ACL looks for parent when child has assertion that returns bool #2

Closed
weierophinney opened this issue Dec 31, 2019 · 0 comments
@weierophinney
This issue has been moved from the zendframework repository as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html


Original Issue: https://api.github.com/repos/zendframework/zendframework/issues/7385
User: @BWorld
Created On: 2015-03-30T20:37:41Z
Updated At: 2015-11-06T21:03:17Z
Body
Hi,

I have the following setup:

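```php
<?php
// Laminas namespaces; the original report predates the rename from Zend\Permissions\Acl.
require __DIR__ . '/vendor/autoload.php'; // assumes a Composer install

use Laminas\Permissions\Acl\Acl;
use Laminas\Permissions\Acl\Assertion\AssertionInterface;
use Laminas\Permissions\Acl\Resource\ResourceInterface;
use Laminas\Permissions\Acl\Role\RoleInterface;

// Assertion that always returns the value it was constructed with.
// Declared before use: a class implementing an interface is not hoisted.
class TestAssertion implements AssertionInterface
{
    protected $value;

    public function __construct($value)
    {
        $this->value = $value;
    }

    public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
    {
        return $this->value;
    }
}

$assertAllow = new TestAssertion(true);
$assertDeny = new TestAssertion(false);

$acl = new Acl();
$acl->addRole('staff');
$acl->addResource('base');
$acl->allow('staff', 'base', 'update', $assertAllow);

// 'user' inherits from 'base'
$acl->addResource('user', 'base');
$acl->allow('staff', 'user', 'update', $assertDeny);

var_dump($acl->isAllowed('staff', 'user', 'update'));
// Results in: bool(true). Expected: false.
```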

http://pastebin.com/ZGsH8M1F

The expected outcome would be false, but it returns true because in Acl::getRuleType() null is returned when the assertion returns anything other than true.

A simple fix would be returning the assertion value if it is not null, but I think I am missing some point here or this is something that is simply overlooked in the design.

If I did miss something, please advise how to implement my assertions, because I have assertions that are dedicated to a specific resourceId + roleId + privilege combination and I don't want to assign this whole combination to the assertion and let it check if this assertion is really meant for that call.

For example, staff can manage acl roles for users except for 2 users. This is not possible now, since the inherited value allows this behavior when it is actually denied.

Just to be clear: if an assertion exists and returns something other than null, stop searching and return that value instead of the parent resource's value.

Thanks



Originally posted by @GeeH at zendframework/zend-permissions-acl#20

@weierophinney weierophinney added this to the 2.7.2 milestone Sep 21, 2020
@weierophinney weierophinney added the Bug Something isn't working label Sep 21, 2020
@weierophinney weierophinney self-assigned this Sep 21, 2020
weierophinney added a commit to weierophinney/laminas-permissions-acl that referenced this issue Sep 21, 2020
Adds an assertion class to the test suite, and a unit test that
exercises it to demonstrate the scenario presented in laminas#2.

Signed-off-by: Matthew Weier O'Phinney <[email protected]>
weierophinney added a commit to weierophinney/laminas-permissions-acl that referenced this issue Sep 21, 2020
If the provided assertion has run, it, and it alone, should be used to determine the rule type returned.

When a `true` value is returned, the rule type is returned as defined.

When a `false` value is returned, the rule type returned is the inverse of the one defined.

Fixes laminas#2

Signed-off-by: Matthew Weier O'Phinney <[email protected]>
weierophinney added a commit that referenced this issue Sep 22, 2020
Adds an assertion class to the test suite, and a unit test that
exercises it to demonstrate the scenario presented in #2.

Signed-off-by: Matthew Weier O'Phinney <[email protected]>
weierophinney added a commit that referenced this issue Sep 22, 2020
If the provided assertion has run, it, and it alone, should be used to determine the rule type returned.

When a `true` value is returned, the rule type is returned as defined.

When a `false` value is returned, the rule type returned is the inverse of the one defined.

Fixes #2

Signed-off-by: Matthew Weier O'Phinney <[email protected]>
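
The difference between the reported behaviour and the behaviour described in the fix commit can be seen in a small stand-alone model of inherited rule lookup. This is an added example, not code from laminas-permissions-acl: `MiniAcl` and its `$fixed` switch are hypothetical, and the model covers only allow rules with an assertion on a single role.

```php
<?php
// Simplified model of resource-inherited rule lookup; all names are hypothetical.
final class MiniAcl
{
    private array $parents = []; // resource => parent resource (or null)
    private array $rules = [];   // "role|resource|privilege" => assertion of an allow rule
    public function __construct(private bool $fixed) {}

    public function addResource(string $resource, ?string $parent = null): void
    {
        $this->parents[$resource] = $parent;
    }

    public function allow(string $role, string $resource, string $privilege, callable $assert): void
    {
        $this->rules["$role|$resource|$privilege"] = $assert;
    }

    // true = allow, false = deny, null = no opinion (caller moves to the parent).
    private function ruleType(string $key): ?bool
    {
        if (! isset($this->rules[$key])) {
            return null;
        }
        if (($this->rules[$key])()) {
            return true; // assertion passed: the allow rule applies as defined
        }
        return $this->fixed ? false : null; // fixed: inverse of allow; reported: "no rule"
    }

    public function isAllowed(string $role, string $resource, string $privilege): bool
    {
        for ($r = $resource; $r !== null; $r = $this->parents[$r] ?? null) {
            $type = $this->ruleType("$role|$r|$privilege");
            if ($type !== null) {
                return $type;
            }
        }
        return false; // nothing matched on the resource or its ancestors
    }
}

foreach ([false, true] as $fixed) {
    $acl = new MiniAcl($fixed);
    $acl->addResource('base');
    $acl->addResource('user', 'base');
    $acl->allow('staff', 'base', 'update', fn () => true);  // like $assertAllow
    $acl->allow('staff', 'user', 'update', fn () => false); // like $assertDeny
    var_dump($acl->isAllowed('staff', 'user', 'update'));
}
```

With `$fixed = false` the failed assertion on `user` is treated as no rule, the lookup falls through to `base`, and the result is `bool(true)`, as in the report. With `$fixed = true` the child's failed assertion ends the search and the result is `bool(false)`.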