I have a problem, and I'm trying to determine whether it is because I
don't understand the ACL mechanism or because it is a bug.


When I set an allow rule for a certain role and then a deny rule for a
child-role and then ask whether the child is allowed to do that, it returns
False, because the more specific rule is leading.


For example:


$acl = new Zend_Acl();

$acl->addRole(new Zend_Acl_Role('User1'));
$acl->addRole(new Zend_Acl_Role('User1-1'), 'User1');
$acl->add(new Zend_Acl_Resource('resource'));

$acl->allow('User1', 'resource', 'list');
$acl->deny('User1-1', 'resource', 'list');

$bool = $acl->isAllowed('User1-1', 'resource', 'list');
var_dump($bool);


This will output:

bool(false)


So far so good.


I'm trying to do the same, but in combination with assertions:



class UserStatusAssertion implements Zend_Acl_Assert_Interface
{
    protected $statuses = array();

    public function __construct($arr)
    {
        $this->statuses = $arr;
    }

    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null,
                           $privilege = null)
    {
        return $this->_isAllowedStatus($acl->user->status, $role);
    }

    protected function _isAllowedStatus($status, $role)
    {
        echo "returning ".((int) $this->statuses[$status])." for role: ".$role->getRoleId()."<br>\n";
        return $this->statuses[$status];
    }
}

class User
{
        public $status;

        public function __construct($status)
        {
                $this->status = $status;
        }
}

$acl = new Zend_Acl();

$acl->user = new User('Status2');

$statuses1 = array('Status1' => True, 'Status2' => True, 'Status3' => False);
$statuses2 = array('Status1' => True, 'Status2' => False, 'Status3' => False);
$UserStatusAssertion1 = new UserStatusAssertion($statuses1);
$UserStatusAssertion2 = new UserStatusAssertion($statuses2);

$acl->addRole(new Zend_Acl_Role('User1'));
$acl->addRole(new Zend_Acl_Role('User1-1'), 'User1');
$acl->add(new Zend_Acl_Resource('resource'));

$acl->allow('User1', 'resource', 'access', $UserStatusAssertion1);
$acl->allow('User1-1', 'resource', 'access', $UserStatusAssertion2);

$bool = $acl->isAllowed('User1-1', 'resource', 'access');
var_dump($bool);


This outputs:


returning 0 for role: User1-1

returning 1 for role: User1

bool(true) 


So, first it checks the rule for the child, which returns False (correct),
and then, instead of leaving it at that, it checks the rule of the parent
and returns True. That is correct in itself, but I don't understand why
suddenly the parent-rule is overruling the child-rule? I would expect the
opposite (since that is also what the first example does).


So, my question: is this a bug?

Or do I just not understand the ACL mechanism?


-- 
View this message in context: 
http://www.nabble.com/Zend_Acl-problem-with-Role-inheritance-and-Assertions-tp18570190p18570190.html
Sent from the Zend Framework mailing list archive at Nabble.com.

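An added example, not part of the original message and not Zend_Acl's own code: a simplified model of the lookup, written under the assumption (consistent with the output shown in the message) that a rule whose assertion returns false is treated as not applicable, so the lookup continues with the parent role. MiniAcl, its methods and the sample data are hypothetical; closures require PHP 5.3 or later.

```php
<?php
// Simplified model (hypothetical MiniAcl, not Zend_Acl's API): one resource,
// one privilege, one parent per role, one rule per role.
class MiniAcl
{
    private $parents = array(); // role => parent role or null
    private $rules = array();   // role => array(bool allow, callable|null assertion)

    public function addRole($role, $parent = null)
    {
        $this->parents[$role] = $parent;
    }

    // A later allow()/deny() on the same role replaces the earlier rule.
    public function allow($role, $assert = null) { $this->rules[$role] = array(true, $assert); }
    public function deny($role, $assert = null) { $this->rules[$role] = array(false, $assert); }

    public function isAllowed($role)
    {
        // Start at the queried role and walk up through its ancestors.
        for ($r = $role; $r !== null; $r = $this->parents[$r]) {
            if (!isset($this->rules[$r])) {
                continue;
            }
            list($allow, $assert) = $this->rules[$r];
            // A rule applies only if it has no assertion or the assertion passes.
            if ($assert === null || call_user_func($assert)) {
                return $allow;
            }
            // Failed assertion: the rule is skipped, not inverted, so the
            // lookup continues with the parent role.
        }
        return false; // no applicable rule: default deny
    }
}

$status   = 'Status2'; // constructed sample data, mirroring the message
$parentOk = array('Status1' => true, 'Status2' => true, 'Status3' => false);
$childOk  = array('Status1' => true, 'Status2' => false, 'Status3' => false);

$acl = new MiniAcl();
$acl->addRole('User1');
$acl->addRole('User1-1', 'User1');
$acl->allow('User1', function () use ($parentOk, $status) { return $parentOk[$status]; });

// Conditional allow on the child, as in the message: skipped, parent decides.
$acl->allow('User1-1', function () use ($childOk, $status) { return $childOk[$status]; });
var_dump($acl->isAllowed('User1-1'));

// Restriction written as a deny that applies when the status is NOT permitted.
$acl->deny('User1-1', function () use ($childOk, $status) { return !$childOk[$status]; });
var_dump($acl->isAllowed('User1-1'));
```

In this model a conditional allow on a child role can only add access; narrowing what the parent grants takes a deny rule on the child.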