Zend Framework

Assertion implementation does not receive ACL privilege query parameter.

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 1.9.3
  • Fix Version/s: 1.10.0
  • Component/s: Zend_Acl
  • Labels:
    None

Description

(I am experiencing a bug in the latest version of Zend that seems similar to an issue reported in the past - ZF-5425. It is the same in every way except I am only having trouble with the "privilege" parameter. Everything else seems to be being passed.)

Zend_Acl manual states that:

The assert() method of an assertion object is passed the ACL, role, resource, and privilege to which the authorization query (i.e., isAllowed()) applies, in order to provide a context for the assertion class to determine its conditions where needed.

But when assertion is attached to global "all-privileges" with:

$acl->allow('someRole', null, null, new MyAssertion());

... with the assertion built like:

class MyAssertion implements Zend_Acl_Assert_Interface {
    public function assert(Zend_Acl $acl,
                           Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null,
                           $privilege = null)
    {
        if($role == 'someRole') return true;
        elseif($resource == 'someBannedResource') return false;
        else return true;
    }
}

... Then after a query:

$acl->isAllowed('someRole','someResource','somePermission');

... the assertion should be called with

assert(Zend_Acl object, 'someRole', 'someResource', 'somePermission').

Instead it is called with

assert(Zend_Acl object, 'someRole', 'someResource', null)

  1. Acl.php
    06/Oct/09 2:54 PM
    41 kB
    Aaron Lozier
  2. Acl.php
    30/Sep/09 3:06 PM
    41 kB
    Aaron Lozier

Activity

Aaron Lozier added a comment -

The attached file contains what seems to be a fix for the reported issue. Here is what I added:

Lines 93-96: added _isAllowedPrivilege parameter. This serves the same purpose as _isAllowedRole and _isAllowedResource directly above.

Lines 762-765: sets _isAllowedPrivilege to $privilege where $privilege is not null. Again, same as the functionality for role and resource directly above.

Line 1047: changed $privilege to $this->_isAllowedPrivilege

The main point here is that wherever null value ('all-privileges') is used in the allow() function, the original value of privilege gets lost in the loop by the time it calls the assertion class. Saving it in a class parameter and passing that when the assertion class is called resolves the problem.

Hope this helps!

Aaron Lozier added a comment -

_isAllowedPrivilege must also be set back to null at beginning of isAllowed method. Lines 741-742

FROM:

// reset role & resource to null
$this->_isAllowedRole = $this->_isAllowedResource = null;

TO:

// reset role & resource & privilege to null
$this->_isAllowedRole = $this->_isAllowedResource = $this->_isAllowedPrivilege = null;

Dolf Schimmel (Freeaqingme) added a comment -

Fixed. Thanks for reporting!
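
A simplified, self-contained model of the behaviour discussed in this issue, added here as an example; it is not Zend_Acl's code and not the attached patch. `MiniAcl`, `Assertion`, `NoDeleteAssertion` and the 'delete' privilege are assumed names. It shows why the lost privilege matters for authorization: an assertion that denies one privilege receives null through the all-privileges rule and lets the request through, while the variant that remembers the queried privilege denies it.

```php
<?php
// Simplified model of the reported behaviour; not Zend_Acl's source.
// MiniAcl, Assertion, NoDeleteAssertion and 'delete' are hypothetical names.
interface Assertion { public function assert($role, $resource, $privilege); }
// Permits everything except 'delete', so it must see the queried privilege.
class NoDeleteAssertion implements Assertion
{
    public $seen = array();
    public function assert($role, $resource, $privilege)
    {
        $this->seen[] = $privilege;
        return $privilege !== 'delete';
    }
}

class MiniAcl
{
    private $rules = array();  // [role][privilege or '*'] => Assertion
    private $queried = null;   // privilege of the current isAllowed() query
    private $fixed;
    public function __construct($fixed) { $this->fixed = $fixed; }
    public function allow($role, $privilege, Assertion $assert)
    {
        $this->rules[$role][$privilege === null ? '*' : $privilege] = $assert;
    }
    public function isAllowed($role, $resource, $privilege)
    {
        $this->queried = $privilege;  // overwritten on every query, never stale
        // Exact privilege first, then fall back to the all-privileges rule.
        foreach (array($privilege, null) as $lookup) {
            $key = $lookup === null ? '*' : $lookup;
            if (isset($this->rules[$role][$key])) {
                // Unfixed path passes the lookup key, which is null on fallback.
                $arg = $this->fixed ? $this->queried : $lookup;
                return $this->rules[$role][$key]->assert($role, $resource, $arg);
            }
        }
        return false;  // default deny
    }
}

foreach (array(false, true) as $fixed) {
    $acl = new MiniAcl($fixed);
    $assert = new NoDeleteAssertion();
    $acl->allow('someRole', null, $assert);  // all-privileges rule, as in the report
    $ok = $acl->isAllowed('someRole', 'someResource', 'delete');
    printf("%s: allowed=%s, assertion saw %s\n", $fixed ? 'fixed' : 'unfixed',
        var_export($ok, true), var_export($assert->seen[0], true));
}
```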

