Issue Type: Bug Created: 2010-11-05T16:53:47.000+0000 Last Updated: 2011-01-21T08:57:36.000+0000 Status: Resolved Fix version(s): - 1.11.1 (30/Nov/10)
Reporter: Jerome Coloma (froz) Assignee: Ralph Schindler (ralph) Tags: - Zend_Acl
Related issues: - ZF-9643
Attachments: - ZF-10649.patch
Seems that the recent fix http://framework.zend.com/issues/browse/ZF-9643 broke a critical functionality of Zend_Acl
$acl = new Zend_Acl(); $acl->addRole(new Zend_Acl_Role('administrator')); $acl->addResource(new Zend_Acl_Resource('administrator'));
echo $acl->isAllowed('administrator') ? "allowed" : "denied"; // denied
// In versions 1.10.x 'administrator' role would be allowed to access All resources // by $acl->allow('administrator'); or $acl->allow('administrator', null); // basically saying to allow Role 'administrator' to Access ALL Resources
// Reverting the old code from line 636 of Zend_Acl would fix the issue, but of course would revert ZF-9643 issue // $resources = ($resources == null && count($this->_resources) > 0) ? array_keys($this->_resources) : array($resources); // revert to // array($resources)
Posted by jsnod (afx114) on 2010-11-09T14:33:07.000+0000
I am experiencing this same issue, it is preventing me from upgrading to 1.11.0. Reverting as specified by Reporter above fixes it.
Posted by Philip Iezzi (iezzip) on 2010-11-11T09:10:44.000+0000
Same problem here, prevents me from upgrading to 1.11.0. I've got a default allow permission schema for a site with just 3 resources that need to be restricted.
<pre class="highlight"> // default permission is allow $this->allow();
This won't give permission to any resource that is NOT defined as follows:
<pre class="highlight"> $this->add(new Zend_Acl_Resource('account'));
In 1.10.8 it worked as expected, gave permission to every other resource. Thanks for fixing soon!
Posted by Ralph Schindler (ralph) on 2010-11-12T12:24:51.000+0000
I've uploaded a patch for this issue. It includes a unit test.
The problem is actually pretty interesting. The fix for ZF-9643 was at the time a good fix, but there is this use case (described in this issue) that was not covered by our existing unit tests. Regardless, this use case is indeed pretty common, so we need to find a way to ensure that all common use cases work.
In this solution, we actually need to handle (in setRule()) the special case of what happens when 'null' is passed in for resources. The concept of "all resources" is handled by a special "global" ruleset. This solution attempts to modify the global ruleset instead of iterating and applying a rule to all resources. Consequently, when removing rules globally, this patch iterates all resources to do a full "cleanup".
The solution provided is completely backwards compatible for as far as all the use cases described in old and the new unit tests.
Please test this.
Posted by Emmanuel Bouton (goten4) on 2010-11-13T13:22:21.000+0000
I had the same problem and the patch fixed it ! Thanks Ralph
Posted by Jacek Kobus (jacekkobus.com) on 2010-11-14T17:06:36.000+0000
Had the same problem after upgrade. Path worked as expected. Thanks.
Posted by Jerome Coloma (froz) on 2010-11-14T17:10:59.000+0000
The patch worked as expected. Thank you for fixing the issue.
Posted by Ralph Schindler (ralph) on 2010-11-18T08:20:28.000+0000
Fixed in trunk at r23357 and release branch 1.11 at 23358
Have you found an issue?
See the Overview section for more details.