I have a problem setting up proper rules in my application. The following is my code. I create roles, resources and restrictions. I expect that 'consul' is allowed to go to /mymodule but is denied /mymodule/{add,edit,delete}, and likewise that 'operat' can go everywhere except the delete controller of mymodule.
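use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource;

$acl = new Acl();
//creating roles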
$guest = new GenericRole('guest');
$consul = new GenericRole('consul');
$operat = new GenericRole('operat');
$admin = new GenericRole('admin');
//adding roles
$acl -> addRole($guest);
$acl -> addRole($consul,'guest');
$acl -> addRole($operat,'consul');
$acl -> addRole($admin,'operat');
//adding resources
$acl -> addResource(new GenericResource('home'));
$acl -> addResource(new GenericResource('application'));
$acl -> addResource(new GenericResource('auth'));
$acl -> addResource(new GenericResource('mymodule'));
//adding restrictions
$acl -> allow('guest', 'home');
$acl -> allow('guest', 'application');
$acl -> allow('guest', 'auth');
$acl -> deny('guest', 'mymodule');
$acl -> allow('consul','mymodule');
$acl -> allow('operat','mymodule','index');
$acl -> deny('consul','mymodule','add');
$acl -> deny('consul','mymodule','edit');
$acl -> deny('consul','mymodule','delete');
$acl -> allow('operat','mymodule');
$acl -> deny('operat','mymodule','delete');
$acl -> allow('admin');
Instead of the desired behavior, ZF2 doesn't permit 'consul' to view /mymodule, and if I try to debug I get the following (my code, with the result in the comment):
//some tests
echo $acl->isAllowed('guest', 'mymodule') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('guest', 'mymodule','index') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('guest', 'mymodule','add') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('consul','mymodule') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('consul','mymodule','index') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('consul','mymodule','default') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('consul','mymodule','add') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('consul','mymodule','edit') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('operat','mymodule') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('operat','mymodule','index') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('operat','mymodule','default') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('operat','mymodule','add') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('operat','mymodule','edit') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('operat','mymodule','delete') ? 'allowed' : 'denied'; // denied
echo $acl->isAllowed('admin','mymodule') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('admin','mymodule','index') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('admin','mymodule','default') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('admin','mymodule','add') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('admin','mymodule','edit') ? 'allowed' : 'denied'; // allowed
echo $acl->isAllowed('admin','mymodule','delete') ? 'allowed' : 'denied'; // allowed
Who can help me understand this strange behavior? Where is my fault?
Thank you in advance.
If you deny some privileges to the consul role on a resource, it will not be considered as having all privileges on that resource (which is what you ask when you do $acl->isAllowed('consul', 'mymodule')).
Basically, you need to allow a specific privilege (index for instance) and do your check on this privilege.
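
An added example (not code from the question or the answer) of the check the answer describes: the policy restated as allow-only rules on named privileges, with every query passing an explicit privilege, verified against a constructed expectation matrix. It assumes zend-permissions-acl is installed through Composer; `buildAcl`, `canAccess`, the `'index'` fallback and the matrix are hypothetical names and values chosen for illustration.

```php
<?php
// Added example, not the poster's code. Assumes zend-permissions-acl is
// installed via Composer; function names and the matrix are illustrative.
require __DIR__ . '/vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource;

function buildAcl(): Acl
{
    $acl = new Acl();
    $acl->addRole(new GenericRole('guest'));
    $acl->addRole(new GenericRole('consul'), 'guest');
    $acl->addRole(new GenericRole('operat'), 'consul');
    $acl->addResource(new GenericResource('mymodule'));
    // Grant named privileges only. Acl denies by default, so anything
    // not granted here (e.g. 'delete') stays denied without a deny() rule.
    $acl->allow('consul', 'mymodule', 'index');
    $acl->allow('operat', 'mymodule', ['add', 'edit']);
    return $acl;
}

// Always pass a privilege. A null privilege asks "allowed for ALL
// privileges?", which is false as soon as one privilege is denied.
function canAccess(Acl $acl, string $role, string $resource, ?string $action): bool
{
    return $acl->isAllowed($role, $resource, $action ?: 'index');
}

// Constructed expectation matrix: [role, action, expected result].
$expected = [
    ['guest',  'index',  false],
    ['consul', null,     true],   // falls back to 'index'
    ['consul', 'add',    false],
    ['operat', 'index',  true],   // inherited from consul
    ['operat', 'edit',   true],
    ['operat', 'delete', false],
];
$acl = buildAcl();
$failures = 0;
foreach ($expected as [$role, $action, $want]) {
    if (canAccess($acl, $role, 'mymodule', $action) !== $want) {
        fwrite(STDERR, sprintf("MISMATCH %s/%s\n", $role, var_export($action, true)));
        $failures++;
    }
}
exit($failures ? 1 : 0);
```

Running the matrix as part of the test suite catches a rule change that silently widens or narrows access.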