function setUp()
{
parent::setUp();
$acl = new lmbAcl();
$acl->addRole('boy');
$acl->addRole('man');
$acl->addResource('girl');
$acl->allow('boy', 'girl', 'sex');
$acl->allow('man', 'girl', 'marry');
$acl->addResource('vodka');
$acl->allow('man', 'vodka');
lmbToolkit::instance()->setAcl($acl);
$this->tags_dir = realpath(dirname(__FILE__) . '/../../../src/macro');
}
function testResourceInheritsMultiple()
{
$acl = new lmbAcl();
$acl->addResource('content');
$acl->addResource('articles');
$acl->addResource('news', array('content', 'articles'));
$inherits = $acl->getResourceInherits('news');
$this->assertTrue(in_array('articles', $inherits));
$this->assertTrue(in_array('content', $inherits));
}
function testAcceptance()
{
$acl = new lmbAcl();
$acl->addResource('content');
$acl->addRole('guest');
$acl->addRole('staff', 'guest');
$acl->addRole('editor', 'staff');
$acl->addRole('administrator');
// Guest may only view content
$acl->allow('guest', null, 'view');
// Staff inherits view privilege from guest, but also needs additional privileges
$acl->allow('staff', null, array('edit', 'submit', 'revise'));
// Editor inherits view, edit, submit, and revise privileges, but also needs additional privileges
$acl->allow('editor', null, array('publish', 'archive', 'delete'));
// Administrator inherits nothing but is allowed all privileges
$acl->allow('administrator');
// Access control checks based on above permission sets
$this->assertTrue($acl->isAllowed('guest', 'content', 'view'));
$this->assertFalse($acl->isAllowed('guest', 'content', 'edit'));
$this->assertFalse($acl->isAllowed('guest', 'content', 'submit'));
$this->assertFalse($acl->isAllowed('guest', 'content', 'revise'));
$this->assertFalse($acl->isAllowed('guest', 'content', 'publish'));
$this->assertFalse($acl->isAllowed('guest', 'content', 'archive'));
$this->assertFalse($acl->isAllowed('guest', 'content', 'delete'));
$this->assertFalse($acl->isAllowed('guest', 'content', 'unknown'));
$this->assertFalse($acl->isAllowed('guest'));
$this->assertTrue($acl->isAllowed('staff', 'content', 'view'));
$this->assertTrue($acl->isAllowed('staff', 'content', 'edit'));
$this->assertTrue($acl->isAllowed('staff', 'content', 'submit'));
$this->assertTrue($acl->isAllowed('staff', 'content', 'revise'));
$this->assertFalse($acl->isAllowed('staff', 'content', 'publish'));
$this->assertFalse($acl->isAllowed('staff', 'content', 'archive'));
$this->assertFalse($acl->isAllowed('staff', 'content', 'delete'));
$this->assertFalse($acl->isAllowed('staff', 'content', 'unknown'));
$this->assertFalse($acl->isAllowed('staff'));
$this->assertTrue($acl->isAllowed('editor', 'content', 'view'));
$this->assertTrue($acl->isAllowed('editor', 'content', 'edit'));
$this->assertTrue($acl->isAllowed('editor', 'content', 'submit'));
$this->assertTrue($acl->isAllowed('editor', 'content', 'revise'));
$this->assertTrue($acl->isAllowed('editor', 'content', 'publish'));
$this->assertTrue($acl->isAllowed('editor', 'content', 'archive'));
$this->assertTrue($acl->isAllowed('editor', 'content', 'delete'));
$this->assertFalse($acl->isAllowed('editor', 'content', 'unknown'));
$this->assertFalse($acl->isAllowed('editor'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'view'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'edit'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'submit'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'revise'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'publish'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'archive'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'delete'));
$this->assertTrue($acl->isAllowed('administrator', 'content', 'unknown'));
$this->assertTrue($acl->isAllowed('administrator'));
// Some checks on specific areas, which inherit access controls from the root ACL node
$acl->addResource('newsletter');
$acl->addResource('pending', 'newsletter');
$acl->addResource('gallery');
$acl->addResource('profiles', 'gallery');
$acl->addResource('config');
$acl->addResource('hosts', 'config');
$this->assertTrue($acl->isAllowed('guest', 'pending', 'view'));
$this->assertTrue($acl->isAllowed('staff', 'profiles', 'revise'));
$this->assertTrue($acl->isAllowed('staff', 'pending', 'view'));
$this->assertTrue($acl->isAllowed('staff', 'pending', 'edit'));
$this->assertFalse($acl->isAllowed('staff', 'pending', 'publish'));
$this->assertFalse($acl->isAllowed('staff', 'pending'));
$this->assertFalse($acl->isAllowed('editor', 'hosts', 'unknown'));
$this->assertTrue($acl->isAllowed('administrator', 'pending'));
// Add a new group, marketing, which bases its permissions on staff
$acl->addRole('marketing', 'staff');
// Refine the privilege sets for more specific needs
// Allow marketing to publish and archive newsletters
$acl->allow('marketing', 'newsletter', array('publish', 'archive'));
// Allow marketing to publish and archive latest news
$acl->addResource('news');
$acl->addResource('latest', 'news');
$acl->allow('marketing', 'latest', array('publish', 'archive'));
// Deny staff (and marketing, by inheritance) rights to revise latest news
$acl->deny('staff', 'latest', 'revise');
$acl->addResource('announcement', 'news');
$this->assertTrue($acl->isAllowed('marketing', 'content', 'view'));
$this->assertTrue($acl->isAllowed('marketing', 'content', 'edit'));
$this->assertTrue($acl->isAllowed('marketing', 'content', 'submit'));
$this->assertTrue($acl->isAllowed('marketing', 'content', 'revise'));
$this->assertFalse($acl->isAllowed('marketing', 'content', 'publish'));
$this->assertFalse($acl->isAllowed('marketing', 'content', 'archive'));
$this->assertFalse($acl->isAllowed('marketing', 'content', 'delete'));
$this->assertFalse($acl->isAllowed('marketing', 'content', 'unknown'));
$this->assertFalse($acl->isAllowed('marketing'));
$this->assertTrue($acl->isAllowed('marketing', 'newsletter', 'publish'));
$this->assertFalse($acl->isAllowed('staff', 'pending', 'publish'));
$this->assertTrue($acl->isAllowed('marketing', 'newsletter', 'archive'));
$this->assertFalse($acl->isAllowed('marketing', 'newsletter', 'delete'));
$this->assertFalse($acl->isAllowed('marketing', 'newsletter'));
$this->assertTrue($acl->isAllowed('marketing', 'latest', 'publish'));
$this->assertTrue($acl->isAllowed('marketing', 'latest', 'archive'));
$this->assertFalse($acl->isAllowed('marketing', 'latest', 'delete'));
$this->assertFalse($acl->isAllowed('marketing', 'latest', 'revise'));
$this->assertFalse($acl->isAllowed('marketing', 'latest'));
$this->assertFalse($acl->isAllowed('marketing', 'announcement', 'archive'));
$this->assertFalse($acl->isAllowed('staff', 'announcement', 'archive'));
$this->assertFalse($acl->isAllowed('staff', 'latest', 'publish'));
$acl->allow('marketing', 'latest');
$this->assertTrue($acl->isAllowed('marketing', 'latest', 'archive'));
$this->assertTrue($acl->isAllowed('marketing', 'latest', 'publish'));
$this->assertTrue($acl->isAllowed('marketing', 'latest', 'edit'));
$this->assertTrue($acl->isAllowed('marketing', 'latest'));
}
function testResourceInheritsAndRoleInheritsOverlap()
{
$acl = new lmbAcl();
$acl->addRole('user');
$acl->addRole('fbi', 'user');
$acl->addResource('news');
$acl->addResource('secret', 'news');
$acl->allow('user', 'news', 'view');
$acl->deny('user', 'secret', 'view');
$this->assertTrue($acl->isAllowed('user', 'news', 'view'));
$this->assertFalse($acl->isAllowed('user', 'secret', 'view'));
$this->assertTrue($acl->isAllowed('fbi', 'news', 'view'));
// role inherits and resource inherits conflict, role inherits should have the priority
$this->assertFalse($acl->isAllowed('fbi', 'secret', 'view'));
}
