
Invalid code samples for the `2017-04-27-zend-permissions-rbac` post #69


codeaid commented 7 years ago

The code samples in the RBAC article appear to be wrong. I copied the code from that page verbatim and wrapped the `isGranted()` calls in `var_dump()`, so that each line's trailing comment is the result the post claims and the dump shows what the library actually returns:

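// Reproducer for the role-hierarchy samples in the 2017-04-27 zend-permissions-rbac post.
// Every isGranted() call from the post is wrapped in var_dump(); the trailing comment on
// each line is the result the post claims. The child roles are attached by *name*
// (addChild('guest')) exactly as the post does, because that is the form under test.
// Worth noting for anyone relying on this: when the name-based form misbehaves it fails
// closed — the reported output shows inherited permissions being denied, never granted —
// so the symptom is spurious "access denied", not privilege escalation.
$guest = new Role('guest');
$guest->addPermission('read');

$rbac = new Rbac();
$rbac->addRole($guest);

var_dump($rbac->isGranted('guest', 'read')); // true
var_dump($rbac->isGranted('guest', 'write')); // false
print '--------------------------------------' . PHP_EOL;

// editor = guest + write (child given by name, as in the post)
$editor = new Role('editor');
$editor->addChild('guest');
$editor->addPermission('write');

$rbac->addRole($editor);
// A leftover `var_export($rbac); exit;` debugging line used to sit here. It terminated
// the script at this point, so none of the checks below could ever run and the full
// output quoted in this report could not have been produced by the listing as posted.

var_dump($rbac->isGranted('editor', 'write')); // true
var_dump($rbac->isGranted('editor', 'read'));  // true  (inherited from guest)
var_dump($rbac->isGranted('guest', 'write')); // false
print '--------------------------------------' . PHP_EOL;

// reviewer = guest + moderate; must NOT pick up editor's write
$reviewer = new Role('reviewer');
$reviewer->addChild('guest');
$reviewer->addPermission('moderate');

$rbac->addRole($reviewer);

var_dump($rbac->isGranted('reviewer', 'moderate')); // true
var_dump($rbac->isGranted('reviewer', 'write'));    // false; editor only!
var_dump($rbac->isGranted('reviewer', 'read'));     // true  (inherited from guest)
var_dump($rbac->isGranted('guest', 'moderate')); // false
print '--------------------------------------' . PHP_EOL;

// admin = editor + reviewer + settings, i.e. two levels of inheritance
$admin = new Role('admin');
$admin->addChild('editor');
$admin->addChild('reviewer');
$admin->addPermission('settings');

$rbac->addRole($admin);

var_dump($rbac->isGranted('admin', 'settings')); // true
var_dump($rbac->isGranted('admin', 'write'));    // true  (via editor)
var_dump($rbac->isGranted('admin', 'moderate')); // true  (via reviewer)
var_dump($rbac->isGranted('admin', 'read'));     // true  (via editor/reviewer -> guest)
var_dump($rbac->isGranted('editor', 'settings')); // false
var_dump($rbac->isGranted('reviewer', 'settings')); // false
var_dump($rbac->isGranted('guest', 'write'));    // false
print '--------------------------------------' . PHP_EOL;

// mario = editor + update; a sibling of admin, so settings must stay out of reach.
// These checks pass the Role instance rather than its name, as the post does; the
// reported output (update => true) suggests isGranted() accepts either form.
$mario = new Role('mario');
$mario->addChild('editor');
$mario->addPermission('update');

$rbac->addRole($mario);

var_dump($rbac->isGranted($mario, 'settings')); // false; admin only!
var_dump($rbac->isGranted($mario, 'update'));   // true; mario only!
var_dump($rbac->isGranted('editor', 'update'));   // false; mario only!
var_dump($rbac->isGranted($mario, 'write'));    // true; all editors
var_dump($rbac->isGranted($mario, 'read'));     // true; all guests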

Based on the blog post, the expected output is:

bool(true)
bool(false)
--------------------------------------
bool(true)
bool(true)
bool(false)
--------------------------------------
bool(true)
bool(false)
bool(true)
bool(false)
--------------------------------------
bool(true)
bool(true)
bool(true)
bool(true)
bool(false)
bool(false)
bool(false)
--------------------------------------
bool(false)
bool(true)
bool(false)
bool(true)
bool(true)

The actual output, however, is as follows:

bool(true)
bool(false)
--------------------------------------
bool(true)
bool(false)   <-- wrong
bool(false)
--------------------------------------
bool(true)
bool(false)
bool(false)   <-- wrong
bool(false)
--------------------------------------
bool(true)
bool(false)   <-- wrong
bool(false)   <-- wrong
bool(false)   <-- wrong
bool(false)
bool(false)
bool(false)
--------------------------------------
bool(false)
bool(true)
bool(false)
bool(false)   <-- wrong
bool(false)   <-- wrong

The fix is to pass the actual `Role` objects to every `addChild($role)` call instead of role-name strings (the post's `addChild('guest')` form). Note that this only corrects the samples; the behaviour itself is at least fail-closed, since a child attached by name yields denied inherited permissions rather than extra ones. E.g.:

// As written in the post: the child is referred to by its name string.
$editor->addChild('guest');
$admin->addChild('editor');
// to
// Corrected: pass the Role instance that was registered with the Rbac,
// so the inherited permissions (read, write, ...) are actually resolved.
$editor->addChild($guest);
$admin->addChild($editor);