After installing this module the suggested way I keep running into this error:

Fatal error: Uncaught exception 'Zend\ServiceManager\Exception\ServiceNotCreatedException' with message 'While attempting to create zfcrbacservicerbac(alias: ZfcRbac\Service\Rbac) an invalid factory was registered for this instance type.' in C:\xampp\htdocs\portal\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php:845 Stack trace: #0 C:\xampp\htdocs\portal\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(487): Zend\ServiceManager\ServiceManager->createFromFactory('zfcrbacservicer...', 'ZfcRbac\Service...') #1 C:\xampp\htdocs\portal\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(442): Zend\ServiceManager\ServiceManager->create(Array) #2 C:\xampp\htdocs\portal\vendor\ZfcRbac\src\ZfcRbac\Module.php(26): Zend\ServiceManager\ServiceManager->get('ZfcRbac\Service...') #3 [internal function]: ZfcRbac\Module->onBootstrap(Object(Zend\Mvc\MvcEvent)) #4 C:\xampp\htdocs\portal\vendor\zendframework\zendframework\library\Zend\EventManager\ in C:\xampp\htdocs\portal\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php on line 845

Is this error related to the module or has it to do with something going on in the 2.1.*dev ?
Any light that can be shined on fixing this would be rgeatly appreciated.

I must admit that I modified the code to make the firewall work with permissions instead roles.
I made a mistake in Providers/permission config array (I added something like 'permission'=>array('role1') instead of 'role1'=>array('permission')).
With this error, Zend's rbac object should throw an exception complaining that the role doesn't exist.
But what I saw was... silence. The page renders normally, but the firewall just doesn't work and it gives me NO error, nothing whatsoever. It's really confusing and I wasted time "chasing" the issue, I really don't know what's wrong with the firewall.
Then I got the root cause and I noticed the crazy try-catch clause in the firewall listener. It's the one which hid the error message.
So what's the point? Is it a work-in-progress or something?

Hey,

I'm not sure if I did something wrong, but nothing worked until I changed the "return true" to "return false" in ZfcRbac/Firewall/Controller line 52.

This was my setup in global conf:

return array(
'zfcrbac' => array(
'firewalls' => array(
'ZfcRbac\Firewall\Controller' => array(
array('controller' => 'Note\Controller\Note', 'actions' => 'index', 'roles' => array('guest','member'))
),
),
'firewallController' => true,
'providers' => array(
'ZfcRbac\Provider\Generic\Role\InMemory' => array(
'roles' => array(
'admin',
'member' => array('admin'),
'guest' => array('member'),
),
),
),
'identity_provider' => 'standard_identity'
),
'service_manager' => array(
'factories' => array(
'standard_identity' => function ($sm) {
$roles = array('guest','member','admin');
$identity = new \ZfcRbac\Identity\StandardIdentity($roles);
return $identity;
}
),
),

);

Good morning.

The Standard Identity definition is unnecessary, and a better way for using ZfcRbac with ZfcUser is to define the 'auth_zfcuser_service' as default identity provider, since it's inherit from IdentityInterface and if it's null, the Rbac setIdentity function will switch to a standardidentity with the default anonymous role.

Some users add a closure between the two case in the config file and its a very bad way since its create a bug when the config_cache is enabled.

Did you choose this way for another reason that i missed it?

i am getting this error ... any help please

Uncaught exception 'Zend\ServiceManager\Exception\ServiceNotCreatedException' with message 'While attempting to create zfcrbacservicerbac(alias: ZfcRbac\Service\Rbac) an invalid factory was registered for this instance type.' in C:\home\test\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php:864 Stack trace: #0 C:\home\test\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(487): Zend\ServiceManager\ServiceManager->createFromFactory('zfcrbacservicer...', 'ZfcRbac\Service...') #1 C:\home\test\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php(437): Zend\ServiceManager\ServiceManager->create(Array) #2 C:\home\test\module\ZfcRbac\src\ZfcRbac\Module.php(26): Zend\ServiceManager\ServiceManager->get('ZfcRbac\Service...') #3 [internal function]: ZfcRbac\Module->onBootstrap(Object(Zend\Mvc\MvcEvent)) #4 C:\home\test\vendor\zendframework\zendframework\library\Zend\EventManager\EventManager.php(464): call_user_fu in C:\home\test\vendor\zendframework\zendframework\library\Zend\ServiceManager\ServiceManager.php on line 864

Any help!

Hey team,

I'm trying to makes some modifications to ZfcRbac so that it redirects to login on a 403 error but can't seem to make it happen. I had thought that I could fire an event on

public function onBootstrap(mvcEvent $e)
    {
        $sharedEvents = $e->getApplication()->getEventManager();
        $sharedEvents->attach('ZfcRbac', 'dispatch.error', 'doStuff', 100);
    }

But this doesn't seem to work. Is there an easier solution, or could you point me towards some code to make this happen?

I wonder if it is possible to create a role provider with support for multiple inheritance and if it follows the concept of RBAC.

function get RBac, catch block, lines 302-306

InvalidArgumentException is unknown and not present in Exception dir
$e is undefined
$mvcEvent is undefined

Hello,

We are using ZfcRbac in our applications, but we need a stable release.
Could you please tag a version (release-1.0.0 for example) ?

If you set 'anonymousRole' to 'thisIsNotARole' in the modules config, the Controller Firewall Listener will default to "return" rather than restrict acces as can be seen here

I would suggest re-structuring the code from:

try {
        if (!$rbacService->getFirewall('controller')->isGranted($resource)) {
            $e->setError($rbacService::ERROR_CONTROLLER_UNAUTHORIZED)
              ->setParam('identity', $rbacService->getIdentity())
              ->setParam('controller', $controller)
              ->setParam('action', $action);

            $app->getEventManager()->trigger('dispatch.error', $e);
        }
    } catch (InvalidArgumentException $e) {
        return;
    }

To something more like

try {
    if ($rbacService->getFirewall('controller')->isGranted($resource)) {
        return;
    }
} catch (InvalidArgumentException $e) {
}
try {
     $e->setError($rbacService::ERROR_CONTROLLER_UNAUTHORIZED)
              ->setParam('identity', $rbacService->getIdentity())
              ->setParam('controller', $controller)
              ->setParam('action', $action);
            $app->getEventManager()->trigger('dispatch.error', $e);
} catch (InvalidArgumentException $e) {
    return;
}

Currently, the entity (https://github.com/ZF-Commons/ZfcRbac/blob/master/data/Role.php.dist) does not have a OneToMany association set on "children".

Currently the db relies on doctrine, which is annoying if you already use zend\db
it would be nice if there would be a implementation for a zend's db provider.

Hi,

I thought this morning about adding some assertions for REST authentication in our ZfrRest module. However, I realized that some code is "duplicated" in Zend\Permissions\Rbac and ZfcRbac. For instance, writing an assertion that implements Zend\Permissions\Rbac\AssertionInterface (https://github.com/zendframework/zf2/blob/develop/library/Zend/Permissions/Rbac/AssertionInterface.php) won't work within ZfcRbac because assertions uses another interface (https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Assertion/AssertionInterface.php).

This makes everything more complicated because, basically, I need to add a dependency to ZfcRbac in ZfrRest, while it would be much more flexible if I could add a generic AssertionInterface that would work in any other modules that use Rbac, even if it does not use ZfcRbac.

Can't we, to some point, homogeneize the use of interfaces ? Maybe ZfcRbac\Service\Rbac could extend Zend\Permissions\Rbac to some point ?

I'll try to work on it today if I can find some merging points...

I want to protect all my controllers and actions without having to use the plugin on startup of the controller. What is the recommended method for doing this?
Is it possible to get the "Firewalls" dynamically from the database?

Sorry for my bad english, I'm brazilian

I not found any Database Structure for doctrine

I was thinking, you have logic in Firewalls to filter out traffic based on roles. Wouldn't this be better suited for a "Permission" than it would a role, then all roles that had that permission would be allowed to see that route or controller.

I just feel that we are mixing concepts here... Roles should be groups of permissions, not permissions in of themselves. For instance, for the admin/* route, there should be a permission "USE_ADMIN_ABILITIES", and if that is added as part of role "Admin" or role "Guest", that should be up to the person implementing

Thoughts?

Hi,
I don't get to use entities provided in datas, especially Role.php.

For example, permissions don't seem to be collected properly : inherited permissions are missing.

I implementing a messy Role.php but i think it's a good idea to extend AbstractRole as it's suggested but I don't find what's missing.

Thanks

Hi,

I have two questions about the new 1.0 version, which seems quite promising.
1- how to use it with ZfcUser ? The old configuration 'identity_provider' => 'zfcuser_auth_service' seems to be broken.
2- the hasRole service seems to have disappeared : how to replace it ?

Thanks !

It seems that roles are not added to the Permission\Rbac class.

Simple use case: add a firewall route, and add a simple var-dump to "isGranted" from ZfcRbac\Service\Rbac, it's never called. As this is the one that adds the role, of course it's problematic, as it never has role, so every route/controller that is set up is AWLAYS block.

Hi, what about adding ON UPDATE and ON DELETE clause to the foreign keys? I propose these settings:

ALTER TABLE rbac_role
ADD CONSTRAINT rbac_role_ibfk_1 FOREIGN KEY (parent_role_id) REFERENCES rbac_role (role_id) ON UPDATE CASCADE ON DELETE SET NULL;

and

ALTER TABLE rbac_role_permission
ADD CONSTRAINT rbac_role_permission_ibfk_1 FOREIGN KEY (role_id) REFERENCES rbac_role (role_id) ON UPDATE CASCADE ON DELETE CASCADE,
ADD CONSTRAINT rbac_role_permission_ibfk_2 FOREIGN KEY (perm_id) REFERENCES rbac_permission (perm_id) ON UPDATE CASCADE ON DELETE CASCADE;

Otherwise you can't even delete a role containing a parent role because of the foreign key constraint.

Question: Could I make those changes and push those to the repo? How does this work, any links, buzzwords to google for?

isn't it better to change to long-form "<?php echo" since zf2 works with 5.3 and it is disabled by default, you may want to read this link:
http://stackoverflow.com/a/1386627/575447
and this one
http://php.net/manual/en/function.echo.php
for example on the server I use it is disabled, and I agree it is better to use the thing that will work for sure, right?
the file I am reporting is "ZfcRbac/view/error/403.phtml"

Hi,
I am trying to write a Firewall which gets its information from the EntityManager. This is unfortunately impossible, because RbacFactory has no DependencyInjection whatsoever for Firewalls.

You will find a PullRequest fixing this issue soon.

Hey.

Why are the Firewalls not being created by a factory method receiving the service locator, like it's done for providers ?

I am especially using the controller firewall. I did set up everything for working with doctrine entities. My rules need also to be created with entities from database. I need the service locator for it in order to inject my "RuleRepository" into firewall.

My suggestion for making this possible is to change ZfcRbac\Service\RbacFactory like this.
Line 26 -28 from:
foreach($options->getFirewalls() as $class => $config) {
$rbac->addFirewall(new $class($config));
}
To:
foreach($options->getFirewalls() as $class => $config) {
$rbac->addFirewall($class::factory($sl, $config));
}

Let me know if theres another way to do this or if I could help you to improve ZfcRbac (with my beginner knowledge).

Don't you think this should be integrated to ZF 2 ? currently, the implementation in ZF 2 is quite "useless" on its own. This module is really great from what I've seen. Of course some part (like the DBAL implementation) should be in a module, but at least the firewalls, providers, helpers/plugins should be in ZF 2.

Don't you think ?

EVENT_HAS_ROLE never triggered when calling isGranted method in ZfcRbac/Service/Rbac.php
Check code at line 177 https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Service/Rbac.php#L177.
May be the line

if (!$rbac->hasRole($role)) 

should be replaced with

if (!$this->hasRole($role)) 

My IDE (PHPStorm) complains about an abstract static function. It does not throw an error but says this is not a recommanded practice. I think we should follow ZF pattern and have a Factory class instead.

What do you think ?

Bug Description

When I use the following doctrine entity as the identity provided to ZfcRbac ZfcRbac\Service\Rbac throws the following exception:

Fatal error: Uncaught exception 'Zend\Permissions\Rbac\Exception\InvalidArgumentException' with message 'Expected string or implement \Zend\Permissions\Rbac\RoleInterface' in [...]/vendor/zendframework/zendframework/library/Zend/Permissions/Rbac/Rbac.php on line 106

It is caused by the explicit (array) cast in ZfcRbac\Service\Rbac::hasRole():

[...]
   foreach((array) $this->getIdentity()->getRoles() as $userRole) {
[...]

as getRoles() returns a Doctrine\ORM\PersistentCollection and does not cast right to an array although it is iterable like an array (implements ArrayAccess). Removing the (array) cast lets to have roles.

Used Classes and Configuration

Identity entity:

use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity
 * @ORM\Table(name="users")
 *
 * @property string $name
 * @property string $email
 * @property int $id
 */
class User extends AbstractEntity implements \ZfcRbac\Identity\IdentityInterface {
    /**
     * @ORM\Id
     * @ORM\Column(type="integer");
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    /**
     * @ORM\Column(type="string");
     *
     * @var string
     */
    protected $name;

    /**
     * @ORM\Column(type="string",length=50,unique=true);
     *
     * @var string
     */
    protected $username;

    /**
     * @ORM\Column(type="string",length=100,nullable=true);
     *
     * @var string
     */
    protected $password;

    /**
     *
     * @todo comment
     *
     * @ORM\ManyToMany(targetEntity="\FworkAdmin\Entity\Role")
     * @var array:string
     */
    protected $roles;

    public function isPlainPassword($plainPassword)    {
        return $plainPassword == $this->getPassword();
    }
    /* (non-PHPdoc)
     * @see \ZfcRbac\Identity\IdentityInterface::getRoles()
     */
    public function getRoles()    {
        return $this->roles;
    }
}

Role entity:

use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity
 * @ORM\Table(name="roles")
 */
class Role extends \Application\Entity\AbstractEntity implements
        \Zend\Permissions\Rbac\RoleInterface
{

    /**
     * @ORM\Id
     * @ORM\Column(type="integer");
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    /**
     * @ORM\Column(type="string",length=100,unique=true);
     *
     * @var string
     */
    protected $name;

    /**
     * @ORM\ManyToOne(targetEntity="Role")
     * @ORM\JoinColumn(name="parent_role_id", referencedColumnName="id")
     *
     * @var int
     */
    protected $parent_role;

    /**
     * @ORM\ManyToMany(targetEntity="Permission")
     */
    protected $permissions;

    /**
     * Get the name of the role.
     *
     * @return string
     */
    public function getName()    {
        return $this->name;
    }

    /**
     * Add permission to the role.
     *
     * @param
     *            $name
     * @return RoleInterface
     */
    public function addPermission($name)    {
    }

    /**
     * Checks if a permission exists for this role or any child roles.
     *
     * @param string $name
     * @return bool
     */
    public function hasPermission($name) {
    }

    /**
     * @param RoleInterface|string $child
     * @return Role
     */
    public function addChild($child) {       
    }

    /**
     * @param RoleInterface $parent
     * @return RoleInterface
     */
    public function setParent($parent)   {
        $this->parent_role = $parent;
    }

    /**
     * @return RoleInterface
     */
    public function getParent() {
        return $this->parent_role;
    }
}

module.zfcrbac.global.php:

return array(
    'zfcrbac' => array(
        'firewallRoute' => true,
        'firewallController' => true,
        'firewalls' => array(
            'ZfcRbac\Firewall\Controller' => array(
                array(
                    'controller' => 'index',
                    'actions' => 'index',
                    'roles' => 'guest'
                )
            ),
            'ZfcRbac\Firewall\Route' => array(
                array(
                    'route' => 'admin/*',
                    'roles' => 'admin'
                ),
                array(
                    'route' => 'setup/*',
                    'roles' => 'admin'
                )
            )
        ),

        'providers' => array(
            'ZfcRbac\Provider\AdjacencyList\Role\DoctrineDbal' => array(
                'connection' => 'doctrine.connection.orm_default',
                'options' => array(
                    'table' => 'roles',
                    'id_column' => 'id',
                    'name_column' => 'name',
                    'join_column' => 'parent_role_id'
                )
            ),
            'ZfcRbac\Provider\Generic\Permission\DoctrineDbal' => array(
                'connection' => 'doctrine.connection.orm_default',
                'options' => array(
                    'permission_table' => 'permissions',
                    'role_table' => 'roles',
                    'role_join_table' => 'role_permission',
                    'permission_id_column' => 'id',
                    'permission_join_column' => 'permission_id',
                    'role_id_column' => 'id',
                    'role_join_column' => 'role_id',
                    'permission_name_column' => 'name',
                    'role_name_column' => 'name'
                )
            )
        )
    ),
    'service_manager' => array(
        'factories' => array(
            'ZfcRbac\Firewall\Listener\Route' => '',
            'standard_identity' => function ($sm)
            {
                $roles = array('guest','member','admin');
                $identity = new \ZfcRbac\Identity\StandardIdentity($roles);
                return $identity;
            }
        )
    )
);

There are entries in user table and role table ('admin','guest','member'). The user has a role 'admin'

How can I setup a default Zend Adapter if I want to avoid using Doctrine ?

As the title states, forward() is not being monitored by guards. I think that this is an security issue, because widgetized applications could run into problems.

return $this->forward()->dispatch('ForwardedController');

The problem exists with both the Controller- as well as the RouteGuard. I think it will be impossible to make the RouteGuard capable of this, since dispatch explicitly calls an controller, but I think it should at least work for the ControllerGuard.

This is especially problematic for aliases (see e.g. drupal), since a user could specify an alias from /alias/my/attack to /admin/delete-everything and run it without the required permissions, altough /admin/delete-everything requires admin rights.

This is of course an extreme edge case, because most aliases work with an auto-alias where you can specify only the alias, not the source, but nethertheless I think this should be fixed (if possible, I don't really like the forward plugin that much and feel of it as kinda hacky).

Is this correct ? The assertion expects a Permission\Rbac but you give a Service\Rbac https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Service/Rbac.php#L148

https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Service/RbacFactory.php#L38

The 'identity' was initial on bootstrap, This may not be what I need in some code

It would be nice to have a tag'd version of this module that does not require a dev version of ZF2. My dilemma is that I have moved from SpiffySecurity to this module, which has forced me into a dev version of zf2.

I'm not sure about the naming of those events : https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Provider/Event.php

According to ZF 2, it should be hasRole, isGranted... (ZF 2 has loadModules, loadModule...).

Hello, is it possible to tag a new version to include the last modifications that were merged ?

Thanks in advance.

The module should retrieve the identity using the Zend\Authentication\AuthenticationService by default (starting from 2.1, identity helper and identity controller plugin assume that too).

In the beta, we try to put in cache (https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Permission/PermissionLoaderListener.php#L114) entities, that may contain non-initialized PersistentCollection. IT seems the wrong way to do it, as the application crashes.

@Ocramius, an idea?

When trying to update an user, I get: "A new entity was found through the relationship 'User\Entity\Role#permissions' that was not configured to cascade persist operations for entity: controller.user\controller\usercontroller.settings. To solve this issue: Either explicitly call EntityManager#persist() on this unknown entity or configure cascade persist this association in the mapping for example @manytoone(..,cascade={"persist"})."

Obviously, the User has a m:n relation to Role and Role has a m:n relation to Permission. The Controller throwing the exception is User\Controller\UserController::settingsAction().

My zfcrbac config looks like this:

return [
    'zfc_rbac' => [
        'role_providers' => [
            'ZfcRbac\Role\ObjectRepositoryRoleProvider' => [
                'object_manager' => 'doctrine.entitymanager.orm_default',
                'class_name' => 'User\Entity\Role'
            ]
        ],
        'protection_policy' => GuardInterface::POLICY_ALLOW
    ]
];

Role:addPermission:

public function addPermission($name)
    {
        $permission = new Permission();
        $permission->setName($name);
        $this->permissions->add($permission);
        return $this;
    }

The problem originates in ControllerGuard::isGranted() / RouteGuard::isGranted()

// Load the needed permission inside the container
$this->loadRule($allowedRoles, $permission);

I am unsure if this is expected behaviour (guards persisting permissions) but it doesn't seem to me that way.

    /**
* @return ZendRbac
*/
    public function getRbac()
    {
        if (null === $this->rbac) {
            $this->rbac = new ZendRbac();

            $event = new Event;
            $event->setRbac($this->rbac);

            try {
                $this->getEventManager()->trigger(Event::EVENT_LOAD_ROLES, $event);
                $this->getEventManager()->trigger(Event::EVENT_LOAD_PERMISSIONS, $event);
            } catch (Exception\InvalidArgumentException $ex) {
                $app = $e->getTarget();
                $mvcEvent->setError($rbacService::ERROR_RUNTIME)
                    ->setParam('message', 'Roles or Permissions configuration error');
                $app->getEventManager()->trigger('dispatch.error', $mvcEvent);
            }
        }
        return $this->rbac;
    }

https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Service/Rbac.php#L303

Line:303: $e->getTarget(); // $e is undefined variable

Line 304: $mvcEvent->setError($rbacService::ERROR_RUNTIME)
$mvcEvent and $rbacService are undefined variables

As ZF2 is now stable, many people will be requiring specific or at least released version of ZF in their composer.json.

Can we change the dev-master requirement to 2.* or 2.0.*?

Controller\Plugin\IsGranted only allows you to check for permission and not use an assertion. Is this intentional?

Hi,

@spiffyjr , ocramius is doing something interesting in some of his module, I think we could do the same here, but I need your point of view. Instead of setting a dependency to the whole zendframework framework (https://github.com/ZF-Commons/ZfcRbac/blob/master/composer.json#L19), it could be good to have only dependencies with the part of the framework we are using (so in the case of ZfcRbac, zend-servicemanager, zend-permissions and may be one or two others).

What do you think ? This way people who want to use ZfcRbac as a standalone can do it without downloading tons of unused files.

Hi,
I am trying to use the Lazy provider 'ZfcRbac\Provider\NestedSet\Lazy\DoctrineDbal'.
the load api seems to be based on other schema specification (check generated sql statement, used column names ...)

example(the role column name is role_name but in the api trying to use name ...).
So as result, the api is not working at all with sql exceptions.

Could some one have a look or did I missed something?
Thanks
( version : "dev-master" )

I kinda expected this module to work out of the box with zero configuration. Instead I get a WSOD and the error:

Fatal error: Uncaught exception 'RuntimeException' with message 'An identity provider with the name "Zend\Authentication\AuthenticationService" does not exist' in /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php on line 737 

RuntimeException: An identity provider with the name "Zend\Authentication\AuthenticationService" does not exist in /var/www/reb/vendor/zf-commons/zfc-rbac/src/ZfcRbac/Service/RbacFactory.php on line 31 

Call Stack: 
0.0010 638536 1. {main}() /var/www/reb/public/index.php:0 
0.0179 941832 2. Zend\Mvc\Application::init() /var/www/reb/public/index.php:12 
0.5014 7783336 3. Zend\Mvc\Application->bootstrap() /var/www/reb/vendor/zendframework/zendframework/library/Zend/Mvc/Application.php:242 
0.5591 8737632 4. Zend\EventManager\EventManager->trigger() /var/www/reb/vendor/zendframework/zendframework/library/Zend/Mvc/Application.php:145 
0.5592 8738088 5. Zend\EventManager\EventManager->triggerListeners() /var/www/reb/vendor/zendframework/zendframework/library/Zend/EventManager/EventManager.php:208 
0.6960 10571944 6. call_user_func() /var/www/reb/vendor/zendframework/zendframework/library/Zend/EventManager/EventManager.php:464 
0.6961 10572000 7. ZfcRbac\Module->onBootstrap() /var/www/reb/vendor/zendframework/zendframework/library/Zend/EventManager/EventManager.php:
0 0.6962 10572152 8. Zend\ServiceManager\ServiceManager->get() /var/www/reb/vendor/zf-commons/zfc-rbac/src/ZfcRbac/Module.php:26 
0.6966 10573240 9. Zend\ServiceManager\ServiceManager->create() /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:437 
0.6967 10573320 10. Zend\ServiceManager\ServiceManager->createFromFactory() /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:487 
0.6986 10597056 11. Zend\ServiceManager\ServiceManager->createServiceViaCallback() /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:860 
0.6988 10597576 12. call_user_func() /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:730 
0.6988 10597648 13. ZfcRbac\Service\RbacFactory->createService() 

/var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:0 Zend\ServiceManager\Exception\ServiceNotCreatedException: An exception was raised while creating "ZfcRbac\Service\Rbac"; no instance returned in /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php on line 737 

Call Stack: 
0.0010 638536 1. {main}() /var/www/reb/public/index.php:0 
0.0179 941832 2. Zend\Mvc\Application::init() /var/www/reb/public/index.php:12 
0.5014 7783336 3. Zend\Mvc\Application->bootstrap() /var/www/reb/vendor/zendframework/zendframework/library/Zend/Mvc/Application.php:242 
0.5591 8737632 4. Zend\EventManager\EventManager->trigger() /var/www/reb/vendor/zendframework/zendframework/library/Zend/Mvc/Application.php:145 
0.5592 8738088 5. Zend\EventManager\EventManager->triggerListeners() /var/www/reb/vendor/zendframework/zendframework/library/Zend/EventManager/EventManager.php:208 
0.6960 10571944 6. call_user_func() /var/www/reb/vendor/zendframework/zendframework/library/Zend/EventManager/EventManager.php:464 
0.6961 10572000 7. ZfcRbac\Module->onBootstrap() /var/www/reb/vendor/zendframework/zendframework/library/Zend/EventManager/EventManager.php:
0 0.6962 10572152 8. Zend\ServiceManager\ServiceManager->get() /var/www/reb/vendor/zf-commons/zfc-rbac/src/ZfcRbac/Module.php:26 
0.6966 10573240 9. Zend\ServiceManager\ServiceManager->create() /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:437 
0.6967 10573320 10. Zend\ServiceManager\ServiceManager->createFromFactory() /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:487 
0.6986 10597056 11. Zend\ServiceManager\ServiceManager->createServiceViaCallback() /var/www/reb/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php:860

Also the documentation says something along the lines of:

The object returned by the identity provider must implement ZfcRbac\Identity\IdentityInterface.

Which clearly Zend\Authentication\AuthenticationService would not return. Any ideas?

Shouldn't it return a boolean here ? https://github.com/ZF-Commons/ZfcRbac/blob/master/src/ZfcRbac/Provider/NestedSet/Lazy/DoctrineDbal.php#L110

On the zend developer toolbar I see the "Your roles" section that the ZfcRbac module put there. But it's always empty.

Is this not fully implemented or do I have to configure something?

After checking the permissions with the IsGranted helper is there a way to reuse the Unauthorized Strategy in a controller to redirect to the custom 403?

Given the following settings:
Role Provider: ZfcRbac\Provider\AdjacencyList\Role\DoctrineDbal
Permission Provider: ZfcRbac\Provider\Generic\Permission\DoctrineDbal

Anonymous role (id): 'guest'
Administrator role (id): 'admin', admin inherits from 'guest' (e.g. access to login page, etc.)

Define a ROUTE Firewall:
'ZfcRbac\Firewall\Route' => array(
array('route' => 'admin', 'roles' => 'admin')
),

Then 'guest' users can access the route 'admin', bypassing the firewall!

I obviously missed discussion about this, but why isn't this module built into ZF2? I thought that was the original reason to get RBAC in 1.0.7 and 2.1.

I have all the packages required installed and the ZfcRbac seems to work using the configuration sample file from here (with the provider DoctrineDbal). I only want to combine my own module with ZfcUser and ZfcRbac, but I have no idea on how to specify to ZfcRbac to deny Controllers/Actions . Someone can provide an example of how to deny a user not logged in with the ZfcUser to any of my actions on the IndexController for the module MyTestModule ?

Thanks in advance