Issues

ZF-1721: Zend_Acl::isAllowed does not support Role/Resource Inheritance down to Assertions

Issue Type: Bug Created: 2007-07-14T16:52:11.000+0000 Last Updated: 2009-08-14T14:38:15.000+0000 Status: Resolved Fix version(s): - 1.9.1 (11/Aug/09)

Reporter: Ralph Schindler (ralph) Assignee: Ralph Schindler (ralph) Tags: - Zend_Acl

Related issues: - ZF-1722

Attachments:

Description

Zend_Acl::isAllowed currently transforms any is_a Zend_Acl_Role_Interface and Zend_Acl_Resource_Interface based objects to that of Zend_Acl_Role, and Zend_Acl_Resource.

This diminishes any benefit a developer might see in using assertions in a dynamic manner (ie, accessing properties of an object that has implemented a Role or Resource Interface) inside the assertion.

my fix is supplied below:

<pre class="highlight">
    public function isAllowed($role = null, $resource = null, $privilege = null)
    {
        // make sure $role is a valid role
        if (null !== $role) {
            $this->_getRoleRegistry()->get($role); // throws exception if not found
        }

        if (null !== $resource) {
            $this->get($resource); // throws exception if not found
        }

Comments

Posted by Ralph Schindler (ralph) on 2007-07-14T18:47:14.000+0000

Scratch that, this is a safer approach:

<pre class="highlight">
    public function isAllowed($role = null, $resource = null, $privilege = null)
    {
        // make sure $role is a valid role
        if (null !== $role) {
            $registryRole = $this->_getRoleRegistry()->get($role); // throws exception if not found

            if (!$role instanceof Zend_Acl_Role_Interface) {
                $role = $registryRole;
            }
        }
        
        if (null !== $resource) {
            $registryResource = $this->get($resource); // throws exception if not found
            if (!$resource instanceof Zend_Acl_Resource_Interface) {
                $resource = $registryResource;
            }
        }

Posted by Darby Felton (darby) on 2007-07-26T11:54:47.000+0000

Postponing to after 1.0.1.

Posted by Darby Felton (darby) on 2007-08-01T13:17:20.000+0000

The issue description shows the same code as Zend_Acl already has at the top of isAllowed().

The proposed fix has no effect since: * Zend_Acl_Role_Registry::get() always returns an instance of Zend_Acl_Role_Interface unless an exception is thrown for a role not found, and * Zend_Acl::get() always returns an instance of Zend_Acl_Resource_Interface unless an exception is thrown for a resource not found.

Resolving as incomplete. See also [ZF-1722] and [ZF-1765].

Posted by Ralph Schindler (ralph) on 2007-08-01T13:41:10.000+0000

Darby, the problem with ACL at current is its goals and architecture. The impression is that by using a is-a (instanceof) architecture, you are implying that you can implement Base Roles and Resoures and expect them to persist through the isAllowed, which is not the case. The initial problem is that isAllowed will take any supplied object that implements the interface, and turn it into the object presented at ACL creation time.

This is not what I want, and I think that moving forward, as more people start to use ACL for runtime resource access checking, this will be a need.

That being said, the current code:

<pre class="highlight">
        if (null !== $role) {
            $role = $this->_getRoleRegistry()->get($role);
        }

        if (null !== $resource) {
            $resource = $this->get($resource);
        }

will always produce the same object supplied at ACL creation time.

Whereas, this code:

<pre class="highlight">
public function isAllowed($role = null, $resource = null, $privilege = null)
    {
        // make sure $role is a valid role
        if (null !== $role) {
            $registryRole = $this->_getRoleRegistry()->get($role); // throws exception if not found

            if (!$role instanceof Zend_Acl_Role_Interface) {
                $role = $registryRole;
            }
        }
        
        if (null !== $resource) {
            $registryResource = $this->get($resource); // throws exception if not found
            if (!$resource instanceof Zend_Acl_Resource_Interface) {
                $resource = $registryResource;
            }
        }

Will allow an object that implements the interface to persist through the isAllowed, as long as the ID (object type) matches somethign that is in the ACL registry.

Again, its an architectual issue, but one that I will address in a few days with code.

Posted by Ralph Schindler (ralph) on 2007-08-03T12:37:24.000+0000

After discussion with darby, this is still an issue. (linked to ZF-1722 as well)

Posted by Martijn Korse (themarty) on 2008-08-08T06:08:39.000+0000

If i understand the problem correctly i think this shouldn't be solved here, but by overloading the _getRoleRegistry() and get() method.

I've created something in the past where i extended the Role Registry class and overloaded the getRoleRegistry() method (in an extended version of the Zend_Acl class), so it would return an object of my own registry class. and had no problem accessing the the properties of my custom role objects in assertions

Posted by Wil Sinclair (wil) on 2008-12-19T11:32:31.000+0000

I think you're the right person to assign this to, Ralph. We don't need to address it immediately, but I'd like closure on this soon after 1.8.

Posted by Avi Block (blocka) on 2009-05-02T20:46:26.000+0000

Any update on this? 1.8 has been released!

Posted by Stefan Gehrig (sgehrig) on 2009-06-15T01:55:37.000+0000

Anything new on this one?

Posted by James Ellis (jamesellis) on 2009-06-16T06:41:25.000+0000

Is Ralph actually working on this issue actively or should we not hold our breath?

Posted by Ralph Schindler (ralph) on 2009-07-30T18:40:40.000+0000

Fix in place in trunk as of r17317, please test.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts