[FLOW3-general] Security: ACLs don't work perfectly
Julian Kleinhans
typo3 at kj187.de
Wed Nov 24 22:39:16 CET 2010
Hi list,
I think I have found a bug in the security part.
I have two accounts, one with the role "Administrator" and one with the
role "Editor".
My Policy.yaml file looks like this:
---------------------------------------------------------
resources:
  methods:
    F3_Tutorials_RestrictedAdminArea: 'class(F3\Tutorials\Controller\Admin\.*)'
    F3_Tutorials_RestrictedDashbaord: 'class(F3\Tutorials\Controller\(Dashboard)Controller)'

roles:
  Administrator: []
  Editor: []

acls:
  Administrator:
    methods:
      F3_Tutorials_RestrictedAdminArea: GRANT
      F3_Tutorials_RestrictedDashbaord: GRANT
  Editor:
    methods:
      F3_Tutorials_RestrictedDashbaord: GRANT
---------------------------------------------------------
You can see that the Administrator has access to all Controller/Admin/
controllers and to the DashboardController.
If I log in as the Administrator, everything works without problems,
but if I log in as the Editor user and go to the
DashboardController I get the following exception:
---------------------------------------------------------
#1222268609: Access denied (0 denied, 0 granted, 1 abstained)
F3\FLOW3\Security\Exception\AccessDeniedException thrown in file
Packages/Framework/FLOW3/Classes/Security/Authorization/AccessDecisionVoterManager.php
in line 128.
---------------------------------------------------------
The strange thing is: if I go to a public page and add this to the Fluid file
---------------------------------------------------------
<f:security.ifHasRole role="Editor">
I am an editor
</f:security.ifHasRole>
---------------------------------------------------------
it works: I see the message "I am an editor".
So I can rule out a problem with the account role!
I hope someone can help me, or have I found a bug?!
Cheers,
Julian
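The following is an added example, not code from the post or from the FLOW3 framework: a small Python model of the two steps behind the exception above, resource matching (which `class(...)` patterns cover a controller class) and the vote that the policy voter casts for the account's roles, which the decision manager then counts as "denied / granted / abstained". The posted Policy.yaml is embedded as a plain dict (its parsed form, with the colon after `Editor` assumed present) so that no YAML library is required. The handling of the namespace backslashes, the DENY-over-GRANT-over-ABSTAIN aggregation, the rule that all-abstained means denied, and the rule that a method matched by no resource is not intercepted are assumptions about the framework made for this model, as is the `without_acl` helper, which only illustrates how a role whose ACL block never reaches the parsed policy ends up with "0 denied, 0 granted, 1 abstained".

```python
import copy
import re

# Constructed sample: the Policy.yaml from the post after YAML parsing, as a
# dict so no YAML library is needed. The colon missing after "Editor" in the
# post is assumed to be a paste error.
POLICY = {
    "resources": {"methods": {
        "F3_Tutorials_RestrictedAdminArea":
            r"class(F3\Tutorials\Controller\Admin\.*)",
        "F3_Tutorials_RestrictedDashbaord":
            r"class(F3\Tutorials\Controller\(Dashboard)Controller)",
    }},
    "roles": {"Administrator": [], "Editor": []},
    "acls": {
        "Administrator": {"methods": {
            "F3_Tutorials_RestrictedAdminArea": "GRANT",
            "F3_Tutorials_RestrictedDashbaord": "GRANT",
        }},
        "Editor": {"methods": {"F3_Tutorials_RestrictedDashbaord": "GRANT"}},
    },
}


def class_pointcut_regex(pointcut):
    """Compile a 'class(<pattern>)' pointcut. Assumption: <pattern> is a regex
    over the fully qualified class name whose namespace backslashes are meant
    literally, so they are escaped and the match is anchored to the whole name."""
    m = re.fullmatch(r"class\((.*)\)", pointcut)
    if m is None:
        raise ValueError("unsupported pointcut: " + pointcut)
    return re.compile("^" + m.group(1).replace("\\", "\\\\") + "$")


def matching_resources(policy, class_name):
    """Names of all method resources whose class() pattern matches class_name."""
    return sorted(name for name, pc in policy["resources"]["methods"].items()
                  if class_pointcut_regex(pc).match(class_name))


def policy_vote(policy, roles, resources):
    """Model of the policy voter: one vote per join point. Any DENY held by a
    role wins, otherwise any GRANT grants; with no ACL entry at all the voter
    abstains, which is an absence of opinion, not a grant."""
    privileges = set()
    for resource in resources:
        for role in roles:
            entry = policy["acls"].get(role, {}).get("methods", {}).get(resource)
            if entry is not None:
                privileges.add(entry)
    if "DENY" in privileges:
        return "DENY"
    if "GRANT" in privileges:
        return "GRANT"
    return "ABSTAIN"


def decide(votes):
    """Model of the decision manager's counting: granted only if at least one
    voter granted and none denied; all voters abstaining is a denial too."""
    denied, granted = votes.count("DENY"), votes.count("GRANT")
    abstained = votes.count("ABSTAIN")
    summary = "(%d denied, %d granted, %d abstained)" % (denied, granted, abstained)
    if denied == 0 and granted > 0:
        return True, "Access granted " + summary
    return False, "Access denied " + summary


def check_access(policy, roles, class_name):
    """Decide whether an account holding `roles` may call into `class_name`."""
    resources = matching_resources(policy, class_name)
    if not resources:
        # Assumption: a method matched by no resource is never intercepted.
        return True, "not protected by any resource"
    return decide([policy_vote(policy, roles, resources)])


def without_acl(policy, role):
    """Copy of `policy` with the ACL block of `role` dropped (illustration of
    an ACL entry that never made it into the parsed policy)."""
    stripped = copy.deepcopy(policy)
    stripped["acls"].pop(role, None)
    return stripped


if __name__ == "__main__":
    admin_cls = r"F3\Tutorials\Controller\Admin\UserController"
    dash_cls = r"F3\Tutorials\Controller\DashboardController"
    for policy, roles, cls in [
        (POLICY, ["Administrator"], admin_cls),
        (POLICY, ["Editor"], dash_cls),
        (POLICY, ["Editor"], admin_cls),
        (without_acl(POLICY, "Editor"), ["Editor"], dash_cls),
    ]:
        ok, message = check_access(policy, roles, cls)
        print("%-14s %-48s %s" % (",".join(roles), cls, message))
```

Running it prints one line per case; the last case reproduces the "0 denied, 0 granted, 1 abstained" wording, which shows that this message means nobody had an opinion on the join point rather than that a DENY entry fired. When debugging a policy, it is therefore worth checking separately that the resource pattern matches the controller class at all and that the parsed ACL block for the role actually contains an entry for that resource.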