
ZF2 ACL full access #4226

Merged
merged 2 commits into from Apr 16, 2013


Hello, I want to check if a role has full access in ZF2 ACL, but I can't:

$acl->allow('admin_role'); // set full access
$isAllowed = $acl->isAllowed('admin_role'); // check if role has full access
//$isAllowed equals false

Contributor

macnibblet commented Apr 15, 2013

Then you are doing something wrong

This code is taken directly from AclTest.php:

// Add some roles to the Role registry
$this->_acl->addRole(new Role\GenericRole('guest'))
           ->addRole(new Role\GenericRole('staff'), 'guest')  // staff inherits permissions from guest
           ->addRole(new Role\GenericRole('editor'), 'staff') // editor inherits permissions from staff
           ->addRole(new Role\GenericRole('administrator'));

// Guest may only view content
$this->_acl->allow('guest', null, 'view');

// Staff inherits view privilege from guest, but also needs additional privileges
$this->_acl->allow('staff', null, array('edit', 'submit', 'revise'));

// Editor inherits view, edit, submit, and revise privileges, but also needs additional privileges
$this->_acl->allow('editor', null, array('publish', 'archive', 'delete'));

// Administrator inherits nothing but is allowed all privileges
$this->_acl->allow('administrator');

// Access control checks based on above permission sets

$this->assertTrue($this->_acl->isAllowed('guest', null, 'view'));
$this->assertFalse($this->_acl->isAllowed('guest', null, 'edit'));
$this->assertFalse($this->_acl->isAllowed('guest', null, 'submit'));
$this->assertFalse($this->_acl->isAllowed('guest', null, 'revise'));
$this->assertFalse($this->_acl->isAllowed('guest', null, 'publish'));
$this->assertFalse($this->_acl->isAllowed('guest', null, 'archive'));
$this->assertFalse($this->_acl->isAllowed('guest', null, 'delete'));
$this->assertFalse($this->_acl->isAllowed('guest', null, 'unknown'));
$this->assertFalse($this->_acl->isAllowed('guest'));

$this->assertTrue($this->_acl->isAllowed('staff', null, 'view'));
$this->assertTrue($this->_acl->isAllowed('staff', null, 'edit'));
$this->assertTrue($this->_acl->isAllowed('staff', null, 'submit'));
$this->assertTrue($this->_acl->isAllowed('staff', null, 'revise'));
$this->assertFalse($this->_acl->isAllowed('staff', null, 'publish'));
$this->assertFalse($this->_acl->isAllowed('staff', null, 'archive'));
$this->assertFalse($this->_acl->isAllowed('staff', null, 'delete'));
$this->assertFalse($this->_acl->isAllowed('staff', null, 'unknown'));
$this->assertFalse($this->_acl->isAllowed('staff'));

$this->assertTrue($this->_acl->isAllowed('editor', null, 'view'));
$this->assertTrue($this->_acl->isAllowed('editor', null, 'edit'));
$this->assertTrue($this->_acl->isAllowed('editor', null, 'submit'));
$this->assertTrue($this->_acl->isAllowed('editor', null, 'revise'));
$this->assertTrue($this->_acl->isAllowed('editor', null, 'publish'));
$this->assertTrue($this->_acl->isAllowed('editor', null, 'archive'));
$this->assertTrue($this->_acl->isAllowed('editor', null, 'delete'));
$this->assertFalse($this->_acl->isAllowed('editor', null, 'unknown'));
$this->assertFalse($this->_acl->isAllowed('editor'));

$this->assertTrue($this->_acl->isAllowed('administrator', null, 'view'));
$this->assertTrue($this->_acl->isAllowed('administrator', null, 'edit'));
$this->assertTrue($this->_acl->isAllowed('administrator', null, 'submit'));
$this->assertTrue($this->_acl->isAllowed('administrator', null, 'revise'));
$this->assertTrue($this->_acl->isAllowed('administrator', null, 'publish'));
$this->assertTrue($this->_acl->isAllowed('administrator', null, 'archive'));
$this->assertTrue($this->_acl->isAllowed('administrator', null, 'delete'));
$this->assertTrue($this->_acl->isAllowed('administrator', null, 'unknown'));
$this->assertTrue($this->_acl->isAllowed('administrator'));

// Some checks on specific areas, which inherit access controls from the root ACL node
$this->_acl->addResource(new Resource\GenericResource('newsletter'))
           ->addResource(new Resource\GenericResource('pending'), 'newsletter')
           ->addResource(new Resource\GenericResource('gallery'))
           ->addResource(new Resource\GenericResource('profiles'), 'gallery') // GenericResource takes one argument; the parent is the second argument of addResource()
           ->addResource(new Resource\GenericResource('config'))
           ->addResource(new Resource\GenericResource('hosts'), 'config');
$this->assertTrue($this->_acl->isAllowed('guest', 'pending', 'view'));
$this->assertTrue($this->_acl->isAllowed('staff', 'profiles', 'revise'));
$this->assertTrue($this->_acl->isAllowed('staff', 'pending', 'view'));
$this->assertTrue($this->_acl->isAllowed('staff', 'pending', 'edit'));
$this->assertFalse($this->_acl->isAllowed('staff', 'pending', 'publish'));
$this->assertFalse($this->_acl->isAllowed('staff', 'pending'));
$this->assertFalse($this->_acl->isAllowed('editor', 'hosts', 'unknown'));
$this->assertTrue($this->_acl->isAllowed('administrator', 'pending'));

// Add a new group, marketing, which bases its permissions on staff
$this->_acl->addRole(new Role\GenericRole('marketing'), 'staff');

// Refine the privilege sets for more specific needs

// Allow marketing to publish and archive newsletters
$this->_acl->allow('marketing', 'newsletter', array('publish', 'archive'));

// Allow marketing to publish and archive latest news
$this->_acl->addResource(new Resource\GenericResource('news'))
           ->addResource(new Resource\GenericResource('latest'), 'news');
$this->_acl->allow('marketing', 'latest', array('publish', 'archive'));

// Deny staff (and marketing, by inheritance) rights to revise latest news
$this->_acl->deny('staff', 'latest', 'revise');

// Deny everyone access to archive news announcements
$this->_acl->addResource(new Resource\GenericResource('announcement'), 'news');
$this->_acl->deny(null, 'announcement', 'archive');

// Access control checks for the above refined permission sets

$this->assertTrue($this->_acl->isAllowed('marketing', null, 'view'));
$this->assertTrue($this->_acl->isAllowed('marketing', null, 'edit'));
$this->assertTrue($this->_acl->isAllowed('marketing', null, 'submit'));
$this->assertTrue($this->_acl->isAllowed('marketing', null, 'revise'));
$this->assertFalse($this->_acl->isAllowed('marketing', null, 'publish'));
$this->assertFalse($this->_acl->isAllowed('marketing', null, 'archive'));
$this->assertFalse($this->_acl->isAllowed('marketing', null, 'delete'));
$this->assertFalse($this->_acl->isAllowed('marketing', null, 'unknown'));
$this->assertFalse($this->_acl->isAllowed('marketing'));

$this->assertTrue($this->_acl->isAllowed('marketing', 'newsletter', 'publish'));
$this->assertFalse($this->_acl->isAllowed('staff', 'pending', 'publish'));
$this->assertTrue($this->_acl->isAllowed('marketing', 'pending', 'publish'));
$this->assertTrue($this->_acl->isAllowed('marketing', 'newsletter', 'archive'));
$this->assertFalse($this->_acl->isAllowed('marketing', 'newsletter', 'delete'));
$this->assertFalse($this->_acl->isAllowed('marketing', 'newsletter'));

$this->assertTrue($this->_acl->isAllowed('marketing', 'latest', 'publish'));
$this->assertTrue($this->_acl->isAllowed('marketing', 'latest', 'archive'));
$this->assertFalse($this->_acl->isAllowed('marketing', 'latest', 'delete'));
$this->assertFalse($this->_acl->isAllowed('marketing', 'latest', 'revise'));
$this->assertFalse($this->_acl->isAllowed('marketing', 'latest'));

$this->assertFalse($this->_acl->isAllowed('marketing', 'announcement', 'archive'));
$this->assertFalse($this->_acl->isAllowed('staff', 'announcement', 'archive'));
$this->assertFalse($this->_acl->isAllowed('administrator', 'announcement', 'archive'));

$this->assertFalse($this->_acl->isAllowed('staff', 'latest', 'publish'));
$this->assertFalse($this->_acl->isAllowed('editor', 'announcement', 'archive'));

// Remove some previous permission specifications

// Marketing can no longer publish and archive newsletters
$this->_acl->removeAllow('marketing', 'newsletter', array('publish', 'archive'));

// Marketing can no longer archive the latest news
$this->_acl->removeAllow('marketing', 'latest', 'archive');

// Now staff (and marketing, by inheritance) may revise latest news
$this->_acl->removeDeny('staff', 'latest', 'revise');

// Access control checks for the above refinements

$this->assertFalse($this->_acl->isAllowed('marketing', 'newsletter', 'publish'));
$this->assertFalse($this->_acl->isAllowed('marketing', 'newsletter', 'archive'));

$this->assertFalse($this->_acl->isAllowed('marketing', 'latest', 'archive'));

$this->assertTrue($this->_acl->isAllowed('staff', 'latest', 'revise'));
$this->assertTrue($this->_acl->isAllowed('marketing', 'latest', 'revise'));

// Grant marketing all permissions on the latest news
$this->_acl->allow('marketing', 'latest');

// Access control checks for the above refinement
$this->assertTrue($this->_acl->isAllowed('marketing', 'latest', 'archive'));
$this->assertTrue($this->_acl->isAllowed('marketing', 'latest', 'publish'));
$this->assertTrue($this->_acl->isAllowed('marketing', 'latest', 'edit'));
$this->assertTrue($this->_acl->isAllowed('marketing', 'latest'));

@macnibblet
If I call addResource() before calling isAllowed, then $this->_acl->isAllowed('administrator') returns false.

Contributor

macnibblet commented Apr 15, 2013

Can you please gist/pastebin the entire code?

@macnibblet
$this->_acl = new \Zend\Permissions\Acl\Acl();

$this->_acl->addRole(new Role\GenericRole('administrator'));

$this->_acl->addResource(new Resource\GenericResource('newsletter'));
$this->_acl->allow('administrator');

var_dump($this->_acl->isAllowed('administrator')); // bool(false)

@macnibblet
Here is another report about this: zendframework#3934

Owner

weierophinney commented Apr 15, 2013

I'll summarize the issue, which I've confirmed:

  • null resources and/or permissions when no resources exist in the tree works as expected (role has rights for all permissions queried).
  • Assigning a null resource and/or permission prior to resources existing in the tree, and then adding resources to the tree, works as expected (role receives rights on new resources added).
  • Using null for the resource and permission when one or more resources already exist in the tree does not work (role will not receive rights on the resources that already exist).

This does appear to be a bug; looking into it now.

weierophinney added some commits Apr 15, 2013

@weierophinney weierophinney [#4226] Added test reproducing issue
- calling `allow($role)` after a resource exists should grant that role
  all privileges on all resources.
8c61669
@weierophinney weierophinney [#4226] Fix null resource/privilege assignment
- Prepend `null` to the list of resources when `null` is passed as the
  resource to `allow()`/`deny()`, ensuring that `allPrivileges` gets
  updated correctly.
4f4d60e
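The three behaviours listed in the summary above, and the fix described in the commit message (prepend null to the resource list so the global node is updated too), can be replayed with a toy model. The following is an added illustration and not Zend's Acl class: it keeps only a resource tree rooted at the global node None, rules stored per resource node, and a lookup that walks from the queried resource up to the root. Role inheritance, assertions and the role registry are left out; the `prepend_null` switch, the `ToyAcl` class and the scenario functions are constructed for this example.

```python
"""Toy model of a resource-tree ACL reproducing the null-resource ordering bug.

Added illustration only (not Zend's Acl): enough structure to show why
allow($role) stopped reaching the root once a resource existed.
"""


class ToyAcl:
    def __init__(self, prepend_null):
        # prepend_null=False models the behaviour before the fix;
        # prepend_null=True models the fix (None prepended to the target list).
        self.prepend_null = prepend_null
        self.parents = {}   # resource id -> parent id (None means the root)
        self.rules = {}     # resource id -> role -> {"all": bool|None, "privs": {priv: bool}}

    def add_resource(self, resource, parent=None):
        if parent is not None and parent not in self.parents:
            raise KeyError("unknown parent resource %r" % parent)
        self.parents[resource] = parent
        return self

    def _ancestors(self, resource):
        chain = []
        while resource is not None:
            resource = self.parents[resource]
            chain.append(resource)
        return chain  # always ends with the root, None

    def _targets(self, resource):
        """Resource nodes a rule for `resource` is written to."""
        if resource is not None:
            # a rule on a resource also covers every descendant
            return [resource] + [r for r in self.parents if resource in self._ancestors(r)]
        existing = list(self.parents)
        if self.prepend_null or not existing:
            return [None] + existing
        return existing  # pre-fix: the root node is skipped once any resource exists

    def _set_rule(self, allowed, role, resource, privileges):
        for target in self._targets(resource):
            rule = self.rules.setdefault(target, {}).setdefault(
                role, {"all": None, "privs": {}})
            if privileges is None:
                rule["all"] = allowed          # rule covering all privileges
            else:
                for priv in privileges:
                    rule["privs"][priv] = allowed

    def allow(self, role, resource=None, privileges=None):
        self._set_rule(True, role, resource, privileges)
        return self

    def deny(self, role, resource=None, privileges=None):
        self._set_rule(False, role, resource, privileges)
        return self

    def is_allowed(self, role, resource=None, privilege=None):
        node = resource
        while True:
            rule = self.rules.get(node, {}).get(role)
            if rule is not None:
                if privilege is not None and privilege in rule["privs"]:
                    return rule["privs"][privilege]
                if rule["all"] is not None:
                    return rule["all"]
            if node is None:
                return False  # nothing matched up to the root: default deny
            node = self.parents[node]


def reproduce_issue(prepend_null):
    """The reporter's sequence: resource first, then allow(role), then queries."""
    acl = ToyAcl(prepend_null)
    acl.add_resource("newsletter")
    acl.allow("administrator")          # null resource, null privilege
    acl.add_resource("gallery")         # added after the grant
    return {
        "root": acl.is_allowed("administrator"),
        "existing": acl.is_allowed("administrator", "newsletter", "edit"),
        "added_later": acl.is_allowed("administrator", "gallery", "edit"),
    }


def grant_before_resources(prepend_null):
    """The case that worked in both versions: allow(role) on an empty tree."""
    acl = ToyAcl(prepend_null)
    acl.allow("administrator")
    acl.add_resource("newsletter")
    return acl.is_allowed("administrator", "newsletter", "view")


def deny_on_subtree():
    """With the fix: a resource-level deny overrides an inherited allow for its subtree."""
    acl = ToyAcl(prepend_null=True)
    acl.add_resource("newsletter").add_resource("pending", "newsletter")
    acl.allow("staff", None, ["view", "revise"])
    acl.deny("staff", "newsletter", ["revise"])
    return (acl.is_allowed("staff", "pending", "view"),
            acl.is_allowed("staff", "pending", "revise"),
            acl.is_allowed("staff", None, "revise"))


if __name__ == "__main__":
    print("before fix:", reproduce_issue(False))
    print("after fix: ", reproduce_issue(True))
```

Run stand-alone, `reproduce_issue(False)` reports the root query and the later-added resource as denied while the pre-existing resource is allowed, which is the pattern from the reporter's `var_dump` and the summary's third bullet; with `prepend_null=True` all three are allowed. The practical lesson for anyone auditing an ACL of this shape: a "grant everything" rule is only as global as the node it was written to, so tests should query the root, an existing resource and a resource added after the grant.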
Owner

weierophinney commented Apr 15, 2013

Please mark #3934 as fixed when merging! :)

@ezimuel ezimuel merged commit 4f4d60e into zendframework:master Apr 16, 2013

1 check passed (default): The Travis build passed

@weierophinney weierophinney added a commit to zendframework/zend-permissions-acl that referenced this pull request May 15, 2015

@weierophinney weierophinney [zendframework/zendframework#4226] Added test reproducing issue
- calling `allow($role)` after a resource exists should grant that role
  all privileges on all resources.
5f2823b

@weierophinney weierophinney added a commit to zendframework/zend-permissions-acl that referenced this pull request May 15, 2015

@weierophinney weierophinney [zendframework/zendframework#4226] Fix null resource/privilege assignment

- Prepend `null` to the list of resources when `null` is passed as the
  resource to `allow()`/`deny()`, ensuring that `allPrivileges` gets
  updated correctly.
3a1c449