Bug #58927
Overlapping resource definitions in Policy.yaml resolved incorrectly
| Status: | New | Start date: | 2014-05-19 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assigned To: | - | % Done: | 0% |
| Category: | Security | | |
| Target version: | TYPO3 Flow Base Distribution - 2.1 | | |
| PHP Version: | 5.4 | Complexity: | |
| Has patch: | No | Affected Flow version: | Git master |
Description
Just encountered this particular bug while updating a Policy.yaml file.
If you have two resource definitions that overlap:

    resources:
      methods:
        allMethods: 'method(Vendor\Ext\Controller\SomeController->.*Action())'
        specificMethod: 'method(Vendor\Ext\Controller\SomeController->specificAction())'

And acls similar to this:

    acls:
      OneRole:
        methods:
          allMethods: GRANT
      SecondRole:
        methods:
          specificMethod: GRANT

Then the second role cannot access the specific method. By votes (0 denied, 0 granted, 1 abstained). The interesting part is when you execute

    ./flow security:showeffectivepolicy Vendor.Ext:SecondRole

The output says that specificMethod is allowed for SecondRole.
So even if this behavior is intended there is a bug in the SecurityCommandController at the very least.
PS:
Affected Flow Version: 2.1.2
Although this version or any version beyond 2.0.0 does not actually exist here in forge.
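
A lint for the configuration described in this report, as an added example that is not part of the original report or of Flow's own code: it lists roles whose ACL names only one of two overlapping method resources, so their real access can be verified by an actual request rather than by `security:showeffectivepolicy` alone. It assumes the policy has already been parsed into a dict and that the class part of each `method(...)` expression is a literal; the function names and the sample data are constructed for illustration.

```python
import re

# Constructed sample mirroring the report's Policy.yaml, as already-parsed data.
POLICY = {
    "resources": {"methods": {
        "allMethods": r"method(Vendor\Ext\Controller\SomeController->.*Action())",
        "specificMethod": r"method(Vendor\Ext\Controller\SomeController->specificAction())",
    }},
    "acls": {
        "OneRole": {"methods": {"allMethods": "GRANT"}},
        "SecondRole": {"methods": {"specificMethod": "GRANT"}},
    },
}

# method(<class>-><method pattern>()) ; class part treated as a literal (assumption).
EXPR = re.compile(r"^method\((?P<cls>[^>]+)->(?P<method>.+)\(\)\)$")


def split_expr(expr):
    """Split a method() resource expression into (class, method pattern)."""
    m = EXPR.match(expr)
    if m is None:
        raise ValueError("unsupported resource expression: %r" % expr)
    return m.group("cls"), m.group("method")


def overlaps(resources):
    """Return (broad, narrow) pairs: narrow names one method that broad's pattern also matches."""
    parsed = {name: split_expr(expr) for name, expr in resources.items()}
    pairs = []
    for broad, (bcls, bmeth) in parsed.items():
        for narrow, (ncls, nmeth) in parsed.items():
            if broad == narrow or bcls != ncls:
                continue
            # Only compare when the narrow side is a plain method name.
            if re.fullmatch(r"\w+", nmeth) and re.fullmatch(bmeth, nmeth):
                pairs.append((broad, narrow))
    return pairs


def roles_to_review(policy):
    """Roles whose ACL mentions exactly one resource of an overlapping pair."""
    findings = []
    for broad, narrow in overlaps(policy["resources"]["methods"]):
        for role, acl in policy["acls"].items():
            entries = acl.get("methods", {})
            if (broad in entries) != (narrow in entries):
                findings.append((role, broad, narrow))
    return findings
```

Each finding is a prompt to test that role's access directly; the lint does not model how Flow's voters combine the two resources.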