
ACL Roles Inheritance

Is it a bug or am I doing something wrong?

<?php
$acl = new \Phalcon\Acl\Adapter\Memory;
$acl->setDefaultAction(\Phalcon\Acl::DENY);

$acl->addRole(new \Phalcon\Acl\Role('Users'));
$acl->addRole(new \Phalcon\Acl\Role('Managers'), 'Users');

$acl->addResource(new \Phalcon\Acl\Resource('Resource'), ['search', 'update']);

$acl->allow('Users', 'Resource', 'search');

$acl->isAllowed('Users',    'Resource', 'search'); // 1
$acl->isAllowed('Managers', 'Resource', 'search'); // 0 
                                                   // Why?!
                                                   // Shouldn't "Managers" inherit from "Users" its accesses

print_r($acl);
/*
...
[_roleInherits:protected] => Array (
    [Managers] => Array (
        [0] => Users
    )
)
...
*/


43.9k

Isn't there a typo in your code:

$acl->addRole(new \Phalcon\Acl\Role('Managers'), 'Users');

instead of:

$acl->addRole(new \Phalcon\Acl\Role('Managers', 'Users'));



29.4k

No

\Phalcon\Acl\Role::__construct (string $name, [string $description])

The second parameter is role description. https://docs.phalcon.io/en/latest/api/Phalcon_Acl_Role.html



43.9k

I have not played with ACL inheritance yet, but it seems to me that you've got a misplaced closing parenthesis.



98.9k

This is a bug, it's fixed in the 1.0.0 branch, thanks

Hi, we have a similar problem at 1.0.0.BETA.1. On 0.8 it worked fine.

Is there any news about this bug?



98.9k

@alexzaprozhets it's fixed in the 1.0.0 branch

We did a build from the latest Phalcon version and tested ACL inheritance - no luck, the problem remains.

Hi, I can confirm that the problem was solved in stable 1.0.0

There seems to be a problem with inheritance in 1.2.0 stable. The following code stopped working (it worked in 1.1.0), but I cannot determine what API changes may have caused the issue. The code:

public static $roles = array(
        \Users::ROLE_EXTERNAL => 'bar',
        \Users::ROLE_INTERNAL => 'baz',
        \Users::ROLE_ADMINISTRATOR => 'foo'
    ...
    );
...
            $prevRole = null;
            $curRole = null;
            foreach (self::$roles as $roleName => $roleDescription) {
                $curRole = new Role($roleName, $roleDescription);
                $acl->addRole($curRole, $prevRole ? $prevRole->getName() : null); // BTW, why can I not optionally pass a role object here?
                $prevRole = $curRole;
            }
...

When inspecting the ACL object after this code runs, the _roleInherits property seems to be filled correctly, but $acl->isAllowed only returns Acl::ALLOW for the resources added to the role itself, not for its inherited roles. Maybe I misunderstand the inheritance functionality: I would like the ADMINISTRATOR group to inherit from the INTERNAL group, which inherits from the EXTERNAL group, so that ADMINISTRATOR has access to all INTERNAL and EXTERNAL resources.

What am I doing wrong?



98.9k

@michaelkrone I'm adding a fix for this in 1.2.1, will let you know

Thank you. Adding the Resources explicitly to the Roles seems to work.

Hi, what about the fix for ACL? Can you give us a time estimate?



10

Hi, I have a problem with the inheritance chain:

$acl = new AclEngine();

$acl->setDefaultAction(Acl::DENY);

$acl->addRole('user');
$acl->addRole('admin', 'user');
$acl->addRole('developer', 'admin');

$acl->addResource('tickets', ['list', 'open', 'close']);

$acl->allow('user', 'tickets', 'open');

var_dump($acl->isAllowed('user', 'tickets', 'open')); // returns 1
var_dump($acl->isAllowed('admin', 'tickets', 'open')); // returns 1
var_dump($acl->isAllowed('developer', 'tickets', 'open')); // returns 0 (!)

PHP 5.5.1 Phalcon 1.2.1



75

Hi,

I have the same problem on Phalcon 2.0. The issue seems to have already been solved but I can't figure out what I'm doing wrong.

Here is some information:

I do:

var_dump($acl->isAllowed("Guests", "errors", "show401"));
var_dump($acl->isAllowed("Users", "errors", "show401"));
var_dump($acl->isAllowed("Admins", "errors", "show401"));
var_dump($acl->isAllowed("Admins", "game", "index"));
var_dump($acl);

and get :

boolean true

boolean true

boolean false

boolean true

object(Phalcon\Acl\Adapter\Memory)[69]
  protected '_eventsManager' => null
  protected '_defaultAccess' => int 0
  protected '_accessGranted' => int 1
  protected '_activeRole' => string 'Admins' (length=6)
  protected '_activeResource' => string 'game' (length=4)
  protected '_activeAccess' => string 'index' (length=5)
  protected '_rolesNames' => 
    array (size=3)
      'Guests' => boolean true
      'Users' => boolean true
      'Admins' => boolean true
  protected '_roles' => 
    array (size=3)
      0 => 
        object(Phalcon\Acl\Role)[70]
          protected '_name' => string 'Guests' (length=6)
          protected '_description' => null
      1 => 
        object(Phalcon\Acl\Role)[71]
          protected '_name' => string 'Users' (length=5)
          protected '_description' => null
      2 => 
        object(Phalcon\Acl\Role)[72]
          protected '_name' => string 'Admins' (length=6)
          protected '_description' => null
  protected '_resourcesNames' => 
    array (size=9)
      '*' => boolean true
      'index' => boolean true
      'errors' => boolean true
      'session' => boolean true
      'game' => boolean true
      'header' => boolean true
      'shop' => boolean true
      'improvements' => boolean true
      'admin' => boolean true
  protected '_resources' => 
    array (size=8)
      0 => 
        object(Phalcon\Acl\Resource)[73]
          protected '_name' => string 'index' (length=5)
          protected '_description' => null
      1 => 
        object(Phalcon\Acl\Resource)[74]
          protected '_name' => string 'errors' (length=6)
          protected '_description' => null
      2 => 
        object(Phalcon\Acl\Resource)[75]
          protected '_name' => string 'session' (length=7)
          protected '_description' => null
      3 => 
        object(Phalcon\Acl\Resource)[76]
          protected '_name' => string 'game' (length=4)
          protected '_description' => null
      4 => 
        object(Phalcon\Acl\Resource)[77]
          protected '_name' => string 'header' (length=6)
          protected '_description' => null
      5 => 
        object(Phalcon\Acl\Resource)[78]
          protected '_name' => string 'shop' (length=4)
          protected '_description' => null
      6 => 
        object(Phalcon\Acl\Resource)[79]
          protected '_name' => string 'improvements' (length=12)
          protected '_description' => null
      7 => 
        object(Phalcon\Acl\Resource)[80]
          protected '_name' => string 'admin' (length=5)
          protected '_description' => null
  protected '_access' => 
    array (size=32)
      'Guests!*!*' => int 0
      'Guests!index!index' => int 1
      'Guests!index!*' => int 0
      'Guests!index!login' => int 1
      'Guests!errors!show401' => int 1
      'Guests!errors!*' => int 0
      'Guests!errors!show500' => int 1
      'Guests!errors!show404' => int 1
      'Guests!session!index' => int 1
      'Guests!session!*' => int 0
      'Guests!session!start' => int 1
      'Guests!session!register' => int 1
      'Guests!session!end' => int 1
      'Users!*!*' => int 0
      'Users!game!index' => int 1
      'Users!game!*' => int 0
      'Users!game!hack' => int 1
      'Users!game!improvements' => int 1
      'Users!game!menu' => int 1
      'Users!game!procs' => int 1
      'Users!game!shop' => int 1
      'Users!game!skills' => int 1
      'Users!header!money' => int 1
      'Users!header!*' => int 0
      'Users!shop!buyBook' => int 1
      'Users!shop!*' => int 0
      'Users!shop!list' => int 1
      'Users!improvements!list' => int 1
      'Users!improvements!*' => int 0
      'Admins!*!*' => int 0
      'Admins!admin!timers' => int 1
      'Admins!admin!*' => int 0
  protected '_roleInherits' => 
    array (size=2)
      'Users' => 
        array (size=1)
          0 => string 'Guests' (length=6)
      'Admins' => 
        array (size=1)
          0 => string 'Users' (length=5)
  protected '_accessList' => 
    array (size=22)
      '*!*' => boolean true
      'index!index' => boolean true
      'index!login' => boolean true
      'errors!show401' => boolean true
      'errors!show500' => boolean true
      'errors!show404' => boolean true
      'session!index' => boolean true
      'session!start' => boolean true
      'session!register' => boolean true
      'session!end' => boolean true
      'game!index' => boolean true
      'game!hack' => boolean true
      'game!improvements' => boolean true
      'game!menu' => boolean true
      'game!procs' => boolean true
      'game!shop' => boolean true
      'game!skills' => boolean true
      'header!money' => boolean true
      'shop!buyBook' => boolean true
      'shop!list' => boolean true
      'improvements!list' => boolean true
      'admin!timers' => boolean true
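
A self-contained model of the lookup discussed in this thread, added here as an example (it is not Phalcon's code and not from any poster): it resolves grants over the `Role!resource!access` keys and `_roleInherits` map shown in the dump above, once through direct parents only and once through the full ancestor chain. The function names and the allow-on-exact-grant rule are assumptions, and wildcard entries are ignored.

```php
<?php
// Added example, not Phalcon code. Data: a subset of the var_dump above.
$access = [
    'Guests!errors!show401' => 1, 'Guests!errors!*' => 0,
    'Users!game!index'      => 1, 'Users!game!*'    => 0,
    'Admins!admin!timers'   => 1, 'Admins!admin!*'  => 0,
];
$roleInherits = ['Users' => ['Guests'], 'Admins' => ['Users']];

// All ancestors of $role (hypothetical helper); $seen guards against cycles.
function ancestors(string $role, array $inherits): array
{
    $seen = [];
    $queue = $inherits[$role] ?? [];
    while ($queue) {
        $parent = array_shift($queue);
        if ($parent === $role || isset($seen[$parent])) {
            continue;
        }
        $seen[$parent] = true;
        foreach ($inherits[$parent] ?? [] as $next) {
            $queue[] = $next;
        }
    }
    return array_keys($seen);
}

// Deny by default: allow only on an exact grant held by $role or a role in $via.
function allowed(string $role, string $res, string $act, array $access, array $via): bool
{
    foreach (array_merge([$role], $via) as $r) {
        if (($access["$r!$res!$act"] ?? 0) === 1) {
            return true;
        }
    }
    return false;
}

$checks = [['Users', 'errors', 'show401'], ['Admins', 'errors', 'show401'],
           ['Admins', 'game', 'index'], ['Guests', 'game', 'index']];
foreach ($checks as [$role, $res, $act]) {
    $direct = allowed($role, $res, $act, $access, $roleInherits[$role] ?? []);
    $full   = allowed($role, $res, $act, $access, ancestors($role, $roleInherits));
    printf("%-6s %s/%s direct-parent=%s transitive=%s%s\n", $role, $res, $act,
        var_export($direct, true), var_export($full, true),
        $direct !== $full ? '  <-- differs' : '');
}
```

Rows flagged as differing are the grants that depend on more than one level of inheritance; those are the ones to pin with a test or, as a poster above did, with explicit grants on the role.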