Question

I have a problem setting up proper rules in my application. The following is my code... I create roles, resources and restrictions... but... I expect 'consul' to be allowed to go to /mymodule but to be denied /mymodule/{add,edit,delete}... and likewise 'operat' to go everywhere except the delete controller of mymodule...

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource;

$acl = new Acl();

//creating roles
$guest  = new GenericRole('guest');
$consul = new GenericRole('consul');
$operat = new GenericRole('operat');
$admin  = new GenericRole('admin');

//adding roles (each role inherits from the previous one)
$acl->addRole($guest);
$acl->addRole($consul, 'guest');
$acl->addRole($operat, 'consul');
$acl->addRole($admin, 'operat');

//adding resources
$acl->addResource(new GenericResource('home'));
$acl->addResource(new GenericResource('application'));
$acl->addResource(new GenericResource('auth'));
$acl->addResource(new GenericResource('mymodule'));

//adding restrictions
$acl->allow('guest', 'home');
$acl->allow('guest', 'application');
$acl->allow('guest', 'auth');
$acl->deny('guest', 'mymodule');
$acl->allow('consul', 'mymodule');
$acl->allow('operat', 'mymodule', 'index');
$acl->deny('consul', 'mymodule', 'add');
$acl->deny('consul', 'mymodule', 'edit');
$acl->deny('consul', 'mymodule', 'delete');
$acl->allow('operat', 'mymodule');
$acl->deny('operat', 'mymodule', 'delete');
$acl->allow('admin');

Instead of the desired behavior, ZF2 does not permit 'consul' to view /mymodule, and if I try to debug I get the following (my code, with the result in the comment):

//some tests 
echo $acl->isAllowed('guest', 'mymodule') ? 'allowed' : 'denied';               // denied
echo $acl->isAllowed('guest', 'mymodule','index') ? 'allowed' : 'denied';       // denied
echo $acl->isAllowed('guest', 'mymodule','add') ? 'allowed' : 'denied';         // denied
echo $acl->isAllowed('consul','mymodule') ? 'allowed' : 'denied';               // denied
echo $acl->isAllowed('consul','mymodule','index') ? 'allowed' : 'denied';       // allowed
echo $acl->isAllowed('consul','mymodule','default') ? 'allowed' : 'denied';     // allowed
echo $acl->isAllowed('consul','mymodule','add') ? 'allowed' : 'denied';         // denied
echo $acl->isAllowed('consul','mymodule','edit') ? 'allowed' : 'denied';        // denied
echo $acl->isAllowed('operat','mymodule') ? 'allowed' : 'denied';               // denied
echo $acl->isAllowed('operat','mymodule','index') ? 'allowed' : 'denied';       // allowed
echo $acl->isAllowed('operat','mymodule','default') ? 'allowed' : 'denied';     // allowed
echo $acl->isAllowed('operat','mymodule','add') ? 'allowed' : 'denied';         // allowed
echo $acl->isAllowed('operat','mymodule','edit') ? 'allowed' : 'denied';        // allowed
echo $acl->isAllowed('operat','mymodule','delete') ? 'allowed' : 'denied';      // denied
echo $acl->isAllowed('admin','mymodule') ? 'allowed' : 'denied';                // allowed
echo $acl->isAllowed('admin','mymodule','index') ? 'allowed' : 'denied';        // allowed
echo $acl->isAllowed('admin','mymodule','default') ? 'allowed' : 'denied';      // allowed
echo $acl->isAllowed('admin','mymodule','add') ? 'allowed' : 'denied';          // allowed
echo $acl->isAllowed('admin','mymodule','edit') ? 'allowed' : 'denied';         // allowed
echo $acl->isAllowed('admin','mymodule','delete') ? 'allowed' : 'denied';       // allowed

Who can help me understand this strange behavior? Where is my fault?

Thank you in advance.


Solution

If you deny some privileges to the consul role on a resource, it will not be considered to have all privileges on that resource (which is what you ask when you do $acl->isAllowed('consul', 'mymodule')).

Basically, you need to allow a specific privilege (index for instance) and do your check on this privilege.
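A rule set written along the lines of this answer, as an added example (not the asker's code or the Zend project's own): every grant names a privilege, the request's action is looked up against a fixed list of known privileges before the ACL is asked, and the all-privileges query is never used as a gate. It assumes Composer autoloading of the ZF2 Zend\Permissions\Acl component and ZF2's rule resolution, where a role's own rules on a resource are consulted before those of its parent roles.

```php
<?php
// Added example; assumes vendor/autoload.php provides Zend\Permissions\Acl.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource;

$acl = new Acl();
$acl->addRole(new GenericRole('guest'));
$acl->addRole(new GenericRole('consul'), 'guest');
$acl->addRole(new GenericRole('operat'), 'consul');
$acl->addRole(new GenericRole('admin'), 'operat');

foreach (['home', 'application', 'auth', 'mymodule'] as $name) {
    $acl->addResource(new GenericResource($name));
}

$acl->allow('guest', ['home', 'application', 'auth']);
$acl->deny('guest', 'mymodule');                            // module is closed by default
$acl->allow('consul', 'mymodule', 'index');                 // grant named privileges only
$acl->deny('consul', 'mymodule', ['add', 'edit', 'delete']);
$acl->allow('operat', 'mymodule', ['add', 'edit']);         // operat's own rule beats the inherited deny
$acl->deny('operat', 'mymodule', 'delete');
$acl->allow('admin');
$acl->allow('admin', 'mymodule');                           // own rule on the resource, so operat's deny on delete is not inherited

// Privileges this module actually exposes; any other action fails closed.
$knownPrivileges = ['index', 'add', 'edit', 'delete'];

// Map one route action to one ACL privilege and check that privilege.
// Do not gate on isAllowed($role, 'mymodule') with no privilege: as soon as any
// per-privilege deny exists for the role, that query answers false.
function isActionAllowed(Acl $acl, $role, $resource, $action, array $known)
{
    if (!in_array($action, $known, true)) {
        return false;                                        // unknown action: deny, do not guess
    }
    return $acl->isAllowed($role, $resource, $action);
}

foreach ([['consul', 'index'], ['consul', 'add'], ['operat', 'edit'],
          ['operat', 'delete'], ['admin', 'delete'], ['consul', 'export']] as $case) {
    list($role, $action) = $case;
    printf("%-7s %-7s %s\n", $role, $action,
        isActionAllowed($acl, $role, 'mymodule', $action, $knownPrivileges) ? 'allowed' : 'denied');
}
// The coarse query stays false for operat even though it may use most of the module:
var_dump($acl->isAllowed('operat', 'mymodule'));
```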

Licensed under: CC-BY-SA with attribution