Bug #8576

Unable to overwrite inherited ACL roles in Policy.yaml

Added by Michael Schams over 11 years ago. Updated almost 11 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2010-07-01
Due date:
% Done: 0%
Estimated time: 2.00 h
PHP Version:
Has patch:
Complexity:

Description

Roles are inherited correctly, but you cannot overwrite a previously defined DENY with a GRANT. Overwriting a GRANT with a DENY works fine, but not vice versa.

See attached PDF document for clarification.

Please note: this ticket is related to #8427 (see examples there) but describes a (new) system behaviour (bug).


#2

Updated by Karsten Dambekalns over 11 years ago

  • Status changed from New to Accepted
  • Assignee set to Andreas Förthner
  • Target version set to 1.0 alpha 10
  • Estimated time set to 2.00 h
#3

Updated by Andreas Förthner over 11 years ago

  • Target version changed from 1.0 alpha 10 to 1.0 alpha 11
#4

Updated by Karsten Dambekalns about 11 years ago

  • Target version deleted (1.0 alpha 11)
#5

Updated by Andreas Förthner about 11 years ago

  • Target version set to 1.0 alpha 13
#6

Updated by Karsten Dambekalns almost 11 years ago

  • Target version changed from 1.0 alpha 13 to 1.0 alpha 14
#7

Updated by Andreas Förthner almost 11 years ago

  • Status changed from Accepted to Resolved

I am closing this issue, as the introduction of the new Everybody role, and the fact that every resource is automatically added to this role with an ABSTAIN privilege, should solve the issue.

Here is a short explanation of how privilege evaluation works:

The DENY privilege overrides any other privilege, regardless of the inheritance. This is done intentionally. By defining a resource, it is denied to everyone by default. As soon as one of the roles (or inherited parent roles) gets a GRANT privilege and no DENY privilege, the account is allowed to access. The new ABSTAIN privilege is just ignored when evaluating the access decision, but if no other privilege is found, access is denied.
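
The evaluation order described in the comment above, modelled as an added example (not part of the original ticket and not the project's own code). The role names, resource names and the `PARENTS`/`ACLS` structures are constructed for illustration, and the model assumes every role inherits from Everybody.

```python
from enum import Enum

class Privilege(Enum):
    GRANT = "GRANT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"

# Constructed sample policy; all role and resource names are hypothetical.
# PARENTS maps each role to the roles it inherits from.
PARENTS = {
    "Everybody": [],
    "Customer": ["Everybody"],
    "Administrator": ["Customer"],
    "Auditor": ["Everybody"],
}
# ACLS maps role -> resource -> privilege. Every resource is registered on
# Everybody with ABSTAIN, as the closing comment describes.
ACLS = {
    "Everybody": {"deleteMethods": Privilege.ABSTAIN,
                  "reportMethods": Privilege.ABSTAIN},
    "Customer": {"deleteMethods": Privilege.DENY},
    "Administrator": {"deleteMethods": Privilege.GRANT},
    "Auditor": {"reportMethods": Privilege.GRANT},
}

def effective_roles(roles):
    """Return the given roles plus all inherited parent roles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(PARENTS.get(role, []))
    return seen

def collect_privileges(roles, resource):
    """Privileges defined for the resource on the roles and their parents."""
    return [ACLS[role][resource]
            for role in effective_roles(roles)
            if resource in ACLS.get(role, {})]

def is_allowed(roles, resource):
    """DENY wins; otherwise a GRANT is required; ABSTAIN alone means denied."""
    privileges = collect_privileges(roles, resource)
    if Privilege.DENY in privileges:
        return False  # DENY overrides everything, regardless of inheritance
    return Privilege.GRANT in privileges  # ABSTAIN is ignored; no GRANT -> denied
```

In this model `is_allowed(["Administrator"], "deleteMethods")` is `False`: the GRANT on the child role cannot override the DENY inherited from Customer, which is the behaviour the ticket reports and the comment describes as intentional.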
