Skip to content
This repository has been archived by the owner on Jan 30, 2020. It is now read-only.

ACL looks for parent when child has assertion that returns bool #20

Open
GeeH opened this issue Jun 28, 2016 · 1 comment
Open

ACL looks for parent when child has assertion that returns bool #20

GeeH opened this issue Jun 28, 2016 · 1 comment

Comments

@GeeH
Copy link
Contributor

GeeH commented Jun 28, 2016

This issue has been moved from the zendframework repository as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html

Original Issue: https://api.github.com/repos/zendframework/zendframework/issues/7385
User: @BWorld
Created On: 2015-03-30T20:37:41Z
Updated At: 2015-11-06T21:03:17Z
Body
Hi,

I have the following setup:

$assertAllow = new TestAssertion(true);
$assertDeny = new TestAssertion(false);

$acl = new Acl();
$acl->addRole('staff');
$acl->addResource('base');
$acl->allow('staff', 'base', 'update', $assertAllow);

$acl->addResource('user', 'base');
$acl->allow('staff', 'user', 'update', $assertDeny);

var_dump($acl->isAllowed('staff', 'user', 'update'));
// Results into: bool true. expected false.

class TestAssertion implements AssertionInterface
{
        protected $value;
        public function __construct($value)
        {
                $this->value = $value;
        }

        public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
        {
                return $this->value;
        }
}

http://pastebin.com/ZGsH8M1F

The expected outcome would be false but it returns true because in Acl::getRuleType() null is returned when the assertion is returning anything else than true.

A simple fix would be returning the assertion value if it is not null but I think I am missing some point here or this is something that is simply overlooked in the design.

If I did miss something please advice how to implement my assertions because I have assertions that are dedicated to a specific resourceId + roleId + privilege combination and I don't want to assign this whole combination to the assertion and let it check if this assertion is really meant for that call..

For example, staff can manage acl roles for users except for 2 users. This is not possible now since the inherited value which allows this behavior when it is actually denied.

Just to be clear, if an assertion exists and is returning otherwise than null stop searching and return that value instead of the parent resource's value.

Thanks
@GeeH GeeH mentioned this issue Jun 28, 2016
Closed
@weierophinney weierophinney mentioned this issue Dec 31, 2019
Closed
@weierophinney
Copy link
Member

This repository has been closed and moved to laminas/laminas-permissions-acl; a new issue has been opened at laminas/laminas-permissions-acl#2.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@weierophinney @GeeH