fix: least privilege permission

rbac/custom_functions.go

@@ -81,10 +81,14 @@ func matchResourceSelectorPair(pair resourcePair) bool {
 		if len(pair.selectors) == 0 {
 			// An attribute was provided but there's no selector to match it against
 			//
-			// Essentially, what's happening here is that the permission was not restrictive enough.
-			// The selector in the permission doesn't care about this attribute.
-			// So it's authorized.
-			return true
+			// Essentially, what's happening here is that the permission is not specific enough.
+			//
+			// Example:
+			// Request: (playbook:run, subject:john, object:playbook.name='foo')
+			// Should fail when a playbook and config is passed (because the permission has not specified the config)
+			//
+			// The request must have been: (playbook:run, subject:john, object:playbook.name='foo'&config:bar)
+			return false
 		}
 
 		// Must match one of the selectors

rbac/custom_functions_test.go

@@ -150,7 +150,7 @@ func Test_matchResourceSelector(t *testing.T) {
 		},
 		{
 			name: "2 attributes, 1 selector, match",
-			want: true,
+			want: false,
 			args: args{
 				attr: models.ABACAttribute{
 					Connection: models.Connection{