Hyperledger-Composer: ACL-rules with condition of

Posted 2019-05-20 05:39

Question:

In my hyperledger-composer application, access control rules with a condition of the following type:

(r.someArray.indexOf(p.getIdentifier()) > -1)

do not work.

Here is an example of such an ACL-rule:

rule SuperiorsHaveReadAccessToTheirTeamMembers {
    description: "Allow superiors read access to data on their team members"
    participant(p): "org.comp.app.Employee"
    operation: READ
    resource(r): "org.comp.app.Employee"
    condition: (r.superiors.indexOf(p.getIdentifier()) > -1)
    action: ALLOW
}

For clarification:

participant Employee extends User {
  o String company optional
  --> Employee[] superiors optional
}

So the access control rule above simply states that Employee A has READ Access to Employee B if and only if Employee B's array-attribute "superiors" contains Employee A (i.e. if Employee A is the superior of Employee B).

However, it doesn't work. Employee A does not have READ access to Employee B. All the other access control rules of this kind do not work either.

Is this a bug in hyperledger-composer?

Answer 1:

No, it's not a bug. It's, again, because you're working with an array of resource objects, as you've modeled it. indexOf works on the string Object. It works for me as follows:

rule SuperiorsHaveReadAccessToTheirTeamMembers {
    description: "Allow superiors read access to data on their team members"
    participant(p): "org.comp.app.Employee"
    operation: READ
    resource(r): "org.comp.app.Employee"
    condition: (r.authorized && r.authorized.toString().indexOf(p.getIdentifier()) > -1)
    action: ALLOW
}

Also, remember how indexOf works: it will 'pass' on the first match. It may be better to have an authorized field, and store shortened (string) ids in (say) a field, e.g. String[] authorized optional, and in this case your original rule would then work first time.
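
As an added example (not part of the original question or answer, and not Composer's own code), the three ways of writing the condition can be compared in plain JavaScript under Node. `Ref` is a hypothetical stand-in for a Composer relationship object, its `toString()` format and the employee ids are constructed, and the question's `superiors` field is used in place of the answer's `authorized`.

```javascript
// Hypothetical stand-in for a Composer relationship/participant object.
// The toString() format is an assumption made for this example.
class Ref {
  constructor(id) { this.id = id; }
  getIdentifier() { return this.id; }
  toString() { return `Relationship {id=org.comp.app.Employee#${this.id}}`; }
}

// Condition from the question: indexOf compares each array element (an
// object) to a string with strict equality, so it never matches.
function originalCondition(r, p) {
  return r.superiors.indexOf(p.getIdentifier()) > -1;
}

// Style used in the answer: substring search in the stringified array.
function substringCondition(r, p) {
  return Boolean(r.superiors &&
    r.superiors.toString().indexOf(p.getIdentifier()) > -1);
}

// Exact comparison of identifiers, one array element at a time.
function exactCondition(r, p) {
  return Array.isArray(r.superiors) &&
    r.superiors.some((s) => s.getIdentifier() === p.getIdentifier());
}

// Constructed sample data: emp10 is the only superior of the resource.
const resource = { superiors: [new Ref('emp10')] };
const boss = new Ref('emp10');
const other = new Ref('emp1'); // not a superior; "emp1" is a prefix of "emp10"

// Returns [result for boss, result for other] per condition style.
function evaluate() {
  return {
    original: [originalCondition(resource, boss), originalCondition(resource, other)],
    substring: [substringCondition(resource, boss), substringCondition(resource, other)],
    exact: [exactCondition(resource, boss), exactCondition(resource, other)],
  };
}

console.log(evaluate());
```

The substring form also grants access to emp1 because "emp1" occurs inside "emp10"; comparing identifiers element by element grants access only to the listed superior.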