Validate role column config strictly

dereuromark · dereuromark · commit f1d8b81d6739 · 2026-05-25T04:24:06.000+02:00
diff --git a/src/Auth/AclTrait.php b/src/Auth/AclTrait.php
@@ -552,12 +552,12 @@ protected function _getUserRoles(ArrayAccess|array $user) {
 		// Single-role from session
 		if (!$this->getConfig('multiRole')) {
 			$roleColumn = $this->getConfig('roleColumn');
-			if (!$roleColumn) {
+			if (!is_string($roleColumn) || $roleColumn === '') {
 				throw new CakeException('Invalid TinyAuth config, `roleColumn` config missing.');
 			}
 
 			// Check if the roleColumn is a dot notation path
-			if (str_contains((string)$roleColumn, '.')) {
+			if (str_contains($roleColumn, '.')) {
 				$role = Hash::get($user, $roleColumn);
 				if (!$role) {
 					throw new CakeException(sprintf('Missing TinyAuth role id field (%s) in user session', 'Auth.User.' . $roleColumn));
diff --git a/src/Auth/AllowTrait.php b/src/Auth/AllowTrait.php
@@ -97,7 +97,7 @@ protected function _isActionAllowed(array $rule, $action) {
 			return false;
 		}
 
-		return !(!in_array($action, $rule['allow'], true) && !in_array('*', $rule['allow'], true));
+		return in_array($action, $rule['allow'], true) || in_array('*', $rule['allow'], true);
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ protected function _isActionAllowed(array $rule, $action) {`
`97`	`97`	`return false;`
`98`	`98`	`}`
`99`	`99`
`100`		`- return !(!in_array($action, $rule['allow'], true) && !in_array('*', $rule['allow'], true));`
	`100`	`+ return in_array($action, $rule['allow'], true) \|\| in_array('*', $rule['allow'], true);`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`/**`