. Added 7 test cases covering: - undefined resources with resourceType set (denied) - empty resources with resourceType set (denied) - non-matching resource type (denied) - matching type but wrong action (denied) - matching type and action (granted) - no resourceType/resourceAction set (granted) - matching resources with extra scopes (granted)