[1.3.0] [FIX] ACL allows access to forbidden resources

ext/acl/adapter/memory.c

@@ -674,27 +674,24 @@ PHP_METHOD(Phalcon_Acl_Adapter_Memory, deny){
 	RETURN_MM();
 }
 
-static int phalcon_role_adapter_memory_check_inheritance(zval *role, zval *resource, zval *access, zval *access_list, zval* this_ptr TSRMLS_DC)
+#define PHALCON_ACL_NO      0
+#define PHALCON_ACL_YES     1
+#define PHALCON_ACL_DUNNO  -1
+
+static int phalcon_role_adapter_memory_check_inheritance(zval *role, zval *resource, zval *access, zval *access_list, zval* role_inherits TSRMLS_DC)
 {
-	zval *role_inherits, *inherited_roles, *access_key, *have_access = NULL;
+	zval *inherited_roles, *access_key;
 	zval **parent_role;
-	zval one = zval_used_for_init;
+	int result = PHALCON_ACL_DUNNO;
 	HashPosition hp;
 
-	ZVAL_LONG(&one, 1);
-
 	assert(Z_TYPE_P(role) == IS_STRING);
 	assert(Z_TYPE_P(resource) == IS_STRING);
 	assert(Z_TYPE_P(access) == IS_STRING);
 	assert(Z_TYPE_P(access_list) == IS_ARRAY);
 
-	role_inherits = phalcon_fetch_nproperty_this(this_ptr, SL("_roleInherits"), PH_NOISY TSRMLS_CC);
-	if (!phalcon_array_isset_fetch(&inherited_roles, role_inherits, role)) {
-		return 0;
-	}
-
-	if (Z_TYPE_P(inherited_roles) != IS_ARRAY) {
-		return 0;
+	if (!phalcon_array_isset_fetch(&inherited_roles, role_inherits, role) || Z_TYPE_P(inherited_roles) != IS_ARRAY) {
+		return PHALCON_ACL_DUNNO;
 	}
 
 	ALLOC_INIT_ZVAL(access_key);
@@ -704,25 +701,27 @@ static int phalcon_role_adapter_memory_check_inheritance(zval *role, zval *resou
 		zend_hash_move_forward_ex(Z_ARRVAL_P(inherited_roles), &hp)
 	) {
 		int found;
+		zval *have_access;
 
 		phalcon_concat_vsvsv(&access_key, *parent_role, SL("!"), resource, SL("!"), access, 0 TSRMLS_CC);
 		found = phalcon_array_isset_fetch(&have_access, access_list, access_key);
 		zval_dtor(access_key);
 		ZVAL_NULL(access_key);
 
-		if (found && Z_TYPE_P(have_access) != IS_NULL) {
-			break;
+		if (found) {
+			result = zend_is_true(have_access) ? PHALCON_ACL_YES : PHALCON_ACL_NO;
+		}
+		else {
+			result = phalcon_role_adapter_memory_check_inheritance(*parent_role, resource, access, access_list, role_inherits TSRMLS_CC);
 		}
 
-		have_access = NULL; /* To be safe */
-		if (phalcon_role_adapter_memory_check_inheritance(*parent_role, resource, access, access_list, this_ptr TSRMLS_CC)) {
-			have_access = &one;
+		if (PHALCON_ACL_DUNNO != result) {
 			break;
 		}
 	}
 
 	zval_ptr_dtor(&access_key);
-	return (have_access && Z_TYPE_P(have_access) != IS_NULL) ? 1 : 0;
+	return result;
 }
 
 /**
@@ -743,19 +742,16 @@ static int phalcon_role_adapter_memory_check_inheritance(zval *role, zval *resou
  */
 PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 
-	zval *role, *resource, *access, *events_manager;
+	zval *role, *resource, *access, *events_manager, *role_inherits;
 	zval *event_name = NULL, *status, *default_access, *roles_names;
 	zval *have_access = NULL, *access_list, *access_key = NULL;
-	zval resource_star, access_star;
+	zval star;
 	int allow_access;
 
 	PHALCON_MM_GROW();
 
-	INIT_ZVAL(access_star);
-	ZVAL_STRING(&access_star, "*", 0);
-
-	INIT_ZVAL(resource_star);
-	ZVAL_STRING(&resource_star, "*", 0);
+	INIT_ZVAL(star);
+	ZVAL_STRING(&star, "*", 0);
 
 	phalcon_fetch_params(1, 3, 0, &role, &resource, &access);
 
@@ -772,7 +768,7 @@ PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 		PHALCON_INIT_VAR(status);
 		phalcon_call_method_p2(status, events_manager, "fire", event_name, this_ptr);
 		if (PHALCON_IS_FALSE(status)) {
-			RETURN_CCTOR(status);
+			RETURN_CTOR(status);
 		}
 	}
 
@@ -783,7 +779,7 @@ PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 	 */
 	roles_names = phalcon_fetch_nproperty_this(this_ptr, SL("_rolesNames"), PH_NOISY_CC);
 	if (!phalcon_array_isset(roles_names, role)) {
-		RETURN_CCTOR(default_access);
+		RETURN_CTOR(default_access);
 	}
 
 	access_list = phalcon_fetch_nproperty_this(this_ptr, SL("_access"), PH_NOISY_CC);
@@ -794,55 +790,60 @@ PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 	/** 
 	 * Check if there is a direct combination for role-resource-access
 	 */
-	phalcon_array_isset_fetch(&have_access, access_list, access_key);
-	allow_access = have_access && Z_TYPE_P(have_access) != IS_NULL;
-
+	if (phalcon_array_isset_fetch(&have_access, access_list, access_key)) {
+		allow_access = zend_is_true(have_access) ? PHALCON_ACL_YES : PHALCON_ACL_NO;
+	}
+	else {
+		allow_access = PHALCON_ACL_DUNNO;
+	}
+
 	/** 
 	 * Check in the inherits roles
 	 */
-	if (!allow_access && phalcon_role_adapter_memory_check_inheritance(role, resource, access, access_list, getThis() TSRMLS_CC)) {
-		allow_access = 1;
+	if (PHALCON_ACL_DUNNO == allow_access) {
+		role_inherits = phalcon_fetch_nproperty_this(this_ptr, SL("_roleInherits"), PH_NOISY TSRMLS_CC);
+		allow_access  = phalcon_role_adapter_memory_check_inheritance(role, resource, access, access_list, role_inherits TSRMLS_CC);
 	}
 
 	/** 
 	 * If access wasn't found yet, try role-resource-*
 	 */
-	if (!allow_access) {
+	if (PHALCON_ACL_DUNNO == allow_access) {
 
 		PHALCON_INIT_NVAR(access_key);
 		PHALCON_CONCAT_VSVS(access_key, role, "!", resource, "!*");
 
 		/** 
 		 * In the direct role
 		 */
-		phalcon_array_isset_fetch(&have_access, access_list, access_key);
-		allow_access = have_access && Z_TYPE_P(have_access) != IS_NULL;
-
-		if (!allow_access && phalcon_role_adapter_memory_check_inheritance(role, resource, &access_star, access_list, getThis() TSRMLS_CC)) {
-			allow_access = 1;
+		if (phalcon_array_isset_fetch(&have_access, access_list, access_key)) {
+			allow_access = zend_is_true(have_access) ? PHALCON_ACL_YES : PHALCON_ACL_NO;
+		}
+		else {
+			allow_access = phalcon_role_adapter_memory_check_inheritance(role, resource, &star, access_list, role_inherits TSRMLS_CC);
 		}
 	}
 
 	/** 
 	 * If access wasn't found yet, try role-*-*
 	 */
-	if (!allow_access) {
+	if (PHALCON_ACL_DUNNO == allow_access) {
 
 		PHALCON_INIT_NVAR(access_key);
 		PHALCON_CONCAT_VS(access_key, role, "!*!*");
 
 		/** 
 		 * Try in the direct role
 		 */
-		phalcon_array_isset_fetch(&have_access, access_list, access_key);
-		allow_access = have_access && Z_TYPE_P(have_access) != IS_NULL;
-
-		if (!allow_access && phalcon_role_adapter_memory_check_inheritance(role, &resource_star, &access_star, access_list, getThis() TSRMLS_CC)) {
-			allow_access = 1;
+		if (phalcon_array_isset_fetch(&have_access, access_list, access_key)) {
+			allow_access = zend_is_true(have_access) ? PHALCON_ACL_YES : PHALCON_ACL_NO;
+		}
+		else {
+			allow_access = phalcon_role_adapter_memory_check_inheritance(role, &star, &star, access_list, role_inherits TSRMLS_CC);
 		}
 	}
 
-	ZVAL_BOOL(return_value, allow_access);
+	ZVAL_BOOL(return_value, PHALCON_ACL_YES == allow_access);
 
 	phalcon_update_property_this(this_ptr, SL("_accessGranted"), return_value TSRMLS_CC);
 	if (Z_TYPE_P(events_manager) == IS_OBJECT) {

ext/tests/issue-1303.phpt

@@ -0,0 +1,27 @@
+--TEST--
+ACL allows access to forbidden resources - https://github.com/phalcon/cphalcon/issues/1303
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+$acl = new \Phalcon\Acl\Adapter\Memory();
+
+$acl->setDefaultAction(\Phalcon\Acl::DENY);
+
+$acl->addRole('Guests');
+$acl->addRole('Designers');
+
+$customersResource = new \Phalcon\Acl\Resource('Customers', 'Customers management');
+
+$acl->addResource($customersResource, array('search', 'create', 'update'));
+
+$acl->allow('Guests', 'Customers', 'search');
+$acl->allow('Guests', 'Customers', 'create');
+$acl->deny('Guests', 'Customers', 'update');
+
+var_dump((int)$acl->isAllowed('Guests', 'Customers', 'edit'));
+var_dump((int)$acl->isAllowed('Guests', 'Customers', 'update'));
+?>
+--EXPECT--
+int(0)
+int(0)

ext/tests/issue-65.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Negating ACL roles - https://github.com/phalcon/cphalcon/issues/65
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+$acl = new \Phalcon\Acl\Adapter\Memory();
+$acl->setDefaultAction(\Phalcon\Acl::DENY);
+
+$acl->addRole('Guests');
+$acl->addRole('Members', 'Guests');
+
+$acl->addResource('Login', array('index'));
+
+$acl->allow('Guests', 'Login', 'index');
+$acl->deny('Members', 'Login', 'index');
+var_dump((bool)$acl->isAllowed('Members', 'Login', 'index'));
+?>
+--EXPECT--
+bool(false)