diff --git a/core/policy/service.go b/core/policy/service.go
index a223e7d8f..fa45a96f5 100644
--- a/core/policy/service.go
+++ b/core/policy/service.go
@@ -317,9 +317,14 @@ func (s *Service) validateApprover(expr string) error {
 return nil
 }
- // skip validation if expression is accessing arbitrary value
+ // skip validate approver step in case the expression uses arbitrary appeal values
+ // which are only available at the time of appeal creation.
 if strings.Contains(expr, "$appeal.resource") ||
- strings.Contains(expr, "$appeal.creator") {
+ strings.Contains(expr, "$appeal.creator") ||
+ strings.Contains(expr, "$appeal.role") ||
+ strings.Contains(expr, "$appeal.permissions") ||
+ strings.Contains(expr, "$appeal.details") ||
+ strings.Contains(expr, "$appeal.labels") {
 return nil
 }
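Review bot: The widened early `return nil` in validateApprover means any approver expression that merely contains one of the six `$appeal.*` substrings is accepted at policy-save time with no check at all, so whatever it resolves to is only known when an appeal is created. Because the test is `strings.Contains`, it also fires when the text appears inside a string literal or as the prefix of a longer name, which makes the skip broader than the new comment suggests. Since these expressions decide who may approve access, the comment should state where the deferred check happens, for example `// NOTE: not validated here; the resolved approvers must be validated when the appeal is created`, and that appeal-creation path should reject an empty or malformed result (presumably it does, but it is not visible here). If the expression can still be syntax-checked without appeal data, doing that before returning would catch typos at policy-save time. The function body starts and ends outside this hunk, so the remaining validation steps are not visible.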