ACL deny, then grant not working as expected. #122

Open
2 tasks done
ADmad opened this issue Jul 6, 2017 · 9 comments

@ADmad
Member

ADmad commented Jul 6, 2017

From @notoriousturtle on July 6, 2017 6:26

  • bug

  • feature request (see bottom of post)

  • CakePHP Version: 3.7.7

  • Platform and Target: 7.0.18-0ubuntu0.16.04.1

What you did, what happened

Trying to grant access to an aco when it has already been denied at least once does not work. I encountered this problem when trying to grant my administrative users access to a particular aco that I had denied previously.

This would say Permission granted, but wouldn't actually work:

$ bin/cake acl grant Groups.1 controllers/manage/Tracks/index

After messing with it for a while I tried to recover aro/aco. This didn't help.

I resolved this by deleting the aco, then granting permission again, like so:

$ bin/cake acl delete aco controllers/manage/Tracks/index
Aco deleted.
$ bin/cake acl_extras aco_sync
Created Aco node: controllers/Manage/Tracks/index
Aco Update Complete
$ bin/cake acl grant Groups.1 controllers/manage/Tracks/index
Permission granted.

Then when I accessed the aco as an administratively grouped user it worked.

What you expected to happen

I expect deny, then granting again to allow access to the aco.

Also, is it possible to get a bit more documentation on Cake's ACL stuff? Also, is there any way I can get a listing of all permissions for a specific aco, such as /manage/Tracks/index? And is there a way to get a list of what acos a user group has access to? Thanks.

Copied from original issue: cakephp/cakephp#10869

@rchavik
Member

rchavik commented Jul 8, 2017

> Trying to grant access to an aco when it has already been denied at least once does not work. I encountered this problem when trying to grant my administrative users access to a particular aco that I had denied previously.

Hmm, I couldn't reproduce the issue in Croogo (it uses the same plugin). Eg:

asciicast

> This would say Permission granted, but wouldn't actually work:
> $ bin/cake acl grant Groups.1 controllers/manage/Tracks/index

When you say "wouldn't actually work", are you saying that accessing the action from browser didn't work or using bin/cake acl check says not allowed?

If still denied from browser, it may be related to cache or cookie, so clear your cache/cookie and retry.

@notoriousturtle

@rchavik Ah, I wasn't testing access using check. I was testing access by refreshing the browser (ctrl+shift+r, force refresh, do not use cached data in Chrome). I don't think this was a caching issue.

@rchavik
Member

rchavik commented Jul 8, 2017

Can you double check your Acl component is not configured using CachedDbAcl adapter?

@notoriousturtle

@rchavik sorry, where do I check this setting? Thanks.

@rchavik
Member

rchavik commented Jul 8, 2017

It's configured via Acl.classname config key. (defaults to DbAcl when not configured)

@notoriousturtle

This is what's in my AppController.

public $components = [
    'Acl' => [
        'className' => 'Acl.Acl'
    ]
];

I'm not sure if it's worth mentioning, but I have multiple AppControllers (for an API, and a management section), all with the above $components variable set to the same.

@rchavik
Member

rchavik commented Jul 10, 2017

No, the setting we need to check is Configure::write('Acl.classname', ...);

What is the output of bin/cake acl check after you re-add the grant?

@notoriousturtle

notoriousturtle commented Jul 10, 2017

/vendor/cakephp/acl/config/bootstrap.php:
   15: if (!Configure::read('Acl.classname')) {
   16:     Configure::write('Acl.classname', 'DbAcl');

This what you want? That is the default config, I haven't changed anything out of the box.

@rchavik
Member

rchavik commented Jul 10, 2017

Yes. So it's probably set using the default.

Hmm. I can't think of anything else. I'll try to repro using a clean cake app when I have time. No promises though
