search

zendframework / zend-permissions-acl

BSD 3-Clause "New" or "Revised" License
60 stars 23 forks source link

ACL looks for parent when child has assertion that returns bool #20

Open GeeH opened 8 years ago

GeeH commented 8 years ago

This issue has been moved from the zendframework repository as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html

Original Issue: https://api.github.com/repos/zendframework/zendframework/issues/7385 User: @BWorld Created On: 2015-03-30T20:37:41Z Updated At: 2015-11-06T21:03:17Z Body Hi,

I have the following setup:

$assertAllow = new TestAssertion(true);
$assertDeny = new TestAssertion(false);

$acl = new Acl();
$acl->addRole('staff');
$acl->addResource('base');
$acl->allow('staff', 'base', 'update', $assertAllow);

$acl->addResource('user', 'base');
$acl->allow('staff', 'user', 'update', $assertDeny);

var_dump($acl->isAllowed('staff', 'user', 'update'));
// Results into: bool true. expected false.

class TestAssertion implements AssertionInterface
{
        protected $value;
        public function __construct($value)
        {
                $this->value = $value;
        }

        public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
        {
                return $this->value;
        }
}

http://pastebin.com/ZGsH8M1F

The expected outcome would be false but it returns true because in Acl::getRuleType() null is returned when the assertion is returning anything else than true.

A simple fix would be returning the assertion value if it is not null but I think I am missing some point here or this is something that is simply overlooked in the design.

If I did miss something please advice how to implement my assertions because I have assertions that are dedicated to a specific resourceId + roleId + privilege combination and I don't want to assign this whole combination to the assertion and let it check if this assertion is really meant for that call..

For example, staff can manage acl roles for users except for 2 users. This is not possible now since the inherited value which allows this behavior when it is actually denied.

Just to be clear, if an assertion exists and is returning otherwise than null stop searching and return that value instead of the parent resource's value.

Thanks

weierophinney commented 4 years ago

This repository has been closed and moved to laminas/laminas-permissions-acl; a new issue has been opened at https://github.com/laminas/laminas-permissions-acl/issues/2.