ACL allow(‘admin’, ALL, [ ‘new’, ‘edit’ ]) and deny(‘admin’, ALL, ALL) is not denied

8 months ago

woytam

Hello,
I found some slightly unpredictable behavior.
If I allow some privileges and then deny ALL, they are still allowed.

Example code:

<?php
$acl = new \Nette\Security\Permission();

// Resources definitions
$acl->addResource('Articles');

// Roles definitions
$acl->addRole('admin');

bdump($acl->isAllowed('admin', 'Articles', 'default'));     // false
$acl->allow('admin', 'Articles', array('default', 'new', 'edit'));
bdump($acl->isAllowed('admin', 'Articles', 'default'));     // true
$acl->deny('admin', 'Articles');
bdump($acl->isAllowed('admin', 'Articles', 'default'));     // true !!
?>

As you can see on the last line, after denying the resource ‘Articles’ for ‘admin’, the function isAllowed still returns true.

And the command

<?php
$acl->removeAllow('admin', 'Articles');
?>

throws a notice: Undefined index: allPrivileges in File: ...\vendor\nette\security\src\Security\Permission.php:560

I see the problem in allowing only some privileges by array and then trying to deny ALL privileges by “placeholder”.

Is this the expected behavior of Nette Permission?
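
The following is an added example, not part of the original post and not code from the Nette project: a small audit check that lists privileges an ACL still grants after a blanket deny, using the same role, resource and privileges as the post. The helper name `findUnexpectedAllows`, the extra `delete` privilege and the Composer autoload path are assumptions. The explicit per-privilege deny is an assumed workaround, based on the understanding that Permission consults privilege-specific rules before the all-privileges rule.

```php
<?php
// Added example, not from the original post. Requires nette/security via Composer.
require __DIR__ . '/vendor/autoload.php';

use Nette\Security\Permission;

/**
 * Hypothetical helper: returns every "role/resource/privilege" triple that is
 * expected to be denied but that the ACL still allows.
 */
function findUnexpectedAllows(Permission $acl, array $mustBeDenied): array
{
    $leaks = [];
    foreach ($mustBeDenied as [$role, $resource, $privilege]) {
        if ($acl->isAllowed($role, $resource, $privilege)) {
            $leaks[] = "$role/$resource/$privilege";
        }
    }
    return $leaks;
}

$privileges = ['default', 'new', 'edit'];

$acl = new Permission();
$acl->addResource('Articles');
$acl->addRole('admin');
$acl->allow('admin', 'Articles', $privileges);
$acl->deny('admin', 'Articles'); // blanket deny, as in the post

// Policy expectation: after the deny, no privilege on Articles is granted.
// 'delete' is a constructed privilege that was never allowed by name.
$mustBeDenied = [];
foreach (array_merge($privileges, ['delete']) as $p) {
    $mustBeDenied[] = ['admin', 'Articles', $p];
}

// Lists any per-privilege grants that survived the blanket deny.
print_r(findUnexpectedAllows($acl, $mustBeDenied));

// Assumed workaround: deny the same privileges by name so the
// privilege-specific rules themselves are replaced.
$acl->deny('admin', 'Articles', $privileges);

$leaks = findUnexpectedAllows($acl, $mustBeDenied);
if ($leaks !== []) {
    throw new RuntimeException('ACL still allows: ' . implode(', ', $leaks));
}
```

Running a check like this in a test suite turns a silent stale grant into a failing build.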