Issues

ZF-10649: Recent fix for Issue ZF-9643 seems to break a critical functionality of Zend_Acl

Description

Seems that the recent fix http://framework.zend.com/issues/browse/ZF-9643 broke a critical functionality of Zend_Acl

$acl = new Zend_Acl(); $acl->addRole(new Zend_Acl_Role('administrator')); $acl->addResource(new Zend_Acl_Resource('administrator'));

$acl->allow('administrator');

echo $acl->isAllowed('administrator') ? "allowed" : "denied"; // denied

// In versions 1.10.x 'administrator' role would be allowed to access All resources // by $acl->allow('administrator'); or $acl->allow('administrator', null); // basically saying to allow Role 'administrator' to Access ALL Resources

// Reverting the old code from line 636 of Zend_Acl would fix the issue, but of course would revert ZF-9643 issue // $resources = ($resources == null && count($this->_resources) > 0) ? array_keys($this->_resources) : array($resources); // revert to // array($resources)

Comments

I am experiencing this same issue, it is preventing me from upgrading to 1.11.0. Reverting as specified by Reporter above fixes it.

Same problem here, prevents me from upgrading to 1.11.0. I've got a default allow permission schema for a site with just 3 resources that need to be restricted.


// default permission is allow
$this->allow();

This won't give permission to any resource that is NOT defined as follows:


$this->add(new Zend_Acl_Resource('account'));

In 1.10.8 it worked as expected, gave permission to every other resource. Thanks for fixing soon!

I've uploaded a patch for this issue. It includes a unit test.

The problem is actually pretty interesting. The fix for ZF-9643 was at the time a good fix, but there is this use case (described in this issue) that was not covered by our existing unit tests. Regardless, this use case is indeed pretty common, so we need to find a way to ensure that all common use cases work.

In this solution, we actually need to handle (in setRule()) the special case of what happens when 'null' is passed in for resources. The concept of "all resources" is handled by a special "global" ruleset. This solution attempts to modify the global ruleset instead of iterating and applying a rule to all resources. Consequently, when removing rules globally, this patch iterates all resources to do a full "cleanup".

The solution provided is completely backwards compatible for as far as all the use cases described in old and the new unit tests.

Please test this.

I had the same problem and the patch fixed it ! Thanks Ralph

Had the same problem after upgrade. Path worked as expected. Thanks.

The patch worked as expected. Thank you for fixing the issue.

Fixed in trunk at r23357 and release branch 1.11 at 23358