From 5533ca7b0970364c144f7077ee760b2b8a31af51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jorge=20Gonz=C3=A1lez?=
Date: Thu, 15 Oct 2015 17:44:16 +0100
Subject: [PATCH] fix bug on rule calculation when negative rules matched
---
 src/Auth/SimpleRbacAuthorize.php | 7 ++--
 .../TestCase/Auth/SimpleRbacAuthorizeTest.php | 32 +++++++++++++++++++
 2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/Auth/SimpleRbacAuthorize.php b/src/Auth/SimpleRbacAuthorize.php
index aec17e4c3..5847e5e15 100644
--- a/src/Auth/SimpleRbacAuthorize.php
+++ b/src/Auth/SimpleRbacAuthorize.php
@@ -174,7 +174,8 @@ protected function _checkRules(array $user, $role, Request $request)
 {
 $permissions = $this->config('permissions');
 foreach ($permissions as $permission) {
- if ($allowed = $this->_matchRule($permission, $user, $role, $request)) {
+ $allowed = $this->_matchRule($permission, $user, $role, $request);
+ if ($allowed !== null) {
 return $allowed;
 }
 }
@@ -189,7 +190,7 @@ protected function _checkRules(array $user, $role, Request $request)
 * @param array $user current user
 * @param string $role effective user role
 * @param Request $request request
- * @return bool
+ * @return bool if rule matched, null if rule not matched
 */
 protected function _matchRule($permission, $user, $role, $request)
 {
@@ -216,7 +217,7 @@ protected function _matchRule($permission, $user, $role, $request)
 }
 }
 
- return false;
+ return null;
 }
 
 /**
diff --git a/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php b/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php
index 183611b7b..7f84f7878 100644
--- a/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php
+++ b/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php
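Review bot: The loop in `_checkRules` now returns on the first rule whose `_matchRule` result is non-null, so an explicit deny (`'allowed' => false`) stops evaluation before any later, broader allow rule — which makes the order of the `permissions` config security-significant, and nothing in the hunk says so. I would add above the `foreach`: `// First matching rule wins, allow or deny: keep specific deny rules ahead of broad allow rules in the permissions config.` What the method returns when no rule matches is below the hunk and not visible here; for an authorizer that fall-through should resolve to `false` (deny by default), which is worth confirming. `_checkRules` continues past the hunk.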
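Review bot: The docblock line `@return bool if rule matched, null if rule not matched` keeps the declared type as `bool` while its text (and the `return null;` in the third hunk of this file) say the method can return null; static analysers and IDEs read the type, not the sentence. Change it to `* @return bool|null the rule's allowed value (true or false) when the rule matched, null when it did not match`. Because `_checkRules` now keys on `!== null`, every other return path in `_matchRule` — above this hunk, not visible here — must yield a strict bool; if the `allowed` value is taken from the permission array as-is, it is worth checking it with `is_bool()` and treating anything else as a configuration error rather than passing it through as the authorization result. The body of `_matchRule` lies between the second and third hunks.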
@@ -655,6 +655,38 @@ public function providerAuthorize()
 //expected
 true
 ],
+ 'array-prefix' => [
+ //permissions
+ [
+ [
+ 'role' => ['test'],
+ 'prefix' => ['one', 'admin'],
+ 'controller' => '*',
+ 'action' => 'one',
+ 'allowed' => false,
+ ],
+ [
+ 'role' => ['test'],
+ 'prefix' => ['one', 'admin'],
+ 'controller' => '*',
+ 'action' => '*',
+ ],
+ ],
+ //user
+ [
+ 'id' => 1,
+ 'username' => 'luke',
+ 'role' => 'test',
+ ],
+ //request
+ [
+ 'prefix' => 'admin',
+ 'controller' => 'Tests',
+ 'action' => 'one'
+ ],
+ //expected
+ false
+ ],
 ];
 }
 }
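Review bot: The new `array-prefix` dataset only pins the deny-before-allow ordering; two companion datasets would lock down what the fix actually relies on — the same two rules in the opposite order (the `'action' => '*'` allow rule first, expected true, showing first-match-wins) and the same rules with a request the deny rule does not match (e.g. `'action' => 'two'`, expected true, showing a non-matching deny rule no longer short-circuits). Without the second, a regression that returns `false` instead of `null` from an unmatched deny rule would not be caught by this provider. Style: `'action' => 'one'` in the request array lacks the trailing comma the other arrays in the dataset use. `providerAuthorize` starts outside the hunk.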