Issues

ZF-7973: Assertion implementation does not receive ACL privilege query parameter.

Description

(I am experiencing a bug in the latest version of Zend that seems similar to an issue reported in the past - ZF-5425. It is the same in every way except I am only having trouble with the "privilege" parameter. Everything else seems to be being passed.)

Zend_Acl manual states that:

{quote} The assert() method of an assertion object is passed the ACL, role, resource, and privilege to which the authorization query (i.e., isAllowed()) applies, in order to provide a context for the assertion class to determine its conditions where needed. {quote}

But when assertion is attached to global "all-privileges" with:


$acl::allow('someRole',null,null,new MyAssertion());

... with the assertion built like:


class MyAssertion implements Zend_Acl_Assert_Interface {
    public function assert(Zend_Acl $acl,
                Zend_Acl_Role_Interface $role = null,
                Zend_Acl_Resource_Interface $resource = null,
                $privilege = null)
    {
        if($role == 'someRole') return true;
        elseif($resource == 'someBannedResource') return false;        
        else return true;
    }   
}

... Then after a query:


 $acl->isAllowed('someRole','someResource','somePermission');

... the assertion should be called with

{{assert(Zend_Acl object, 'somerole', 'someResource', 'somePermission')}}.

Instead it is called with

{{assert(Zend_Acl object, 'somerole', 'someResource', null)}}

Comments

The attached file contains what seems to be a fix for the reported issue. Here is what I added:

Lines 93-96: added _isAllowedPrivilege parameter. this serves the same purpose as _isAllowedRole and _isAllowedResource directly above.

Lines 762-765: sets _isAllowedPrivilege to $privilege where $privilege not null. again, same as the functionality for role and resource directly above.

Line 1047: changed $privilege to $this->_isAllowedPrivilege

The main point here is that wherever null value ('all-privileges') is used in the allow() function, the original value of privilege gets lost in the loop by the time it calls the assertion class. Saving it in a class parameter and passing that when the assertion class is called resolves the problem.

Hope this helps!

_isAllowedPrivilege must also be set back to null at beginning of isAllowed method. Lines 741-742

FROM:

    // reset role & resource to null
    $this->_isAllowedRole = $this->_isAllowedResource = null;

TO:

    // reset role & resource & privilege to null
    $this->_isAllowedRole = $this->_isAllowedResource = $this->_isAllowedPrivilege = null;

Fixed. Thanks for reporting!