This method is smart enough to automatically recursively extracts roles for hierarchical roles
| public matchIdentityRoles ( array $roles ) : boolean | ||
| $roles | array | |
| return | boolean | |
/**
* @dataProvider roleProvider
*/
public function testMatchIdentityRoles(array $rolesConfig, array $identityRoles, array $rolesToCheck, $doesMatch)
{
$identity = $this->getMock('ZfcRbac\\Identity\\IdentityInterface');
$identity->expects($this->once())->method('getRoles')->will($this->returnValue($identityRoles));
$identityProvider = $this->getMock('ZfcRbac\\Identity\\IdentityProviderInterface');
$identityProvider->expects($this->any())->method('getIdentity')->will($this->returnValue($identity));
$roleService = new RoleService($identityProvider, new InMemoryRoleProvider($rolesConfig), new RecursiveRoleIteratorStrategy());
$this->assertEquals($doesMatch, $roleService->matchIdentityRoles($rolesToCheck));
}
/**
* {@inheritDoc}
*/
public function isGranted(MvcEvent $event)
{
$matchedRouteName = $event->getRouteMatch()->getMatchedRouteName();
$allowedRoles = null;
foreach (array_keys($this->rules) as $routeRule) {
if (fnmatch($routeRule, $matchedRouteName, FNM_CASEFOLD)) {
$allowedRoles = $this->rules[$routeRule];
break;
}
}
// If no rules apply, it is considered as granted or not based on the protection policy
if (null === $allowedRoles) {
return $this->protectionPolicy === self::POLICY_ALLOW;
}
if (in_array('*', $allowedRoles)) {
return true;
}
return $this->roleService->matchIdentityRoles($allowedRoles);
}
/**
* {@inheritDoc}
*/
public function isGranted(MvcEvent $event)
{
$routeMatch = $event->getRouteMatch();
$controller = strtolower($routeMatch->getParam('controller'));
$action = strtolower($routeMatch->getParam('action'));
// If no rules apply, it is considered as granted or not based on the protection policy
if (!isset($this->rules[$controller])) {
return $this->protectionPolicy === self::POLICY_ALLOW;
}
// Algorithm is as follow: we first check if there is an exact match (controller + action), if not
// we check if there are rules set globally for the whole controllers (see the index "0"), and finally
// if nothing is matched, we fallback to the protection policy logic
if (isset($this->rules[$controller][$action])) {
$allowedRoles = $this->rules[$controller][$action];
} elseif (isset($this->rules[$controller][0])) {
$allowedRoles = $this->rules[$controller][0];
} else {
return $this->protectionPolicy === self::POLICY_ALLOW;
}
if (in_array('*', $allowedRoles)) {
return true;
}
return $this->roleService->matchIdentityRoles($allowedRoles);
}
/**
* @param string|string[] $roleOrRoles
* @return bool
*/
public function __invoke($roleOrRoles)
{
return $this->roleService->matchIdentityRoles((array) $roleOrRoles);
}
