Variable $roleParams not set before isset check in yii\filters\AccessRule::matchRole function
santilin opened this issue · comments
In the matchRole function of the AccessRule class, the variable $roleParams is not set before the isset($roleParams) condition.
The problematic code is:
if (!isset($roleParams)) {
$roleParams = !is_array($this->roleParams) && is_callable($this->roleParams) ? call_user_func($this->roleParams, $this) : $this->roleParams;
}
This code assumes that $roleParams is already defined, but it is not set anywhere before this condition.
Steps to Reproduce
- Set $this->roleParams to a non-array value (e.g., null, false, or a string) in your AccessRule configuration.
- Call the matchRole function with a user object that does not have the required permissions.
Expected Behavior
The matchRole function should handle the case where $this->roleParams is not an array or callable, and it should not assume that $roleParams is already defined.
Yii2 version: 2.0.50
PHP version: 8.3
Set $this->roleParams to a non-array value (e.g., null, false, or a string) in your AccessRule configuration.
$roleParams accepts only Closure or array, if you pass null, false, or a string, then it is a configuration error.
https://www.yiiframework.com/doc/api/2.0/yii-filters-accessrule#$roleParams-detail
Yet, ¿but what is the point of testing
not isset($roleParams)
when the local variable $roleParams is not defined?
That test will always return false.
It is inside of foreach, so it is empty for first iteration, but each next iteration will use already calculated value. In this way Closure is executed only once and only when it is actually needed.
Ah, ok, I didn't understand that.
Thanks.