From 9ee610757eff8d492fe4f10e3db4d6c1244b1913 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Fri, 24 May 2013 21:47:10 -0400
Subject: [PATCH] Throw exceptions when invalid permission keys are used. Silently 'failing' to save permissions is bad, throw exceptions instead. Fixes #3851
---
 lib/Cake/Model/Permission.php | 18 +++++++++---------
 .../Controller/Component/Acl/DbAclTest.php | 10 ++++++++++
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/lib/Cake/Model/Permission.php b/lib/Cake/Model/Permission.php
index b47eaa979..47a9de204 100644
--- a/lib/Cake/Model/Permission.php
+++ b/lib/Cake/Model/Permission.php
@@ -162,9 +162,10 @@ class Permission extends AppModel {
 *
 * @param string $aro ARO The requesting object identifier.
 * @param string $aco ACO The controlled object identifier.
- * @param string $actions Action (defaults to *)
+ * @param string $actions Action (defaults to *) Invalid permissions will result in an exception
 * @param integer $value Value to indicate access type (1 to give access, -1 to deny, 0 to inherit)
 * @return boolean Success
+ * @throws AclException on Invalid permission key.
 */
 public function allow($aro, $aco, $actions = "*", $value = 1) {
 $perms = $this->getAclLink($aro, $aco);
@@ -185,15 +186,14 @@ class Permission extends AppModel {
 if (!is_array($actions)) {
 $actions = array('_' . $actions);
 }
- if (is_array($actions)) {
- foreach ($actions as $action) {
- if ($action{0} !== '_') {
- $action = '_' . $action;
- }
- if (in_array($action, $permKeys)) {
- $save[$action] = $value;
- }
+ foreach ($actions as $action) {
+ if ($action{0} !== '_') {
+ $action = '_' . $action;
 }
+ if (!in_array($action, $permKeys, true)) {
+ throw new AclException(__d('cake_dev', 'Invalid permission key "%s"', $action));
+ }
+ $save[$action] = $value;
 }
 }
 list($save['aro_id'], $save['aco_id']) = array($perms['aro'], $perms['aco']);
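Review bot: In the docblock hunk for `allow()` (@@ -162), `@param string $actions` understates what the method accepts, because the body in the following hunk branches on `is_array($actions)` and iterates a list of keys. I would write the tag as `@param string|array $actions Action name or list of names (defaults to *). An invalid key throws AclException.`, which also separates the two sentences the hunk runs together.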
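Review bot: In the @@ -185 hunk the rewritten loop reads `$action{0}` before anything establishes that the element is a non-empty string, so an empty string inside an `$actions` array raises an uninitialized-offset notice and is then reported as `Invalid permission key "_"`, which hides what the caller passed. A guard placed ahead of the prefix check, `if (!is_string($action) || $action === '') { throw new AclException(__d('cake_dev', 'Permission keys must be non-empty strings')); }`, rejects such entries through the same exception type. The message also prints the normalised key (`_derp`) and not the caller's value (`derp`), which is worth stating in the docblock. `allow()` begins in the previous hunk and continues past the end of this one, so the save path itself is not visible here.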
diff --git a/lib/Cake/Test/Case/Controller/Component/Acl/DbAclTest.php b/lib/Cake/Test/Case/Controller/Component/Acl/DbAclTest.php
index 2d3c4c809..5356ddc93 100644
--- a/lib/Cake/Test/Case/Controller/Component/Acl/DbAclTest.php
+++ b/lib/Cake/Test/Case/Controller/Component/Acl/DbAclTest.php
@@ -293,6 +293,16 @@ class DbAclTest extends CakeTestCase {
 $this->assertFalse($this->Acl->allow('Lumbergh', 'ROOT/tpsReports/DoesNotExist', 'create'));
 }
 
+/**
+ * Test that allow() with an invalid permission name triggers an error.
+ *
+ * @expectedException CakeException
+ * @return void
+ */
+ public function testAllowInvalidPermission() {
+ $this->Acl->allow('Micheal', 'tpsReports', 'derp');
+ }
+
 /**
 * testAllowInvalidNode method
 *
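Review bot: `@expectedException CakeException` on testAllowInvalidPermission() names a broader class than the `AclException` that Permission::allow() now throws, so the test passes only through inheritance (presumably AclException extends CakeException) and would also pass if some other CakeException were raised first. Tightening it to `@expectedException AclException` together with `@expectedExceptionMessage Invalid permission key` pins the behaviour this commit introduces. The summary line says "triggers an error" where "throws an exception" is what is being tested. Only the single-string form is exercised; a case passing an array with one valid and one invalid key would cover the loop path changed in Permission.php.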