Issues

ZF-7119: ACL does not permit a "deny all privileges all permissions", i.e. an unexpected implementation of "all resources" (two examples).

Issue Type: Bug Created: 2009-06-25T03:37:36.000+0000 Last Updated: 2009-07-21T05:13:42.000+0000 Status: Resolved Fix version(s): Reporter: Onno Lissenberg (orlissenberg) Assignee: Dolf Schimmel (Freeaqingme) (freak) Tags: - Zend_Acl

Related issues: - ZF-5369

Attachments:

Description

I have two scenario's that result in unexpected behavior of the acl component.

  1. If I deny all privileges to all resources, explicit allow rules are still allowing access.
addRole(new Zend\_Acl\_Role('user')); $acl->addRole(new Zend\_Acl\_Role('troll')); $acl->add(new Zend\_Acl\_Resource('news')); $acl->add(new Zend\_Acl\_Resource('users')); /\* The NULL values in the above allow() calls are used to indicate that the allow rules apply to all resources. \*/ /\* all the roles are permitted to view all resources \*/ $acl->allow(null, null, 'view'); $acl->allow('troll', 'news', 'view'); /\* trolls denied all privileges to all resources!! \*/ $acl->deny('troll', null, null); echo 'troll-all-view: '.($acl->isAllowed('troll', null, 'view') ? 'allowed to view' : 'denied to view'); echo ' '; /\* expecting: denied, result: allowed \*/ echo 'troll-news-view: '.($acl->isAllowed('troll', 'news', 'view') ? 'allowed to view' : 'denied to view'); echo ' '; echo 'user-all-view: '.($acl->isAllowed('user', null, 'view') ? 'allowed to view' : 'denied to view'); echo ' '; ?> 1. If I ask if a specific role is allowed viewing privileges on all resources, but one of the resources is denied viewing privileges, I still get a positive result. addRole(new Zend\_Acl\_Role('user')); $acl->addRole(new Zend\_Acl\_Role('troll')); $acl->add(new Zend\_Acl\_Resource('news')); $acl->add(new Zend\_Acl\_Resource('users')); /\* The NULL values in the above allow() calls are used to indicate that the allow rules apply to all resources. \*/ /\* all the roles are permitted to view all resources \*/ $acl->allow(null, null, 'view'); /\* trolls denied to view news items \*/ $acl->deny('troll', 'news', null); /\* expecting: denied, result: allowed \*/ echo 'troll-all-view: '.($acl->isAllowed('troll', null, 'view') ? 'allowed to view' : 'denied to view'); echo ' '; /\* explicit denied rule does work though \*/ echo 'troll-news-view: '.($acl->isAllowed('troll', 'news', 'view') ? 'allowed to view' : 'denied to view'); echo ' '; echo 'user-all-view: '.($acl->isAllowed('user', null, 'view') ? 'allowed to view' : 'denied to view'); echo ' '; ?> Best Regards, Onno

Comments

Posted by Christian Ascheberg (asche) on 2009-07-19T09:10:06.000+0000

This bug seems to be about a possible problem with the structure of Zend_ACL so it might be interesting to also have a look at bug ZF-5369

Posted by Christoph Kempen (webpatser) on 2009-07-21T05:05:11.000+0000

THis is not related to ZF-5369. ZF-5369 is about inheritance. This issue is about changing the ACL for a user in a script, that's not picked up correctly by Zend_ACL.

Posted by Dolf Schimmel (Freeaqingme) (freak) on 2009-07-21T05:10:21.000+0000

It in fact is the same problem. The "problem" is that zend_acl doesn't keep track of the order in which rules are added.

<pre class="highlight">
<?
include_once('Zend/Acl.php');
include_once('Zend/Acl/Role.php');
include_once('Zend/Acl/Resource.php');

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('user'));
$acl->addRole(new Zend_Acl_Role('troll'));

$acl->add(new Zend_Acl_Resource('news'));
$acl->add(new Zend_Acl_Resource('users'));

$acl->allow('troll', 'news', 'view'); // allow first, deny later
$acl->deny('troll', null, null);

As a result of that the above codesample is equal to this:

<pre class="highlight">
<?
include_once('Zend/Acl.php');
include_once('Zend/Acl/Role.php');
include_once('Zend/Acl/Resource.php');

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('user'));
$acl->addRole(new Zend_Acl_Role('troll'));

$acl->add(new Zend_Acl_Resource('news'));
$acl->add(new Zend_Acl_Resource('users'));

$acl->deny('troll', null, null); // Deny first, allow later
$acl->allow('troll', 'news', 'view');

Posted by Dolf Schimmel (Freeaqingme) (freak) on 2009-07-21T05:12:54.000+0000

Closing this issue as duplicate.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts