Sub-resource with same privileges as parent resource causes wrong return value of Permission::isAllowed()

5 years ago

bene
Member | 83
+
0
-

PHP: 5.4.8
Nette: 2.1.0

// - r1:
//   - privileges:
//     - p1
//     - p2
//   - resources:
//     - r1:
//       - privileges:
//         - p1 (x)
//         - p2

// Bug
$p = new \Nette\Security\Permission;
$p->addRole('role');
$p->addResource('r1');
$p->addResource('r2', 'r1');
$p->allow('role', 'r1', 'p1');
$p->allow('role', 'r1', 'p2');
$p->allow('role', 'r2', 'p1');

var_dump($p->isAllowed('role', 'r1', 'p1')); // true
var_dump($p->isAllowed('role', 'r1', 'p2')); // true
var_dump($p->isAllowed('role', 'r2', 'p1')); // true
var_dump($p->isAllowed('role', 'r2', 'p2')); // false - Bug: returns true!

// Ok
$p = new \Nette\Security\Permission;
$p->addRole('role');
$p->addResource('r1');
$p->addResource('r2', 'r1');
$p->allow('role', 'r1', 'p1');
$p->allow('role', 'r2', 'p1');
$p->allow('role', 'r2', 'p2');

var_dump($p->isAllowed('role', 'r1', 'p1')); // true
var_dump($p->isAllowed('role', 'r1', 'p2')); // false
var_dump($p->isAllowed('role', 'r2', 'p1')); // true
var_dump($p->isAllowed('role', 'r2', 'p2')); // true

5 years ago

enumag
Member | 2128
+
0
-

This behaviour seems correct to me.

The resource r2 inherits all privileges from r1. So if you allow p1 for r1, r2 inherits that as well because r2 extends r1 (= r2 is just a special case of r1).

Last edited by enumag (2014-01-13 19:34)

5 years ago

bene
Member | 83
+
0
-

This behaviour doesn't have sense to me for following example:

  • Car (resource) has drive (privilege).
  • Lorry inherit from car and have drive too.

If I allow to role car_driver drive car, this role has access to drive lorry too.

But if this behaviour is feature, OK, we have to write own permission class.

Thx

5 years ago

xificurk
Member | 118
+
0
-

Why do you use resource inheritance then?

5 years ago

bene
Member | 83
+
0
-

That was only example which shows object and more special object. Our application has forms with privileges “add” and “edit” and more special forms sometimes inherit from more common forms. I don't want to talk about right and wrong design. @enumag wrote example and explained that is feature and I'll take it. One angle of view is different as second. I wrote we have to write own permission class because this behaviour is not for us. I think there is no reason keep this topic opened.

Thanks for comments