This repository was archived by the owner on Jan 30, 2020. It is now read-only.

ACL looks for parent when child has assertion that returns bool #20

Open
@GeeH

Description

This issue has been moved from the zendframework repository as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html


Original Issue: https://api.github.com/repos/zendframework/zendframework/issues/7385
User: @BWorld
Created On: 2015-03-30T20:37:41Z
Updated At: 2015-11-06T21:03:17Z
Body
Hi,

I have the following setup:

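```php
use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Resource\ResourceInterface;
use Zend\Permissions\Acl\Role\RoleInterface;

// Assertion that always returns the value it was constructed with.
// Declared before use: a class implementing an autoloaded interface is not hoisted.
class TestAssertion implements AssertionInterface
{
    protected $value;

    public function __construct($value)
    {
        $this->value = $value;
    }

    public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
    {
        return $this->value;
    }
}

$assertAllow = new TestAssertion(true);
$assertDeny = new TestAssertion(false);

$acl = new Acl();
$acl->addRole('staff');
$acl->addResource('base');
$acl->allow('staff', 'base', 'update', $assertAllow);

// 'user' inherits from 'base'
$acl->addResource('user', 'base');
$acl->allow('staff', 'user', 'update', $assertDeny);

var_dump($acl->isAllowed('staff', 'user', 'update'));
// Results in: bool true. Expected false.
```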

http://pastebin.com/ZGsH8M1F

The expected outcome would be false, but it returns true because in Acl::getRuleType() null is returned when the assertion returns anything other than true.

A simple fix would be returning the assertion value if it is not null but I think I am missing some point here or this is something that is simply overlooked in the design.

If I did miss something, please advise how to implement my assertions, because I have assertions that are dedicated to a specific resourceId + roleId + privilege combination and I don't want to assign this whole combination to the assertion and let it check if this assertion is really meant for that call.

For example, staff can manage acl roles for users except for 2 users. This is not possible now since the inherited value allows this behavior when it is actually denied.

Just to be clear: if an assertion exists and returns something other than null, stop searching and return that value instead of the parent resource's value.

Thanks
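
One way to express "staff can update every user except two" given the fall-through this issue describes, as an added example that is not from the issue or the project: put the exception in a `deny` rule whose assertion is true only for the protected users, so a failed assertion falls back to the parent's allow. It assumes zendframework/zend-permissions-acl is installed via Composer; `UserResource`, `ProtectedUserAssertion` and the user ids are hypothetical.

```php
<?php
// Added example; assumes zendframework/zend-permissions-acl installed via Composer.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Assertion\AssertionInterface;
use Zend\Permissions\Acl\Resource\ResourceInterface;
use Zend\Permissions\Acl\Role\RoleInterface;

// Hypothetical resource object: maps to the registered id 'user' and carries a user id.
class UserResource implements ResourceInterface
{
    public $userId;

    public function __construct($userId)
    {
        $this->userId = $userId;
    }

    public function getResourceId()
    {
        return 'user';
    }
}

// Hypothetical assertion: true only for the protected user ids (constructed sample data).
class ProtectedUserAssertion implements AssertionInterface
{
    protected $protectedIds;

    public function __construct(array $ids)
    {
        $this->protectedIds = $ids;
    }

    public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
    {
        return $resource instanceof UserResource
            && in_array($resource->userId, $this->protectedIds, true);
    }
}

$acl = new Acl();
$acl->addRole('staff');
$acl->addResource('base');
$acl->allow('staff', 'base', 'update');
$acl->addResource('user', 'base');
// Assertion true: the deny rule on 'user' applies. Assertion false: the rule is
// skipped and the lookup continues at the parent 'base', which allows.
$acl->deny('staff', 'user', 'update', new ProtectedUserAssertion([1, 2]));

var_dump($acl->isAllowed('staff', new UserResource(1), 'update')); // protected user
var_dump($acl->isAllowed('staff', new UserResource(7), 'update')); // ordinary user
```

An ACL holds one rule per role, resource and privilege combination, so this `deny` replaces the asserted `allow` on `user` rather than sitting beside it.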

