Details
- Bug
- Resolution: Fixed
- Medium
- 4.2.0, extension/ezwebin 1.4-1
- None
- n/a
Description
Suppose you have duplicate "content/read" policies in a role: one has a Section limitation to section ID 1, and the other has a Section limitation to section ID 2.
If you run:
has_access_to_limitation( 'content', 'read', hash( 'Section', 2 ) )
This will return false because the first check only has a limitation of section ID 1. However, this is incorrect, as the user in question does have access to read section ID 2.
If you look at the existing code you can see why this is the case: the first policy that has a Section limitation is assumed to be the only policy with that limitation.
    // User has access unless limitations don't match
    foreach ( $result['policies'] as $limitationArray )
    {
        foreach ( $limitationArray as $limitationKey => $limitationValues )
        {
            if ( isset( $limitations[$limitationKey] ) )
            {
                if ( !in_array( $limitations[$limitationKey], $limitationValues ) )
                {
                    return false;
                }
            }
            else
            {
                // TODO: build limitation array of unmatched policies
            }
        }
    }
Of course, this does open up discussion that the content manager should consolidate the Section limitations into one policy.
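The difference between the reported behaviour and a per-policy evaluation, as an added example that is not code from eZ Publish or from the fix for this issue. The function names `firstPolicyDecides` and `anyPolicyGrants` and the sample policies are constructed for illustration, and the second function assumes that policies in a role are alternatives (any one may grant) while the limitations inside a single policy must all match.

```php
<?php
// Constructed sample: two "content/read" policies in one role, as in the report.
$policies = [
    [ 'Section' => [ 1 ] ],
    [ 'Section' => [ 2 ] ],
];

// Reported behaviour: the first policy whose limitation does not match ends
// the check, so a later policy that would match is never consulted.
function firstPolicyDecides( array $policies, array $limitations ): bool
{
    foreach ( $policies as $limitationArray ) {
        foreach ( $limitationArray as $key => $values ) {
            if ( isset( $limitations[$key] ) && !in_array( $limitations[$key], $values ) ) {
                return false;
            }
        }
    }
    return true;
}

// Assumed semantics: OR across policies, AND across the limitations of one
// policy. As in the original loop, a limitation the caller did not ask about
// is not evaluated.
function anyPolicyGrants( array $policies, array $limitations ): bool
{
    foreach ( $policies as $limitationArray ) {
        $matches = true;
        foreach ( $limitationArray as $key => $values ) {
            if ( isset( $limitations[$key] ) && !in_array( $limitations[$key], $values ) ) {
                $matches = false;
                break; // this policy does not cover the request, try the next one
            }
        }
        if ( $matches ) {
            return true;
        }
    }
    // No policy covers the request. Denying on an empty policy list is a
    // choice made in this example, not behaviour taken from the page.
    return false;
}

// Section 2 is the case from the report; section 3 is covered by neither policy.
foreach ( [ 1, 2, 3 ] as $sectionId ) {
    echo "Section $sectionId: first-policy=";
    var_dump( firstPolicyDecides( $policies, [ 'Section' => $sectionId ] ) );
    echo "Section $sectionId: any-policy=";
    var_dump( anyPolicyGrants( $policies, [ 'Section' => $sectionId ] ) );
}
```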
Issue Links
- relates to EZP-16386 eZJSCore server limitation per function doesn't work (Closed)