Bug #58927

Overlapping resource definitions in Policy.yaml resolved incorrectly

Added by Sven Radetzky over 7 years ago.

Status: New
Priority: Should have
Assignee: -
Category: Security
Start date: 2014-05-19
Due date:
% Done: 0%
Estimated time:
PHP Version: 5.4
Has patch: No
Complexity:

Description

Just encountered this particular bug while updating a Policy.yaml file.

If you have two resource definitions that overlap:

resources:
  methods:
    allMethods: 'method(Vendor\Ext\Controller\SomeController->.*Action())'
    specificMethod: 'method(Vendor\Ext\Controller\SomeController->specificAction())'

And acls similar to this:

acls:
  OneRole:
    methods:
      allMethods: GRANT
  SecondRole:
    methods:
      specificMethod: GRANT

Then the second role cannot access the specific method. By votes (0 denied, 0 granted, 1 abstained). The interesting part is when you execute

./flow security:showeffectivepolicy Vendor.Ext:SecondRole

The output says that specificMethod is allowed for SecondRole.

So even if this behavior is intended there is a bug in the SecurityCommandController at the very least.

PS:

Affected Flow Version: 2.1.2

Although this version or any version beyond 2.0.0 does not actually exist here in forge.
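
A small audit script for the situation described above, added here as an example and not part of the original report or of Flow itself: it lists method resources whose patterns cover the same controller method, and the roles that hold an entry for only one resource of such a pair, so those combinations can be retested by hand. It assumes the method part of a method(...) expression behaves as a regular expression and the class name is literal; the KNOWN_METHODS list and all function names are constructed for illustration.

```python
import re
from itertools import combinations

# Resource and ACL definitions copied from the report, as Python dicts.
RESOURCES = {
    "allMethods": r"method(Vendor\Ext\Controller\SomeController->.*Action())",
    "specificMethod": r"method(Vendor\Ext\Controller\SomeController->specificAction())",
}
ACLS = {
    "OneRole": {"allMethods": "GRANT"},
    "SecondRole": {"specificMethod": "GRANT"},
}
# Constructed sample: method names assumed to exist on the controller.
KNOWN_METHODS = {
    r"Vendor\Ext\Controller\SomeController": ["indexAction", "specificAction", "helper"],
}

POINTCUT = re.compile(r"^method\((?P<cls>[^-]+)->(?P<meth>.+)\(\)\)$")

def matched_methods(expression):
    """Return the set of 'Class->method' names a method() resource covers."""
    m = POINTCUT.match(expression)
    if m is None:
        raise ValueError("unsupported pointcut: " + expression)
    cls = m.group("cls")
    # Assumption: method part is a regex, class name is compared literally.
    return {
        cls + "->" + name
        for name in KNOWN_METHODS.get(cls, [])
        if re.fullmatch(m.group("meth"), name)
    }

def overlapping_resources(resources):
    """Yield (resource_a, resource_b, shared_methods) for each overlapping pair."""
    covered = {name: matched_methods(expr) for name, expr in resources.items()}
    for a, b in combinations(sorted(covered), 2):
        shared = covered[a] & covered[b]
        if shared:
            yield a, b, sorted(shared)

def roles_to_retest(resources, acls):
    """Roles that have an ACL entry for only one resource of an overlapping pair."""
    flagged = set()
    for a, b, _ in overlapping_resources(resources):
        for role, entries in acls.items():
            if (a in entries) != (b in entries):
                flagged.add(role)
    return sorted(flagged)
```

For each flagged role, compare the actual access result for the shared methods with what ./flow security:showeffectivepolicy reports.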
