Merge branch 'master' of https://github.com/zendframework/zf2 into zf…

…-3371

src/Acl.php

@@ -5,17 +5,11 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
-class Acl
+class Acl implements AclInterface
 {
     /**
      * Rule type: allow
@@ -572,7 +566,11 @@ public function setRule($operation, $type, $roles = null, $resources = null,
         $resources = array();
         foreach ($resourcesTemp as $resource) {
             if (null !== $resource) {
-                $resources[] = $this->getResource($resource);
+                $resourceObj = $this->getResource($resource);
+                $resourceId = $resourceObj->getResourceId();
+                $children = $this->getChildResources($resourceObj);
+                $resources = array_merge($resources, $children);
+                $resources[$resourceId] = $resourceObj;
             } else {
                 $resources[] = null;
             }
@@ -659,6 +657,28 @@ public function setRule($operation, $type, $roles = null, $resources = null,
         return $this;
     }
 
+    /**
+     * Returns all child resources from the given resource.
+     *
+     * @param  Resource\ResourceInterface|string    $resource
+     * @return Resource\ResourceInterface[]
+     */
+    protected function getChildResources(Resource\ResourceInterface $resource)
+    {
+        $return = array();
+        $id = $resource->getResourceId();
+
+        $children = $this->resources[$id]['children'];
+        foreach($children as $child) {
+            $child_return = $this->getChildResources($child);
+            $child_return[$child->getResourceId()] = $child;
+
+            $return = array_merge($return, $child_return);
+        }
+
+        return $return;
+    }
+
     /**
      * Returns true if and only if the Role has access to the Resource
      *
@@ -747,7 +767,10 @@ public function isAllowed($role = null, $resource = null, $privilege = null)
                 if (null !== ($ruleType = $this->getRuleType($resource, null, $privilege))) {
                     return self::TYPE_ALLOW === $ruleType;
                 } elseif (null !== ($ruleTypeAllPrivileges = $this->getRuleType($resource, null, null))) {
-                    return self::TYPE_ALLOW === $ruleTypeAllPrivileges;
+                    $result = self::TYPE_ALLOW === $ruleTypeAllPrivileges;
+                    if ($result || null === $resource) {
+                        return $result;
+                    }
                 }
 
                 // try next Resource

src/AclInterface.php

@@ -0,0 +1,51 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link      http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license   http://framework.zend.com/license/new-bsd New BSD License
+ */
+
+namespace Zend\Permissions\Acl;
+
+interface AclInterface
+{
+    /**
+     * Returns true if and only if the Resource exists in the ACL
+     *
+     * The $resource parameter can either be a Resource or a Resource identifier.
+     *
+     * @param  Resource\ResourceInterface|string $resource
+     * @return boolean
+     */
+    public function hasResource($resource);
+
+    /**
+     * Returns true if and only if the Role has access to the Resource
+     *
+     * The $role and $resource parameters may be references to, or the string identifiers for,
+     * an existing Resource and Role combination.
+     *
+     * If either $role or $resource is null, then the query applies to all Roles or all Resources,
+     * respectively. Both may be null to query whether the ACL has a "blacklist" rule
+     * (allow everything to all). By default, Zend_Acl creates a "whitelist" rule (deny
+     * everything to all), and this method would return false unless this default has
+     * been overridden (i.e., by executing $acl->allow()).
+     *
+     * If a $privilege is not provided, then this method returns false if and only if the
+     * Role is denied access to at least one privilege upon the Resource. In other words, this
+     * method returns true if and only if the Role is allowed all privileges on the Resource.
+     *
+     * This method checks Role inheritance using a depth-first traversal of the Role registry.
+     * The highest priority parent (i.e., the parent most recently added) is checked first,
+     * and its respective parents are checked similarly before the lower-priority parents of
+     * the Role are checked.
+     *
+     * @param  Role\RoleInterface|string            $role
+     * @param  Resource\ResourceInterface|string    $resource
+     * @param  string                               $privilege
+     * @return boolean
+     */
+    public function isAllowed($role = null, $resource = null, $privilege = null);
+}

src/Assertion/AssertionInterface.php

@@ -5,7 +5,6 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Assertion;
@@ -14,11 +13,6 @@
 use Zend\Permissions\Acl\Resource\ResourceInterface;
 use Zend\Permissions\Acl\Role\RoleInterface;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 interface AssertionInterface
 {
     /**

src/Exception/ExceptionInterface.php

@@ -5,15 +5,9 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Exception;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 interface ExceptionInterface
 {}

src/Exception/InvalidArgumentException.php

@@ -5,16 +5,10 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Exception;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 class InvalidArgumentException extends \InvalidArgumentException implements
     ExceptionInterface
 {}

src/Exception/RuntimeException.php

@@ -5,16 +5,10 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Exception;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 class RuntimeException extends \RuntimeException implements
     ExceptionInterface
 {

src/Resource/GenericResource.php

@@ -5,16 +5,10 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Resource;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 class GenericResource implements ResourceInterface
 {
     /**

src/Resource/ResourceInterface.php

@@ -5,16 +5,10 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Resource;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 interface ResourceInterface
 {
     /**

src/Role/GenericRole.php

@@ -5,16 +5,10 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Role;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 class GenericRole implements RoleInterface
 {
     /**

src/Role/Registry.php

@@ -5,18 +5,12 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Role;
 
 use Zend\Permissions\Acl\Exception;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 class Registry
 {
     /**

src/Role/RoleInterface.php

@@ -5,16 +5,10 @@
  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
  * @license   http://framework.zend.com/license/new-bsd New BSD License
- * @package   Zend_Permissions
  */
 
 namespace Zend\Permissions\Acl\Role;
 
-/**
- * @category   Zend
- * @package    Zend_Permissions
- * @subpackage Acl
- */
 interface RoleInterface
 {
     /**

test/AclTest.php

@@ -1303,4 +1303,40 @@ public function testRemoveDenyWithNullResourceAppliesToAllResources()
         $this->assertFalse($this->_acl->isAllowed('guest', 'newsletter', 'read'));
     }
 
+    /**
+     * @group ZF2-3454
+     */
+    public function testAclResourcePermissionsAreInheritedWithMultilevelResourcesAndDenyPolicy()
+    {
+        $this->_acl->addRole('guest');
+        $this->_acl->addResource('blogposts');
+        $this->_acl->addResource('feature', 'blogposts');
+        $this->_acl->addResource('post_1', 'feature');
+        $this->_acl->addResource('post_2', 'feature');
+
+        // Allow a guest to read feature posts and
+        // comment on everything except feature posts.
+        $this->_acl->deny();
+        $this->_acl->allow('guest', 'feature', 'read');
+        $this->_acl->allow('guest', null, 'comment');
+        $this->_acl->deny('guest', 'feature', 'comment');
+
+        $this->assertFalse($this->_acl->isAllowed('guest', 'feature', 'write'));
+        $this->assertTrue($this->_acl->isAllowed('guest', 'post_1', 'read'));
+        $this->assertTrue($this->_acl->isAllowed('guest', 'post_2', 'read'));
+
+        $this->assertFalse($this->_acl->isAllowed('guest', 'post_1', 'comment'));
+        $this->assertFalse($this->_acl->isAllowed('guest', 'post_2', 'comment'));
+    }
+
+    public function testSetRuleWorksWithResourceInterface()
+    {
+        $roleGuest = new Role\GenericRole('guest');
+        $this->_acl->addRole($roleGuest);
+
+        $resourceFoo = new Resource\GenericResource('foo');
+        $this->_acl->addResource($resourceFoo);
+
+        $this->_acl->setRule(Acl\Acl::OP_ADD, Acl\Acl::TYPE_ALLOW, $roleGuest, $resourceFoo);
+    }
 }