ZF-7119: ACL does not permit a "deny all privileges all permissions", i.e. an unexpected implementation of "all resources" (two examples).

Description

I have two scenarios that result in unexpected behavior of the acl component.

  1. If I deny all privileges to all resources, explicit allow rules are still allowing access.
<?php
include_once('Zend/Acl.php');
include_once('Zend/Acl/Role.php');
include_once('Zend/Acl/Resource.php');

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('user'));
$acl->addRole(new Zend_Acl_Role('troll'));

$acl->add(new Zend_Acl_Resource('news'));
$acl->add(new Zend_Acl_Resource('users'));

/* http://framework.zend.com/manual/en/zend.acl.html
   The NULL values in the above allow() calls are used to indicate that the allow rules apply to all resources. */

/* all the roles are permitted to view all resources */
$acl->allow(null, null, 'view');
$acl->allow('troll', 'news', 'view');

/* trolls denied all privileges to all resources!! */
$acl->deny('troll', null, null);

echo 'troll-all-view: ' . ($acl->isAllowed('troll', null, 'view') ? 'allowed to view' : 'denied to view');
echo "\n";
/* expecting: denied, result: allowed */
echo 'troll-news-view: ' . ($acl->isAllowed('troll', 'news', 'view') ? 'allowed to view' : 'denied to view');
echo "\n";
echo 'user-all-view: ' . ($acl->isAllowed('user', null, 'view') ? 'allowed to view' : 'denied to view');
echo "\n";
?>
  2. If I ask if a specific role is allowed viewing privileges on all resources, but one of the resources is denied viewing privileges, I still get a positive result.

<?php
include_once('Zend/Acl.php');
include_once('Zend/Acl/Role.php');
include_once('Zend/Acl/Resource.php');

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('user'));
$acl->addRole(new Zend_Acl_Role('troll'));

$acl->add(new Zend_Acl_Resource('news'));
$acl->add(new Zend_Acl_Resource('users'));

/* http://framework.zend.com/manual/en/zend.acl.html
   The NULL values in the above allow() calls are used to indicate that the allow rules apply to all resources. */

/* all the roles are permitted to view all resources */
$acl->allow(null, null, 'view');

/* trolls denied to view news items */
$acl->deny('troll', 'news', null);

/* expecting: denied, result: allowed */
echo 'troll-all-view: ' . ($acl->isAllowed('troll', null, 'view') ? 'allowed to view' : 'denied to view');
echo "\n";
/* explicit denied rule does work though */
echo 'troll-news-view: ' . ($acl->isAllowed('troll', 'news', 'view') ? 'allowed to view' : 'denied to view');
echo "\n";
echo 'user-all-view: ' . ($acl->isAllowed('user', null, 'view') ? 'allowed to view' : 'denied to view');
echo "\n";
?>

Best Regards, Onno

Comments

This bug seems to be about a possible problem with the structure of Zend_ACL so it might be interesting to also have a look at bug ZF-5369

This is not related to ZF-5369. ZF-5369 is about inheritance. This issue is about changing the ACL for a user in a script, that's not picked up correctly by Zend_ACL.

It in fact is the same problem. The "problem" is that zend_acl doesn't keep track of the order in which rules are added.


<?php
include_once('Zend/Acl.php');
include_once('Zend/Acl/Role.php');
include_once('Zend/Acl/Resource.php');

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('user'));
$acl->addRole(new Zend_Acl_Role('troll'));

$acl->add(new Zend_Acl_Resource('news'));
$acl->add(new Zend_Acl_Resource('users'));

$acl->allow('troll', 'news', 'view'); // allow first, deny later
$acl->deny('troll', null, null);

As a result of that the above code sample is equal to this:


<?php
include_once('Zend/Acl.php');
include_once('Zend/Acl/Role.php');
include_once('Zend/Acl/Resource.php');

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('user'));
$acl->addRole(new Zend_Acl_Role('troll'));

$acl->add(new Zend_Acl_Resource('news'));
$acl->add(new Zend_Acl_Resource('users'));

$acl->deny('troll', null, null); // Deny first, allow later
$acl->allow('troll', 'news', 'view');

Closing this issue as duplicate.
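To make the ordering point above concrete, here is a small Python model added to this page (it is not Zend_Acl's code and does not reproduce its behaviour): rules are evaluated in insertion order with the last match winning, and a query against "all resources" is granted only if every registered resource grants it, which is the semantics the reporter expected. The names OrderedAcl, ALL, RESOURCES, query, scenario_one, scenario_two and order_matters are hypothetical.

```python
from typing import List, Optional, Tuple

ALL = None  # wildcard standing in for Zend_Acl's null (all roles / resources / privileges)
RESOURCES = ["news", "users"]  # the two resources used in the report

class OrderedAcl:
    """Hypothetical toy ACL (not Zend_Acl): rules keep insertion order and the
    last matching rule wins, so a deny added after an allow overrides it."""
    def __init__(self, resources: List[str]) -> None:
        self.resources = list(resources)
        self.rules: List[Tuple[bool, Optional[str], Optional[str], Optional[str]]] = []
    def allow(self, role, resource, privilege) -> None:
        self.rules.append((True, role, resource, privilege))
    def deny(self, role, resource, privilege) -> None:
        self.rules.append((False, role, resource, privilege))
    def _decide(self, role: str, resource: str, privilege: str) -> bool:
        verdict = False  # default deny when no rule matches
        for allowed, r_role, r_res, r_priv in self.rules:  # later matches override earlier ones
            if r_role in (ALL, role) and r_res in (ALL, resource) and r_priv in (ALL, privilege):
                verdict = allowed
        return verdict
    def is_allowed(self, role: str, resource: Optional[str], privilege: str) -> bool:
        # "All resources" is granted only when every registered resource grants it.
        if resource is ALL:
            return all(self._decide(role, res, privilege) for res in self.resources)
        return self._decide(role, resource, privilege)

def query(acl: OrderedAcl) -> Tuple[bool, bool, bool]:
    # The three isAllowed() checks the report prints, in the same order.
    return (acl.is_allowed("troll", ALL, "view"),
            acl.is_allowed("troll", "news", "view"),
            acl.is_allowed("user", ALL, "view"))

def scenario_one() -> Tuple[bool, bool, bool]:
    acl = OrderedAcl(RESOURCES)
    acl.allow(ALL, ALL, "view")         # everyone may view everything
    acl.allow("troll", "news", "view")
    acl.deny("troll", ALL, ALL)         # trolls denied everything, added last
    return query(acl)                   # returns (False, False, True)

def scenario_two() -> Tuple[bool, bool, bool]:
    acl = OrderedAcl(RESOURCES)
    acl.allow(ALL, ALL, "view")
    acl.deny("troll", "news", ALL)      # trolls denied news only
    return query(acl)                   # returns (False, False, True)

def order_matters() -> Tuple[bool, bool]:
    # The two rules from the comment above, added in opposite orders.
    a = OrderedAcl(RESOURCES); a.allow("troll", "news", "view"); a.deny("troll", ALL, ALL)
    b = OrderedAcl(RESOURCES); b.deny("troll", ALL, ALL); b.allow("troll", "news", "view")
    return (a.is_allowed("troll", "news", "view"), b.is_allowed("troll", "news", "view"))
```

Under these semantics both scenarios yield "denied" for the troll and "allowed" for the user, and the two rule orders from the comment stop being equivalent.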