Merge pull request #258 from CakeDC/issue/rbac-negative-rules-30

fix bug on rule calculation when negative rules matched
CakeDC · Oct 15, 2015 · 3ce3872 · 3ce3872
2 parents f8e4cef + 5533ca7
commit 3ce3872
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/src/Auth/SimpleRbacAuthorize.php b/src/Auth/SimpleRbacAuthorize.php
@@ -174,7 +174,8 @@ protected function _checkRules(array $user, $role, Request $request)
     {
         $permissions = $this->config('permissions');
         foreach ($permissions as $permission) {
-            if ($allowed = $this->_matchRule($permission, $user, $role, $request)) {
+            $allowed = $this->_matchRule($permission, $user, $role, $request);
+            if ($allowed !== null) {
                 return $allowed;
             }
         }
@@ -189,7 +190,7 @@ protected function _checkRules(array $user, $role, Request $request)
      * @param array $user current user
      * @param string $role effective user role
      * @param Request $request request
-     * @return bool
+     * @return bool if rule matched, null if rule not matched
      */
     protected function _matchRule($permission, $user, $role, $request)
     {
@@ -216,7 +217,7 @@ protected function _matchRule($permission, $user, $role, $request)
             }
         }
 
-        return false;
+        return null;
     }
 
     /**

diff --git a/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php b/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php
@@ -655,6 +655,38 @@ public function providerAuthorize()
                 //expected
                 true
             ],
+            'array-prefix' => [
+                //permissions
+                [
+                    [
+                        'role' => ['test'],
+                        'prefix' => ['one', 'admin'],
+                        'controller' => '*',
+                        'action' => 'one',
+                        'allowed' => false,
+                    ],
+                    [
+                        'role' => ['test'],
+                        'prefix' => ['one', 'admin'],
+                        'controller' => '*',
+                        'action' => '*',
+                    ],
+                ],
+                //user
+                [
+                    'id' => 1,
+                    'username' => 'luke',
+                    'role' => 'test',
+                ],
+                //request
+                [
+                    'prefix' => 'admin',
+                    'controller' => 'Tests',
+                    'action' => 'one'
+                ],
+                //expected
+                false
+            ],
         ];
     }
 }