lock
Removing permission of specific resource removes all role permissions
Well, I wrote a driver for Doctrine and thought I must have made a strange mistake. But it turns out that this error also happens with the ArrayDriver:
$manager->role('somegroup')->allow('update', 'jobs');
$manager->role('somegroup')->allow('create', 'jobs');
$manager->role('somegroup')->deny('update', 'jobs', 42);
In my logic this should only deny the resource "42", but the driver's removeRolePermission method receives a Permission object without a resource_id, so it deletes the entire permission.
$this->assertTrue($manager->role('somegroup')->can('create', 'jobs')); // is true
$this->assertTrue($manager->role('somegroup')->can('update', 'jobs', 1)); // is false
$this->assertFalse($manager->role('somegroup')->can('update', 'jobs', 42)); // is false
Did I get something wrong?
I think this can be narrowed down to the following code in /src/lock.php
foreach ($permissions as $key => $permission) {
    if ($permission instanceof Privilege && $permission->isAllowed($this, $action, $resource)) {
        $this->removePermission($permission);
        unset($permissions[$key]);
    }
}
If I'm reading it correctly then if a particular permission allows an action such as:
('update', 'jobs', 42)
then that permission will be deleted, regardless of the fact that the deny is a specific subset of the permission. I think just making a check where, if the deny has a resource ID, then don't remove any permissions that don't have resource IDs might work.
I don't have too much time to analyze what's going on.
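To make the two comments above concrete, here is an added, self-contained model of a role's permission list (example code written for this thread, not code from the lock library or its drivers). It keeps the library's Privilege/Restriction vocabulary but the class layout, the matches/covers helpers and the Role class are simplified assumptions; the real library stores permissions through a driver and evaluates them differently. denyBuggy() mirrors the loop quoted from /src/lock.php: it drops every Privilege that would allow the denied action/resource, so a type-wide allow('update', 'jobs') is deleted by deny('update', 'jobs', 42). deny() applies the suggested check in its general form: a deny only removes privileges whose scope it fully covers, and otherwise leaves the broader allow in place and records a restriction. can() then lets a matching restriction win over a matching privilege, which is the part that must not be lost when fixing this, or the specific deny would quietly fail open. Requires PHP 8.1 or later.

```php
<?php
// Added example modelling the issue, not the lock library's own code.
// Names below (Permission, Privilege, Restriction, Role, matches, covers)
// are simplified assumptions for illustration.

abstract class Permission
{
    public function __construct(
        public readonly string $action,
        public readonly string $resourceType,
        public readonly ?int $resourceId = null,
    ) {}

    // True when this permission's scope includes the given action/resource.
    // A null resourceId means "every resource of this type".
    public function matches(string $action, string $type, ?int $id): bool
    {
        return $this->action === $action
            && $this->resourceType === $type
            && ($this->resourceId === null || $this->resourceId === $id);
    }

    // True when $other's scope is equal to or narrower than this one's.
    public function covers(Permission $other): bool
    {
        return $this->action === $other->action
            && $this->resourceType === $other->resourceType
            && ($this->resourceId === null || $this->resourceId === $other->resourceId);
    }
}

final class Privilege extends Permission {}
final class Restriction extends Permission {}

final class Role
{
    /** @var Permission[] */
    private array $permissions = [];

    public function allow(string $action, string $type, ?int $id = null): void
    {
        $this->permissions[] = new Privilege($action, $type, $id);
    }

    // Mirrors the loop quoted from /src/lock.php: any Privilege that would
    // allow this action/resource is deleted, even when it is broader than
    // the deny, so a type-wide allow disappears on a single-resource deny.
    public function denyBuggy(string $action, string $type, ?int $id = null): void
    {
        foreach ($this->permissions as $key => $permission) {
            if ($permission instanceof Privilege && $permission->matches($action, $type, $id)) {
                unset($this->permissions[$key]);
            }
        }
        $this->permissions[] = new Restriction($action, $type, $id);
    }

    // Suggested fix, generalised: only remove privileges the deny fully
    // covers. A deny with a resource id does not cover a type-wide allow,
    // so the allow survives and the restriction is added beside it.
    public function deny(string $action, string $type, ?int $id = null): void
    {
        $restriction = new Restriction($action, $type, $id);
        foreach ($this->permissions as $key => $permission) {
            if ($permission instanceof Privilege && $restriction->covers($permission)) {
                unset($this->permissions[$key]);
            }
        }
        $this->permissions[] = $restriction;
    }

    // A matching Restriction always wins over a matching Privilege.
    public function can(string $action, string $type, ?int $id = null): bool
    {
        $allowed = false;
        foreach ($this->permissions as $permission) {
            if (!$permission->matches($action, $type, $id)) {
                continue;
            }
            if ($permission instanceof Restriction) {
                return false;
            }
            $allowed = true;
        }
        return $allowed;
    }
}

// The sequence from the report, run against both deny implementations.
$buggy = new Role();
$buggy->allow('update', 'jobs');
$buggy->allow('create', 'jobs');
$buggy->denyBuggy('update', 'jobs', 42);
var_dump($buggy->can('create', 'jobs'), $buggy->can('update', 'jobs', 1), $buggy->can('update', 'jobs', 42));

$fixed = new Role();
$fixed->allow('update', 'jobs');
$fixed->allow('create', 'jobs');
$fixed->deny('update', 'jobs', 42);
var_dump($fixed->can('create', 'jobs'), $fixed->can('update', 'jobs', 1), $fixed->can('update', 'jobs', 42));
```

With denyBuggy() the middle check reproduces the report: job 1 is no longer updatable because the type-wide allow was removed along with the deny for job 42. With deny() the allow for other jobs survives while job 42 stays denied. The same covers() rule also handles the opposite direction: a later deny('update', 'jobs') with no resource id covers, and therefore removes, both a type-wide allow and any per-resource allows such as allow('update', 'jobs', 42).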