                        ACL deny, then grant not working as expected.
From @notoriousturtle on July 6, 2017 6:26
- [x] bug
- [x] feature request (see bottom of post)
- CakePHP Version: 3.7.7
- Platform and Target: 7.0.18-0ubuntu0.16.04.1
 
What you did, what happened
Trying to grant access to an aco when it has already been denied at least once does not work. I encountered this problem when trying to grant my administrative users access to a particular aco that I had denied previously.
This would say Permission granted, but wouldn't actually work:
$ bin/cake acl grant Groups.1 controllers/manage/Tracks/index
After messing with it for a while I tried to recover aro/aco. This didn't help.
I resolved this by deleting the aco, then granting permission again, like so:
$ bin/cake acl delete aco controllers/manage/Tracks/index
Aco deleted.
$ bin/cake acl_extras aco_sync
Created Aco node: controllers/Manage/Tracks/index
Aco Update Complete
$ bin/cake acl grant Groups.1 controllers/manage/Tracks/index
Permission granted.
Then when I accessed the aco as an administratively grouped user it worked.
What you expected to happen
I expect deny, then granting again to allow access to the aco.
Also, is it possible to get a bit more documentation on Cake's ACL stuff? Also, is there any way I can get a listing of all permissions for a specific aco, such as /manage/Tracks/index? And is there a way to get a list of what acos a user group has access to? Thanks.
Copied from original issue: cakephp/cakephp#10869
> Trying to grant access to an aco when it has already been denied at least once does not work. I encountered this problem when trying to grant my administrative users access to a particular aco that I had denied previously.
Hmm, I couldn't reproduce the issue in Croogo (it uses the same plugin). Eg:
> This would say Permission granted, but wouldn't actually work:
> $ bin/cake acl grant Groups.1 controllers/manage/Tracks/index
When you say "wouldn't actually work", are you saying that accessing the action from browser didn't work or using bin/cake acl check says not allowed?
If still denied from the browser, it may be related to cache or cookie, so clear your cache/cookie and retry.
@rchavik Ah, I wasn't testing access using check. I was testing access by refreshing the browser (ctrl+shift+r, force refresh, do not use cached data in Chrome). I don't think this was a caching issue.
Can you double check your Acl component is not configured using CachedDbAcl adapter?
@rchavik sorry, where do I check this setting? Thanks.
It's configured via Acl.classname config key. (defaults to DbAcl when not configured)
This is what's in my AppController.
public $components = [
        'Acl' => [
            'className' => 'Acl.Acl'
        ]
    ];
I'm not sure if it's worth mentioning, but I have multiple AppControllers (for an API, and a management section), all with the above $components variable set to the same.
No, the setting we need to check is Configure::write('Acl.classname', ...);
What is the output of bin/cake acl check after you re-add the grant?
/vendor/cakephp/acl/config/bootstrap.php:
   15: if (!Configure::read('Acl.classname')) {
   16:     Configure::write('Acl.classname', 'DbAcl');
This what you want? That is the default config, I haven't changed anything out of the box.
Yes. So it's probably set using the default.
Hmm. I can't think of anything else. I'll try to repro using a clean cake app when I have time. No promises though
