ACL permissions are not correctly inherited. #3454

Closed
jacobkiers opened this Issue Jan 16, 2013 · 1 comment


jacobkiers commented Jan 16, 2013

I was playing with the ACL component today, when I encountered something that I did not expect.

I added a Role and a hierarchy of Resources. Then I allow()'ed a read permission halfway through the hierarchy, and expected that permission to be inherited by the child Resources.

This seems not to be the case. As you can see, assertion 2 fails, whereas I expected it to pass, because the 'read' permission was set on the higher-level 'customer1' resource.

Documentation excerpt (from ZF2 ACL docs):

Zend\Permissions\Acl\Acl provides an implementation whereby rules need
only be assigned from general to specific, minimizing the number of rules
needed, because resources and roles inherit rules that are defined upon
their ancestors.

Output:

1. Expect: allowed; Got: allowed
2. Expect: allowed; Got: denied

Code:

// This is about the simplest reproduction I could create.
use \Zend\Permissions\Acl\Acl,
    \Zend\Permissions\Acl\Resource\GenericResource,
    \Zend\Permissions\Acl\Role\GenericRole;

$user = new GenericRole('user1');
$customer1 = new GenericResource('customer1');
$group = new GenericResource('group1');
$phonenumber1 = new GenericResource('phonenumber1');

$acl = new Acl();
$acl->addRole($user);
$acl->addResource($group);
$acl->addResource($customer1, $group);

$acl->addResource($phonenumber1, $customer1);

// Default policy is to deny everything
$acl->deny();
$acl->allow($user, $customer1, 'read');

echo '1. Expect: allowed; Got: '. ($acl->isAllowed($user, $customer1, 'read') ? 'allowed' : 'denied') . PHP_EOL;
echo '2. Expect: allowed; Got: '. ($acl->isAllowed($user, $phonenumber1, 'read') ? 'allowed' : 'denied') . PHP_EOL;

@jacobkiers jacobkiers added a commit to jacobkiers/zf2 that referenced this issue Jan 18, 2013

@jacobkiers jacobkiers Added test for #3454. 07e4245

jacobkiers commented Jan 18, 2013

I've just written a test to verify this behaviour, and found that this only happens when a global deny() policy is set first:

$acl->deny();
$acl->allow($user1, $customer1, 'read');

However, when the global deny policy is omitted, everything works as advertised:

$acl->allow($user1, $customer1, 'read');

IMHO, this is still buggy behaviour, so I will see whether I can write a patch. For the test, see the attached PR (just the failing test for now).
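The two observations in this thread (the child resource is denied only when a global deny() precedes the allow(), and works when the global deny is omitted) come down to the order in which a resolver consults rules. The following is an added example, not code from the issue or from Zend\Permissions\Acl: a minimal stand-alone model of hierarchical resource rules in Python. Class and method names (SimpleAcl, is_allowed, is_allowed_shadowed) and the resolution logic are assumptions chosen to illustrate the symptom, not a description of Zend internals. is_allowed walks every ancestor before falling back to the global default; is_allowed_shadowed returns the global default as soon as the current resource has no rule of its own, which reproduces the failing assertion 2 from the report.

```python
# Added example (not from the Zend issue or the zend-permissions-acl code base):
# a minimal model of hierarchical ACL resolution that reproduces the reported
# symptom and shows the intended "walk the ancestors before falling back to
# the global default" behaviour. Names and structure are assumptions.

from typing import Dict, Optional, Tuple

ALLOW = "allow"
DENY = "deny"


class SimpleAcl:
    """Resources form a tree; rules are keyed by (role, resource, privilege).
    The global default (deny() with no arguments) is stored under resource=None."""

    def __init__(self) -> None:
        self._parents: Dict[str, Optional[str]] = {}
        self._rules: Dict[Tuple[Optional[str], Optional[str], Optional[str]], str] = {}

    def add_resource(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self._parents:
            raise KeyError(f"unknown parent resource {parent!r}")
        self._parents[name] = parent

    def deny(self) -> None:
        # Global default, like $acl->deny() with no arguments in the report.
        self._rules[(None, None, None)] = DENY

    def allow(self, role: str, resource: str, privilege: str) -> None:
        self._rules[(role, resource, privilege)] = ALLOW

    def _ancestors(self, resource: str):
        # Yield the resource itself, then each parent up to the root.
        cur: Optional[str] = resource
        while cur is not None:
            yield cur
            cur = self._parents[cur]

    def is_allowed(self, role: str, resource: str, privilege: str) -> bool:
        # Correct order: the most specific rule wins, and every ancestor is
        # examined before the global default is consulted.
        for res in self._ancestors(resource):
            rule = self._rules.get((role, res, privilege))
            if rule is not None:
                return rule == ALLOW
        return self._rules.get((None, None, None)) == ALLOW

    def is_allowed_shadowed(self, role: str, resource: str, privilege: str) -> bool:
        # Faulty order that reproduces the issue: when the resource has no rule
        # of its own, a global deny is returned before the parent chain is
        # walked, so the ancestor's allow never gets a chance. Without a
        # global default the walk happens and inheritance appears to work.
        rule = self._rules.get((role, resource, privilege))
        if rule is not None:
            return rule == ALLOW
        default = self._rules.get((None, None, None))
        if default is not None:
            return default == ALLOW
        for res in self._ancestors(resource):
            rule = self._rules.get((role, res, privilege))
            if rule is not None:
                return rule == ALLOW
        return False


def reproduce() -> Dict[str, bool]:
    """Build the hierarchy from the report: group1 > customer1 > phonenumber1,
    a global deny, then an allow for 'read' on customer1."""
    acl = SimpleAcl()
    acl.add_resource("group1")
    acl.add_resource("customer1", "group1")
    acl.add_resource("phonenumber1", "customer1")
    acl.deny()
    acl.allow("user1", "customer1", "read")
    return {
        "customer1_correct": acl.is_allowed("user1", "customer1", "read"),
        "child_correct": acl.is_allowed("user1", "phonenumber1", "read"),
        "child_shadowed": acl.is_allowed_shadowed("user1", "phonenumber1", "read"),
        "group_correct": acl.is_allowed("user1", "group1", "read"),
    }


if __name__ == "__main__":
    for name, value in reproduce().items():
        print(f"{name}: {'allowed' if value else 'denied'}")
```

The group_correct entry is included as a guard: inheritance must flow downward only, so an allow on customer1 must never leak upward to group1, and a regression test for this bug should check both directions.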

This was referenced Jan 18, 2013

@jacobkiers jacobkiers added a commit to jacobkiers/zf2 that referenced this issue Jan 18, 2013

@jacobkiers jacobkiers Fix #3454.
The fix involves forcing a loop through the parent resources when the
current resource is 'TYPE_DENIED'. The loop stops when we are already at
the top-level resource.
3c88e7b

@weierophinney weierophinney added a commit that referenced this issue Jan 18, 2013

@weierophinney weierophinney Merge branch 'hotfix/3479'
Close #3479
Fixes #3454
c0e2d53

@weierophinney weierophinney added a commit to zendframework/zend-permissions-acl that referenced this issue May 15, 2015

@jacobkiers @weierophinney jacobkiers + weierophinney Added test for zendframework/zendframework#3454. 9a32682

@weierophinney weierophinney added a commit to zendframework/zend-permissions-acl that referenced this issue May 15, 2015

@jacobkiers @weierophinney jacobkiers + weierophinney Fix zendframework/zendframework#3454.
The fix involves forcing a loop through the parent resources when the
current resource is 'TYPE_DENIED'. The loop stops when we are already at
the top-level resource.
df92e6d

@weierophinney weierophinney added a commit to zendframework/zend-permissions-acl that referenced this issue May 15, 2015

@weierophinney weierophinney Merge branch 'hotfix/3479' df5b9c3