ZF-7973: Assertion implementation does not receive ACL privilege query parameter.

Issue Type: Bug Created: 2009-09-29T06:50:58.000+0000 Last Updated: 2009-10-15T16:56:23.000+0000 Status: Resolved Fix version(s): - 1.10.0 (27/Jan/10)

Reporter: Aaron Lozier (ajlozier) Assignee: Dolf Schimmel (Freeaqingme) (freak) Tags: - Zend_Acl

Related issues: Attachments: - Acl.php


(I am experiencing a bug in the latest version of Zend that seems similar to an issue reported in the past - ZF-5425. It is the same in every way except I am only having trouble with the "privilege" parameter. Everything else seems to be being passed.)

Zend_Acl manual states that:

{quote} The assert() method of an assertion object is passed the ACL, role, resource, and privilege to which the authorization query (i.e., isAllowed()) applies, in order to provide a context for the assertion class to determine its conditions where needed. {quote}

But when assertion is attached to global "all-privileges" with:

<pre class="highlight">
$acl::allow('someRole',null,null,new MyAssertion());

... with the assertion built like:

<pre class="highlight">
class MyAssertion implements Zend_Acl_Assert_Interface {
    public function assert(Zend_Acl $acl,
                Zend_Acl_Role_Interface $role = null,
                Zend_Acl_Resource_Interface $resource = null,
                $privilege = null)
        if($role == 'someRole') return true;
        elseif($resource == 'someBannedResource') return false;        
        else return true;

... Then after a query:

<pre class="highlight">

... the assertion should be called with

assert(Zend_Acl object, 'somerole', 'someResource', 'somePermission').

Instead it is called with

assert(Zend_Acl object, 'somerole', 'someResource', null)


Posted by Aaron Lozier (ajlozier) on 2009-09-30T15:06:27.000+0000

The attached file contains what seems to be a fix for the reported issue. Here is what I added:

Lines 93-96: added _isAllowedPrivilege parameter. this serves the same purpose as _isAllowedRole and _isAllowedResource directly above.

Lines 762-765: sets _isAllowedPrivilege to $privilege where $privilege not null. again, same as the functionality for role and resource directly above.

Line 1047: changed $privilege to $this->_isAllowedPrivilege

The main point here is that wherever null value ('all-privileges') is used in the allow() function, the original value of privilege gets lost in the loop by the time it calls the assertion class. Saving it in a class parameter and passing that when the assertion class is called resolves the problem.

Hope this helps!

Posted by Aaron Lozier (ajlozier) on 2009-10-06T14:54:54.000+0000

_isAllowedPrivilege must also be set back to null at beginning of isAllowed method. Lines 741-742


    // reset role & resource to null
    $this->_isAllowedRole = $this->_isAllowedResource = null;


    // reset role & resource & privilege to null
    $this->_isAllowedRole = $this->_isAllowedResource = $this->_isAllowedPrivilege = null;

Posted by Dolf Schimmel (Freeaqingme) (freak) on 2009-10-15T16:56:22.000+0000

Fixed. Thanks for reporting!

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.