JS policy, how to apply them


I’m actually trying to apply to a client a JS policy. This policy just checking the email of the user and deny the permission if it’s not ending with ‘@email.com’.
Here’s the JS code :

var context = $evaluation.getContext();
var identity = context.getIdentity();
var attributes = identity.getAttributes();
var email = attributes.getValue(‘email’).asString(0);

if (email.endsWith(’@email.com’)) {

I have also created a permission (simply named ‘first_permission’) and associate my JS policy to that permission. This permission is associated with Default resource. I didn’t change the default resource at all. When I’m doing a test of this configuration with ‘evaluate’ with a user that should be denied it works well.

The problem is here when I now try to access the resource (so with the URL of that resource) with the same user, the access is permitted and still can access to that resource.
I don’t have any idea of why this user can access the resource when the evaluate’s result is what I expected. I look forward to any explanation or help with this problem.
Also, I have tried to add a scope to that resource and that didn’t change anything.

Best regards.