(bug?) Adding policies programmatically doesn't work as expected with subjectPriority #501

@ajfranzoia

Description

There appears to be an inconsistency in how subject priority is handled when policies are loaded from CSV files versus when they are added programmatically using addPolicy() and addGroupingPolicy() methods.

I have created a sample demonstration PR here: #500

Test Cases Demonstrating the Issue

I've added three test cases to demonstrate the problem:

  1. TestSubjectPriority with CSV converted to addPolicy/addGroupingPolicy - "TestSubjectPriority" case but converts CSV policies to programmatic calls
  2. TestSubjectPriority simpler with CSV - "TestSubjectPriority" with simpler policies from CSV file
  3. TestSubjectPriority simpler with addPolicy - "TestSubjectPriority" with simpler policies added programmatically

Expected Behavior

The programmatic cases should have the same behavior as the ones with policies loaded via CSV.

Current Behavior

The tests show that:

  • CSV loading works correctly: Users get the expected permissions based on subject priority
  • Programmatic addition may not work correctly: The same policies added via addPolicy() and addGroupingPolicy() may not produce the same results

Configuration Details

Model Configuration (examples/subject_priority_model.conf):

[policy_effect]
e = subjectPriority(p.eft) || deny

Simple Test Case (examples/subject_priority_policy_simple.csv):

p, group, data1, read, deny
p, user, data1, read, allow
g, user, group

Expected Result: user should be allowed to read data1 because the direct allow policy takes priority over the inherited deny policy from the group role.

Environment

  • Node.js Casbin version: 5
  • Node.js version: 22

Could this be related to casbin/casbin#1058?
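
The expected result stated in the issue can be pinned down with an order-independent reference check. This is an added example, not part of the original issue and not node-casbin code; the matcher and the "closest subject wins" priority rule are assumptions, and `evaluate`, `permutations` and `decisions` are hypothetical helper names.

```javascript
// Added example: stand-alone reference evaluator, NOT node-casbin code.
// Assumed matcher: g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
// Assumed priority: the matching rule whose subject is closest to the
// requester in the g hierarchy wins; ties keep the earlier rule; no match => deny.
function evaluate(rules, sub, obj, act) {
  const parents = new Map(); // subject -> roles it inherits from
  const policies = [];
  for (const [ptype, ...f] of rules) {
    if (ptype === 'g') {
      if (!parents.has(f[0])) parents.set(f[0], []);
      parents.get(f[0]).push(f[1]);
    } else if (ptype === 'p') {
      policies.push({ sub: f[0], obj: f[1], act: f[2], eft: f[3] });
    }
  }
  // Breadth-first walk: distance from the requester to every role it reaches.
  const dist = new Map([[sub, 0]]);
  const queue = [sub];
  while (queue.length > 0) {
    const cur = queue.shift();
    for (const role of parents.get(cur) || []) {
      if (dist.has(role)) continue; // already reached by a shorter path
      dist.set(role, dist.get(cur) + 1);
      queue.push(role);
    }
  }
  let best = null;
  for (const p of policies) {
    if (!dist.has(p.sub) || p.obj !== obj || p.act !== act) continue;
    const d = dist.get(p.sub);
    if (best === null || d < best.d) best = { d, eft: p.eft };
  }
  return best !== null && best.eft === 'allow';
}

// All orderings of a rule list, to model CSV order vs. any call order.
function permutations(xs) {
  if (xs.length <= 1) return [xs];
  return xs.flatMap((x, i) =>
    permutations([...xs.slice(0, i), ...xs.slice(i + 1)]).map((rest) => [x, ...rest]));
}

// The three rules from examples/subject_priority_policy_simple.csv in the issue.
const SIMPLE = [
  ['p', 'group', 'data1', 'read', 'deny'],
  ['p', 'user', 'data1', 'read', 'allow'],
  ['g', 'user', 'group'],
];

// Decision for every insertion order; all six should be identical.
function decisions(rules, sub, obj, act) {
  return permutations(rules).map((order) => evaluate(order, sub, obj, act));
}
```

Comparing an enforcer's answers against `evaluate` for each load path (CSV, then programmatic calls in different orders) shows which path diverges from the expected decision.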
