
Zend_Acl component update breaks application functionality

Having just updated from version 1.10.6 to version 1.11, I discovered the sad fact that the administrator account lost access to most of the functionality.

I set the privileges of the admin role after adding some of the resources:

$acl->add(new Zend_Acl_Resource('resource1'));
$acl->allow('admin');
$acl->add(new Zend_Acl_Resource('resource2'));

As it turned out after running the two versions of the Zend/Acl.php file through diff, line 636 of the file had changed.

It was:
$resources = array($resources);

It became:
$resources = ($resources == null && count($this->_resources) > 0) ? array_keys($this->_resources) : array($resources);

Obviously, if you do not pass any resources when calling the allow method, privileges for the role are now established only for the resources already registered, whereas earlier such a call granted access to all resources. Now, for normal operation, you need to set the permission before the first resource is added to the ACL: while no resources are registered, count($this->_resources) > 0 is false and the old array($resources) branch is taken.
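The order dependence described above, reproduced in a stripped-down model. This is an added example, not code from Zend Framework or from the original post: MiniAcl and audit() are hypothetical names, and only the resource expansion from line 636 is modelled (no privileges, inheritance or deny rules). It lists the resources the admin role cannot reach for the old line, the new line with the post's call order, and the new line with allow() called first.

```php
<?php
// Simplified model, NOT Zend_Acl: roles and resources only, no privileges,
// no inheritance, no deny rules. MiniAcl and audit() are hypothetical names.
final class MiniAcl
{
    private array $resources = []; // resource id => true
    private array $rules = [];     // role => [resource id or '*' => true]
    private bool $expandNull;      // true = 1.11 form of line 636

    public function __construct(bool $expandNull)
    {
        $this->expandNull = $expandNull;
    }

    public function add(string $id): void
    {
        $this->resources[$id] = true;
    }

    public function allow(string $role, ?string $resources = null): void
    {
        // Line 636 in its 1.11 form when $expandNull is true, else the 1.10.6 form.
        $list = ($this->expandNull && $resources == null && count($this->resources) > 0)
            ? array_keys($this->resources)
            : array($resources);
        foreach ($list as $r) {
            $this->rules[$role][$r ?? '*'] = true; // '*' = rule on all resources
        }
    }

    public function isAllowed(string $role, string $id): bool
    {
        return isset($this->rules[$role]['*']) || isset($this->rules[$role][$id]);
    }
}

// Returns the resources the role cannot reach after the ACL is built.
function audit(bool $expandNull, bool $allowFirst): array
{
    $acl = new MiniAcl($expandNull);
    if ($allowFirst) { $acl->allow('admin'); }   // workaround order
    $acl->add('resource1');
    if (!$allowFirst) { $acl->allow('admin'); }  // order used in the post
    $acl->add('resource2');
    return array_values(array_filter(['resource1', 'resource2'],
        fn ($id) => !$acl->isAllowed('admin', $id)));
}

foreach ([[false, false], [true, false], [true, true]] as [$v111, $first]) {
    printf("1.11=%d allowFirst=%d denied: %s\n", $v111, $first, json_encode(audit($v111, $first)));
}
```

A check of this shape against the real ACL after a framework upgrade (every role that is meant to have blanket access is tested against every registered resource) surfaces a silent loss or gain of access before deployment.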

I would like to hope that this is an ill-conceived fix and not a new security policy of the framework.

As it turned out, this was an attempt to fix ZF-9643, which in turn introduced ZF-10649.

Source: https://habr.com/ru/post/107689/

