ZF-2257: Zend_Acl - access control list processing error

Issue Type: Bug Created: 2007-12-03T13:23:00.000+0000 Last Updated: 2008-09-02T10:39:15.000+0000 Status: Resolved Fix version(s): - 1.6.0 (02/Sep/08)

Reporter: Bogdan Modzelewski (motzel) Assignee: Darby Felton (darby) Tags: - Zend_Acl

Related issues: Attachments:


Bug example follows:

<pre class="highlight">
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Role.php';

$acl = new Zend_Acl();

$acl->addRole(new Zend_Acl_Role('foo'));
$acl->add(new Zend_Acl_Resource('bar'));


echo 'access to bar by foo is '.($acl->isAllowed('foo','bar') ? 'allowed' : 'denied');

I've encountered an error during processing simple ACL. First, we allow acces to resource 'bar' by 'foo' role, and then we deny access to all resources by this role. Expecting result is 'denied', but unfortunately 'allowed' appears on screen...

ACL works as expected when we explictly pass a resource to deny method, - try change last acl line to:

<pre class="highlight">


Posted by Jordan Ryan Moore (jordanryanmoore) on 2008-02-17T23:49:49.000+0000

This is not a bug, it works as intended. $acl->deny('foo') means deny 'foo' access to all resources where other rules have not been defined. It basically sets a default.

Posted by Wil Sinclair (wil) on 2008-03-31T16:14:04.000+0000

Please evaluate and categorize as necessary.

Posted by Bogdan Modzelewski (motzel) on 2008-04-01T02:42:38.000+0000

I still think that it's a bug.

If $acl->allow('foo') gives access to ALL resources to foo role, then why $acl->deny('foo') doesn't do opposite ? If, as you say, $acl->deny('foo') means deny 'foo' access to all resources where other rules have not been defined then why $acl->deny('foo', 'bar') doesn't mean the same (deny 'foo' access to 'bar' WHERE OTHER RULES HAVE NOT BEEN DEFINED) ???

Besides, I'd understand your explanation if it really should be used to set a default values, BUT it is the way acl works by default WITHOUT explictly calling $acl->deny(). So what is a deny() method() possible NULL values for? If it shouldn't be called with NULL values then why are they declared as default in following php implementation?

public function deny($roles = null, $resources = null, $privileges = null, Zend_Acl_Assert_Interface $assert = null)

You should throw an exception in such a situation and not declare it as default.

After I review ZF ACL php code It looks for me like that it is a consequence of chosen implementation and it's not easily fixable.

Posted by Marc Jakubowski (octavian) on 2008-04-01T05:42:54.000+0000

I agree with you, Bogdan, that it is very confusing. The documentation should make clear, that a "null" value doesn´t actually mean "all" roles/resources but "all, if not defined otherwise".

But I think a change to this issue would have some performance impact as in your example, the whole rule tree would have to be traversed to deny every single rule that was allowed for the various resources (child resources of what you want to deny). The other way around "$acl->allow('admin');" would have to set "allow" for every previously set rule.

So I would suggest a convention, that either, you don´t use resources at all ($resource = null) or always define resources, but never mixing those two approaches. When using both, "null" should only be used as a fallback setting.

Posted by Darby Felton (darby) on 2008-04-01T08:29:56.000+0000

Perhaps this issue would be more completely resolved with additions and/or modifications to the documentation. Indeed, the behavior described is the behavior intended - that the use of null implies a fallback or default rule in the case where a more specific rule does not apply. In general, Zend_Acl obeys a given rule if and only if a more specific rule does not apply.

Shall we reopen the issue until documentation is updated thusly?

Posted by Bogdan Modzelewski (motzel) on 2008-04-02T00:11:11.000+0000

In general, Zend_Acl obeys a given rule if and only if a more specific rule does not apply.

And that's a sentence missing in documentation! It explains every "problem" mentioned in this issue. I think issue should be reopened until documentation is updated.

Posted by Darby Felton (darby) on 2008-04-02T07:41:40.000+0000

Reopening pending addition to documentation.

Posted by Darby Felton (darby) on 2008-04-02T07:45:59.000+0000

Resolved with SVN r9112.

Posted by Wil Sinclair (wil) on 2008-09-02T10:39:15.000+0000

Updating for the 1.6.0 release.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.