codeigniter4 / shield

Authentication and Authorization for CodeIgniter 4
https://shield.codeigniter.com
MIT License

Bug: The method `can` in Group Entity is always `false` if a group has permissions defined by a wildcard. #648

Closed jozefrebjak closed 1 year ago

jozefrebjak commented 1 year ago

PHP Version

8.1.14

CodeIgniter4 Version

4.3.2

Shield Version

dev-develop

Which operating systems have you tested for this bug?

macOS

Which server did you use?

cli-server (PHP built-in webserver)

Database

MariaDB 10.2

Did you customize Shield?

No

What happened?

The method `can` in the Group entity is always `false` if the group has permissions defined with `*`.

Steps to Reproduce

For example superadmin:

    'superadmin' => [
        'admin.*',
        'users.*',
        'beta.*',
    ],

    /**
     * Determines if the group has the given permission
     */
    public function can(string $permission): bool
    {
        $this->populatePermissions();

        // Exact match only: a wildcard entry such as 'users.*' is never matched here
        return in_array(strtolower($permission), $this->permissions, true);
    }

The `can` method uses the `populatePermissions` method to get the permissions.

    /**
     * Loads our permissions for this group.
     */
    private function populatePermissions(): void
    {
        if ($this->permissions !== null) {
            return;
        }

        // Permissions are taken verbatim from the AuthGroups.matrix setting
        $this->permissions = setting('AuthGroups.matrix')[$this->alias] ?? [];
    }

and `$this->permissions` will contain an array like:

    [
        'admin.*',
        'users.*',
        'beta.*',
    ]

So, for example, if we use `$group->can('users.admin.access')`, the check becomes:

    in_array(strtolower('users.admin.access'), ['admin.*', 'users.*', 'beta.*'], true);

and the `can` method will return `false`.

Expected Output

The `can` method should also include permissions specified with `*`.

Anything else?

No response
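To illustrate the mismatch described above, here is an added example (not Shield's code and not the fix from the linked PR): a minimal Group-like class with the exact-match `canExact()` beside a `can()` that also honours `scope.*` entries. The matrix is a constructed sample in the shape of `AuthGroups.matrix`; `Group`, `canExact` and the prefix rule are this example's own assumptions.

```php
<?php
// Constructed sample matrix in the shape of the AuthGroups.matrix setting.
$matrix = [
    'superadmin' => ['admin.*', 'users.*', 'beta.*'],
];

final class Group
{
    private ?array $permissions = null;

    public function __construct(private string $alias, private array $matrix) {}

    /** Exact-match check, the behaviour reported in the issue. */
    public function canExact(string $permission): bool
    {
        $this->populatePermissions();
        return in_array(strtolower($permission), $this->permissions, true);
    }

    /** Exact match first, then any 'scope.*' entry whose 'scope.' prefixes the permission. */
    public function can(string $permission): bool
    {
        $this->populatePermissions();
        $permission = strtolower($permission);

        if (in_array($permission, $this->permissions, true)) {
            return true;
        }

        foreach ($this->permissions as $granted) {
            // 'users.*' -> prefix 'users.'; the dot is kept so 'usersx.read' is not covered
            if (substr($granted, -2) === '.*'
                && str_starts_with($permission, substr($granted, 0, -1))) {
                return true;
            }
        }

        return false;
    }

    private function populatePermissions(): void
    {
        if ($this->permissions !== null) {
            return;
        }
        $this->permissions = array_map('strtolower', $this->matrix[$this->alias] ?? []);
    }
}

$superadmin = new Group('superadmin', $matrix);
var_dump($superadmin->canExact('users.admin.access')); // exact-match check from the issue
var_dump($superadmin->can('users.admin.access'));      // wildcard-aware check
var_dump($superadmin->can('usersx.read'));             // not covered by 'users.*'
```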

datamweb commented 1 year ago

@jozefrebjak I don't understand what you mean. Can you send a simple example of table data and sample code for review?

What do you mean by $group->can('users.admin.access')? Where in the documentation have we used this?

jozefrebjak commented 1 year ago

> @jozefrebjak I don't understand what you mean. Can you send a simple example of table data and sample code for review?
>
> What do you mean by $group->can('users.admin.access')? Where in the documentation have we used this?

@datamweb You can see an example here. I'm building a similar UI interface in my project.

As you can see, there is just a simple check whether a group can access a specified permission, and there is an issue with groups where we use the wildcard, because it's checking for an exact match now. I fixed this behaviour in https://github.com/codeigniter4/shield/pull/649