Bug #58927
Overlapping ressouce definitions in Policy.yaml resolved incorrectly
| Status: | New | Start date: | 2014-05-19 | |
|---|---|---|---|---|
| Priority: | Should have | Due date: | ||
| Assigned To: | - | % Done: | 0% |
|
| Category: | Security | |||
| Target version: | TYPO3 Flow Base Distribution - 2.1 | |||
| PHP Version: | 5.4 | Complexity: | ||
| Has patch: | No | Affected Flow version: | Git master |
Description
Just encountered this particular bug while updating a Policy.yaml file.
If you have two ressource definitions that overlap:
ressources:
methods:
allMethods: 'method(Vendor\Ext\Controller\SomeController->.*Action())'
specificMethod: 'method(Vendor\Ext\Controller\SomeController->specificAction())'
And acls similar to this:
acls:
OneRole:
methods:
allMethods: GRANT
SecondRole:
methods:
specificMethod: GRANT
Then the second role can not access the specific method. By votes (0 denied, 0 granted, 1 abstained). The interesting part is when you execute
./flow security:showeffectivepolicy Vendor.Ext:SecondRole
The output says that specificMethod is allowed for SecondRole.
So even if this behavior is intended there is a bug in the SecurityCommandController at the very least.
PS:
Affected Flow Version: 2.1.2
Although this version or any version beyond 2.0.0 does not actually exist here in forge.