role inheritance and ZendDeveloperToolbar about rbacuserdoctrineorm HOT 14 CLOSED

Hi,

I've had a look at the issue here,
firstly I notice you are using the role_parent_id incorrectly,
'member' should have 'admin' as a parent, or in other words member is a child role for admin,
this way you can have the admin role extend from multiple child roles, gaining all their permissions.

That said, I installed ZendDeveloperToolbar and see only one role when im loggen in:

I can also not locate a case where RecursiveIterator is throwing the exception. Could you maybe provide the code in which the issue occurs? It might give me more insight.

from rbacuserdoctrineorm.

Hello Jan,

seems that I am missing something important here.

In general I started with the ZF2-Tutorial and followed the installation instructions for all the modules involved (except that I cannot use composer - don't ask why ;-) ).

I changed the inheritance in my MySQL database as follows, but still have the error message:

INSERT INTO `rbac_role` (`role_id`, `parent_role_id`, `role_name`) VALUES
(1, NULL, 'guest'),
(2, 1, 'member'),
(3, 2, 'admin');

This is what I have in my zfcrbac.global.conf:

<?php
$settings = array(
    'anonymousRole' => 'guest',
    'firewallRoute' => true,
    'firewallController' => true,
    'template' => 'error/403',
    'enableLazyProviders' => true,
    'firewalls' => array(
        'ZfcRbac\Firewall\Controller' => array(
            array('controller' => 'index', 'actions' => 'index', 'roles' => 'guest'),
        ),
        'ZfcRbac\Firewall\Route' => array(
            array('route' => 'profiles/add', 'roles' => 'member'),
            array('route' => 'member',       'roles' => 'admin'),
            array('route' => 'album/*',      'roles' => 'member'),
        ),
    ),
    'providers' => array(
        'ZfcRbac\Provider\AdjacencyList\Role\DoctrineDbal' => array(
            'connection' => 'doctrine.connection.orm_default',
            'options' => array(
                'table'       => 'rbac_role',
                'id_column'   => 'role_id',
                'name_column' => 'role_name',
                'join_column' => 'parent_role_id'
            )
        ),
        'ZfcRbac\Provider\Generic\Permission\DoctrineDbal' => array(
            'connection' => 'doctrine.connection.orm_default',
            'options' => array(
                'permission_table'       => 'rbac_permission',
                'role_table'             => 'rbac_role',
                'role_join_table'        => 'rbac_role_permission',
                'permission_id_column'   => 'perm_id',
                'role_id_column'         => 'role_id',
                'permission_join_column' => 'perm_id',
                'role_join_column'       => 'role_id',
                'permission_name_column' => 'perm_name',
                'role_name_column'       => 'role_name'
            )
        ),
    ),
    'identity_provider' => 'standard_identity',
);
$serviceManager = array(
    'factories' => array(
        'standard_identity' => function ($sm) {
                $roles = array('guest', 'member', 'admin');
                $identity = new \ZfcRbac\Identity\StandardIdentity($roles);
                return $identity;
        },
    )
);
return array(
    'zfcrbac'         => $settings,
    'service_manager' => $serviceManager,
);

The 'standard_identity' factory is a relict of the ZfcRbac installation, but doesn't make sense here this way as the roles are retrieved from the database.
If I pass an empty array to the StandardIdentity, the error message vanishes but I still have doubled roles in the toolbar.

Cheers,
LowTower.

from rbacuserdoctrineorm.

Regarding the toolbar:
I find all roles defined in the database under "Identity Roles Assigned" and the role "guest" is doubled.
If I login as admin, nothing changes here.

from rbacuserdoctrineorm.

Okay,
don't have my best day ;-)

Seems that i have to set "zfcuser_auth_service" as 'identity_provider'.
This done, the following happens:

• NOT logged in, on an unsecured site: "Identity Roles Assigned: No Roles Assigned"
• LOGGED IN, on an unsecured site: "Identity Roles Assigned: No Roles Assigned" - same as above
• LOGGED IN, on a SECURED site (zfcadmin): "Identity Roles Assigned: admin" - okay
• LOGGED IN, on a SECURED site (album): "Fatal error: Uncaught exception 'UnexpectedValueException' with message 'Objects returned by RecursiveIterator::getChildren() must implement RecursiveIterator'"

zfcadmin is secured with role 'admin', whereas 'album' is secured with role 'member'.

Still don't get the point :-(

from rbacuserdoctrineorm.

Hi,
Could you remove the provider config, the identity_provider and the service_manager config from your file above as these are setup by this module, that will get things running again without errors I believe. then all you have to figure out is how to get zfcuser to login as a guest by default so that its permissions are loaded automatically or get ZfcRabc to do so if you want permissions to be set on a guest role (if not the controller method hasRole('guest') should resolve as true), I havn't played with that yet, so won't be able to point you in the right direction there, let me know if that solved the issue

from rbacuserdoctrineorm.

Hi Jan,

thanks for Your effort.
Nothing significantly changed with Your proposals.
BTW: shouldn't the provider, the identity_provider and service_manager be overwritten if the order of the modules in the application.config.php is correct.

I have set up a completely new project with the zf2-tutorial-repository and the RbacUserDoctrine-Module (and their requirements) with composer this time.

Still, on an unsecured site, no "No Roles Assigned".
Then, not logged in on a secured site, I get:
Notice: Undefined variable: identity in .../vendor/zf-commons/zfc-rbac/view/error/403.phtml on line 2 Fatal error: Call to a member function getRoles() on a non-object in /srv/www/htdocs/web222/html/0_domains/lacms/zf2-tutorial2/vendor/zf-commons/zfc-rbac/view/error/403.phtml on line 2
Now, when I am logged in as role admin and browse to a site that is secured with the role member, the toolbar says I am admin (Yeah), but the view says the following:
Identity (with roles Warning: implode(): Invalid arguments passed in .../vendor/zf-commons/zfc-rbac/view/error/403.phtml on line 6 ) is not authorized to access album.
The role admin inherits from member - so it should be allowed to access the site as well.
Secondly, there seems to be an array expected for $identity->getRoles()which should then be imploded.
What is returned is an instance of Doctrine\ORM\PersistentCollection

Try to set up a github repository with my files the next days.
Would be nice if You could then look over it.

Thanks so far and in advance,
cheers,
LowTower.

from rbacuserdoctrineorm.

Hello Jan,

i have cloned the original zf2-tutorial and made some modifications to demonstrate the strange behaviour of RbacUserDoctrine or my overwhelming stupidity ;-)

My repository is named zf2-tutorial as well.

It would be nice if You could:

• download the master.zip
• run composer
• adjust the database credentials to Your needs
• run Your sql file vendor/esserj/rbac-user-doctrine-orm/data/schema-full.sql
• run my sql file data/data.sql
• goto /user and sign-in as [email protected] with password 123456
• check the assigned role in the toolbar (I expect "admin" but "No Role Assigned" appears)
• goto home and check the assigned role in the toolbar ("No Role Assigned" appears)
• goto /album (a php warning appears Warning: implode(): Invalid arguments passed ...)
• check the assigned role in the toolbar ("admin" appears)
• goto /user and check the assigned role in the toolbar (I still expect "admin" but "No Role Assigned" appears)
• sign-out
• goto /admin and/or album/add (I expect the sites to be protected by the route firewall)
• help me out ;-)

from rbacuserdoctrineorm.

Any comments???

from rbacuserdoctrineorm.

I have the same issue. Was there a resolution to this by chance?

from rbacuserdoctrineorm.

Hi Rob, sorry for the late response, got a little too busy to do anything else but work after hours,
I'm cloning your repo tonight and try and see what's wrong and why

from rbacuserdoctrineorm.

Hi again,
I had a look at what was going wrong and notices you still had the role hierarchy wrong although I did try and explain how it should be setup, find the query below that you should use to insert data into the table (truncate first or you will get duplicate key errors)

INSERT INTO `rbac_role` (`role_id`, `parent_role_id`, `role_name`) VALUES
(1, 2, 'guest'),
(2, 3, 'member'),
(3, NULL, 'admin');

as you can see in that case member has no parent and thus it means that no Role has admin as a child, making it the highest available role in the table, member being the next highest (it only has admin (id:2) as a parent.
What this means it that in this case when you are an admin any roles having admin as a parent will be considered roles the admin has as well, and because the admin has member the same logic applies to the member role (in that is has guest) and thus an admin has both member and guest roles.

Now, because RbacUserDoctrineOrm as the name suggest is a Doctrine module, it expects doctrine database connection configuration to be setup, I didn't take that up in the Readme as its actually part of Doctrine setup, but I will update the readme to make sure it clear even for those not going to the doctrine pages.
To get your doctrine setup, put the following in your config/autoload/local.php (but as long as you still need the other DB connection leave it in as well)

'doctrine' => array(
        'connection' => array(
            // default connection name
            'orm_default' => array(
                'driverClass' => 'Doctrine\DBAL\Driver\PDOMySql\Driver',
                'params' => array(
                    'host'     => 'localhost',
                    'port'     => '3306',
                    'user'     => '',//put user
                    'password' => '',//put pass
                    'dbname'   => 'zf2tutorial',
                )
            )
        )
    )

Now because we don't want any DB overhead (having to load roles even though they are not needed) you will only see the toolbar display roles for those pages that are role protected, though if you would do anything that loads roles (like $this->hasRole('member') in your controller methods that are not protected you would also see the highest role available.

Last but not least I noticed that the ZfcRbac view that is displayed when you don't meet the requirements for a given page is not compatible with my Role object (it does an implode) so it was good that I had a peak into your project as I wouldn't have picked that up otherwise!

Let me know if you need more help!

as a side note you were missing the album table definition in your sql

Cheers!
Jan

from rbacuserdoctrineorm.

I've updated the framework to now have a 403 template that supports \Doctrine\ORM\PersistentCollection objects

from rbacuserdoctrineorm.

Hello Jens,

thanks a lot for Your feedback!

Of course, I had set the database credentials for Doctrine as well.

Don't know why I had a mix in the inheritance again, but I am sure I checked both "directions".

Now, with Your changes and the correct inheritance row, everything is fine.

Cheers,
LowTower.

from rbacuserdoctrineorm.

Good to hear! have fun learning ZF2!

from rbacuserdoctrineorm.