mirror of
https://github.com/kamilwylegala/cakephp2-php8.git
synced 2025-01-18 18:46:17 +00:00
Fix incorrectly inheriting permissions.
When a child inherits from a deny parent, the '*' permission should reflect permissions on all nodes, not just the leaf node. Previously, once a node with all permissions set to inherit was found, the check would pass. Instead, it should cascade to the parent nodes and look for an explicit allow/deny. Refs #8450
parent
18b0334890
commit
fef3090717
2 changed files with 30 additions and 11 deletions
|
@ -129,18 +129,17 @@ class Permission extends AppModel {
|
|||
$perms = Hash::extract($perms, '{n}.' . $this->alias);
|
||||
foreach ($perms as $perm) {
|
||||
if ($action === '*') {
|
||||
foreach ($permKeys as $key) {
|
||||
if (!empty($perm)) {
|
||||
if ($perm[$key] == -1) {
|
||||
return false;
|
||||
} elseif ($perm[$key] == 1 || $perm[$key] == 0) {
|
||||
$inherited[$key] = $perm[$key];
|
||||
}
|
||||
}
|
||||
if (empty($perm)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (count($inherited) === count($permKeys)) {
|
||||
return true;
|
||||
foreach ($permKeys as $key) {
|
||||
if ($perm[$key] == -1 && !(isset($inherited[$key]) && $inherited[$key] == 1)) {
|
||||
// Deny, but only if a child node didnt't explicitly allow
|
||||
return false;
|
||||
} elseif ($perm[$key] == 1) {
|
||||
// Allow & inherit from parent nodes
|
||||
$inherited[$key] = $perm[$key];
|
||||
}
|
||||
}
|
||||
} else {
|
||||
switch ($perm['_' . $action]) {
|
||||
|
@ -153,6 +152,10 @@ class Permission extends AppModel {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($action === '*' && count($inherited) === count($permKeys)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
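Review bot: The precedence rules that the `'*'` branch now enforces are not written down in the new code, although this is the access-control decision point. Going by the in-hunk comments (rows visited child first, then parents), a key that a child node explicitly allowed suppresses a later `-1` for that key, and a key that stays at inherit (`0`) on every node never enters `$inherited`, so `count($inherited) === count($permKeys)` fails and the method ends in `return false`. I would state that above the relocated check, e.g. `// '*' is granted only once every key has an explicit allow; keys left at inherit end in deny`, and fix the typo in the existing comment (`didnt't` → `didn't`). `$inherited` is initialised outside the hunk, so whether it is also carried across an enclosing loop is not visible here and is worth confirming when documenting this.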
|
||||
|
|
|
@ -452,6 +452,12 @@ class DbAclTest extends CakeTestCase {
|
|||
$this->Acl->Aco->create(array('parent_id' => $this->Acl->Aco->id, 'alias' => 'town'));
|
||||
$this->Acl->Aco->save();
|
||||
|
||||
$this->Acl->Aco->create(array('parent_id' => null, 'alias' => 'bizzaro_world'));
|
||||
$this->Acl->Aco->save();
|
||||
|
||||
$this->Acl->Aco->create(array('parent_id' => $this->Acl->Aco->id, 'alias' => 'bizzaro_town'));
|
||||
$this->Acl->Aco->save();
|
||||
|
||||
$this->Acl->Aro->create(array('parent_id' => null, 'alias' => 'Jane'));
|
||||
$this->Acl->Aro->save();
|
||||
|
||||
|
@ -463,8 +469,18 @@ class DbAclTest extends CakeTestCase {
|
|||
$this->Acl->inherit('Jane', 'town', '*');
|
||||
$this->Acl->allow('Jane', 'town', 'create');
|
||||
|
||||
// Setup deny on create for parent
|
||||
$this->Acl->deny('Jane', 'bizzaro_world', '*');
|
||||
$this->Acl->allow('Jane', 'bizzaro_world', 'create');
|
||||
|
||||
// Setup inherit.
|
||||
$this->Acl->inherit('Jane', 'bizzaro_town', '*');
|
||||
|
||||
$this->assertTrue($this->Acl->check('Jane', 'town', 'create'), 'Should have access due to override');
|
||||
$this->assertTrue($this->Acl->check('Jane', 'town', '*'), 'Should have access due to inherit');
|
||||
|
||||
$this->assertTrue($this->Acl->check('Jane', 'bizzaro_town', 'create'), 'Should have access due explicit allow');
|
||||
$this->assertFalse($this->Acl->check('Jane', 'bizzaro_town', '*'), 'Should not have access due to inherit');
|
||||
}
|
||||
|
||||
/**
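Review bot: The new fixture asserts only `create` and `'*'` on `bizzaro_town`, so nothing pins a single action that must stay denied through the inherit chain. Adding `$this->assertFalse($this->Acl->check('Jane', 'bizzaro_town', 'read'), 'Should not have access due to inherited deny');` would catch a regression that grants individual actions while `'*'` still fails. The comment `// Setup deny on create for parent` does not match the two calls under it, which deny `'*'` and then allow `create`; `// Deny everything on the parent, then allow only create` reads closer. The assertion message 'Should have access due explicit allow' is missing 'to', and the allow it refers to is set on `bizzaro_world`, not on `bizzaro_town`. The test method starts before this hunk, so the earlier setup for `town` is not visible here.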
|
||||
|
|