Skip to content

Security: Skip unregistered roles in ResourceAclHelper instead of crashing#8735

Open
addow wants to merge 1 commit into
chamilo:masterfrom
webstone:fix/resource-acl-unregistered-role
Open

Security: Skip unregistered roles in ResourceAclHelper instead of crashing#8735
addow wants to merge 1 commit into
chamilo:masterfrom
webstone:fix/resource-acl-unregistered-role

Conversation

@addow

@addow addow commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • ResourceAclHelper::isAllowed() iterates every role in $user->getRoles() and calls Acl::isAllowed($role, ...) for each, but the Laminas ACL registry (built in init()) only ever registers a small fixed set of resource-permission roles (ROLE_USER, ROLE_STUDENT, ROLE_CURRENT_COURSE_TEACHER, ...).
  • Any other role the user happens to carry - e.g. ROLE_SESSION_MANAGER, ROLE_PREVIOUS_ADMIN or ROLE_ALLOWED_TO_SWITCH, all present on an admin's token while using "Login as" - makes Laminas throw Acl\Exception\InvalidArgumentException("Role '...' not found"), crashing the whole request with a 500 instead of just being irrelevant to the resource-level permission check.
  • This affects any AbstractResource-backed resource (documents, forums, etc.) whenever the current user's Symfony role set contains a role the ACL never registered - most commonly while impersonating another user via "Login as".
  • Fix: skip roles the ACL hasn't registered via Acl::hasRole() instead of asking it about them.

Test plan

  • Added tests/CoreBundle/Helpers/ResourceAclHelperTest.php, reproducing the crash with a mocked user carrying ROLE_SESSION_MANAGER/ROLE_PREVIOUS_ADMIN/ROLE_ALLOWED_TO_SWITCH - fails before the fix, passes after.
  • vendor/bin/phpstan analyse clean on the changed file (pre-existing unrelated findings on lines untouched by this change were verified present before this diff too).

…shing

ResourceAclHelper::isAllowed() iterates every role in $user->getRoles()
and calls Acl::isAllowed($role, ...) for each, but the Laminas ACL
registry (built in init()) only ever registers a small fixed set of
resource-permission roles (ROLE_USER, ROLE_STUDENT,
ROLE_CURRENT_COURSE_TEACHER, ...).

Any other role the user happens to carry - e.g. ROLE_SESSION_MANAGER,
ROLE_PREVIOUS_ADMIN or ROLE_ALLOWED_TO_SWITCH, all present on an
admin's token while using "Login as" - makes Laminas throw
Acl\Exception\InvalidArgumentException("Role '...' not found"),
crashing the whole request with a 500 instead of just being irrelevant
to the resource-level permission check.

This affects any AbstractResource-backed resource (documents, forums,
etc.) whenever the current user's Symfony role set contains a role the
ACL never registered - most commonly while impersonating another user
via "Login as".

Fix: skip roles the ACL hasn't registered via Acl::hasRole() instead
of asking it about them.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant