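/**
  * Exercise RoleBasedHandlerOperationPolicy inside a deny-overrides policy set.
  *
  * Each scenario wraps the authorization context manipulation policy plus one
  * role policy in a PolicySet(COMBINING_DENY_OVERRIDES), runs it through an
  * AuthorizationDecisionManager and asserts the decision. The roles granted by
  * getAuthorizationContextManipulationPolicy() are not visible here; the
  * assertions below only hold if it grants ROLE_ID_SITE_ADMIN and ROLE_ID_TEST
  * but not ROLE_ID_NON_AUTHORIZED - verify against that helper.
  *
  * NOTE(review): this listing contains a second testRoleAuthorization() further
  * down; PHP does not allow two methods of the same name in one class, so the
  * two appear to be different revisions of the same test.
  *
  * @covers RoleBasedHandlerOperationPolicy
  */
 public function testRoleAuthorization()
 {
     // Default authorized request: a granted role and a permitted operation.
     $request = $this->getMockRequest('permittedOperation');
     $rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST), 'permittedOperation');
     self::assertEquals(AUTHORIZATION_PERMIT, $this->decideRolePolicySet($rolePolicy));

     // A role the context does not grant must be denied even though the
     // operation itself is permitted.
     $rolePolicy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_NON_AUTHORIZED, 'permittedOperation');
     self::assertEquals(AUTHORIZATION_DENY, $this->decideRolePolicySet($rolePolicy));

     // A granted role requesting an operation the policy does not list
     // must be denied: role and operation are checked independently.
     $request = $this->getMockRequest('privateOperation');
     $rolePolicy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, 'permittedOperation');
     self::assertEquals(AUTHORIZATION_DENY, $this->decideRolePolicySet($rolePolicy));

     // Same role and request, but with the operation check bypassed
     // (6th constructor argument): the policy now permits an operation it
     // would otherwise deny, i.e. the flag widens authorization.
     // FIXME: Remove the "bypass operation check" code once we've removed the
     // HandlerValidatorRole compatibility class, see #5868.
     $rolePolicy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, array(), 'some.message', false, true);
     self::assertEquals(AUTHORIZATION_PERMIT, $this->decideRolePolicySet($rolePolicy));

     // "All roles must match" (5th constructor argument): every listed
     // role is granted, so the request is permitted.
     $request = $this->getMockRequest('permittedOperation');
     $rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_SITE_ADMIN, ROLE_ID_TEST), 'permittedOperation', 'some.message', true, false);
     self::assertEquals(AUTHORIZATION_PERMIT, $this->decideRolePolicySet($rolePolicy));

     // "All roles must match" with one role not granted: a single missing
     // role is enough to deny.
     $rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN, ROLE_ID_NON_AUTHORIZED), 'permittedOperation', 'some.message', true, false);
     self::assertEquals(AUTHORIZATION_DENY, $this->decideRolePolicySet($rolePolicy));
 }

 /**
  * Combine the authorization context manipulation policy and $rolePolicy in
  * a deny-overrides policy set and return the decision manager's verdict.
  *
  * @param $rolePolicy RoleBasedHandlerOperationPolicy
  * @return mixed one of the AUTHORIZATION_* constants
  */
 private function decideRolePolicySet($rolePolicy)
 {
     $policySet = new PolicySet(COMBINING_DENY_OVERRIDES);
     $policySet->addPolicy($this->getAuthorizationContextManipulationPolicy());
     $policySet->addPolicy($rolePolicy);
     $decisionManager = new AuthorizationDecisionManager();
     $decisionManager->addPolicy($policySet);
     return $decisionManager->decide();
 }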
 /**
  * Exercise AuthorizationDecisionManager with plain policies and nested
  * policy sets under the different combining algorithms.
  *
  * @covers AuthorizationDecisionManager
  */
 public function testDecide()
 {
     // A bare AuthorizationPolicy serves as the denying policy; the
     // permitting one is a mock whose effect() is answered by mockEffect().
     $deny = new AuthorizationPolicy();
     $permit = $this->getMock('AuthorizationPolicy', array('effect'));
     $permit->expects($this->any())->method('effect')->will($this->returnCallback(array($this, 'mockEffect')));

     // Manager (deny overrides): permit + deny -> deny.
     $manager = new AuthorizationDecisionManager();
     $manager->addPolicy($permit);
     $manager->addPolicy($deny);
     self::assertEquals(AUTHORIZATION_DENY, $manager->decide());

     // Manager (deny overrides): permit + permit -> permit.
     $manager = new AuthorizationDecisionManager();
     $manager->addPolicy($permit);
     $manager->addPolicy($permit);
     self::assertEquals(AUTHORIZATION_PERMIT, $manager->decide());

     // Manager (deny overrides): permit + nested set (deny, deny) -> deny.
     // NOTE(review): the original described this nested set as "allow
     // overrides", yet it is built with the default PolicySet constructor
     // (compare the explicit COMBINING_PERMIT_OVERRIDES below). With two
     // deny policies the algorithm cannot change the outcome, so the
     // intended default is worth confirming.
     $nested = new PolicySet();
     $nested->addPolicy($deny);
     $nested->addPolicy($deny);
     $manager = new AuthorizationDecisionManager();
     $manager->addPolicy($permit);
     $manager->addPolicy($nested);
     self::assertEquals(AUTHORIZATION_DENY, $manager->decide());

     // Manager (deny overrides): permit + nested permit-overrides set
     // (deny, permit) -> the nested set resolves to permit -> permit.
     $nested = new PolicySet(COMBINING_PERMIT_OVERRIDES);
     $nested->addPolicy($deny);
     $nested->addPolicy($permit);
     $manager = new AuthorizationDecisionManager();
     $manager->addPolicy($permit);
     $manager->addPolicy($nested);
     self::assertEquals(AUTHORIZATION_PERMIT, $manager->decide());
 }
 /**
  * Exercise RoleBasedHandlerOperationPolicy against a mocked RoleDAO.
  *
  * Every scenario first registers the exact userHasRole() lookups the policy
  * is expected to perform (see mockRoleDao()) and then asserts the verdict of
  * an AuthorizationDecisionManager that holds only the role policy.
  *
  * @covers RoleBasedHandlerOperationPolicy
  */
 public function testRoleAuthorization()
 {
     // Test user.
     import('classes.user.User');
     $user = new User();
     $user->setId(3);

     // Test context. The userHasRole() arguments depend on whether the
     // application has a context level: with one, context-level roles are
     // looked up under the context id and site-level roles under context
     // id 0; without one, both lookups carry just the user id.
     $application = PKPApplication::getApplication();
     if ($application->getContextDepth() > 0) {
         $contextId = 5;
         $context = new DataObject();
         $context->setId($contextId);
         $contextRoleArgs = array($contextId, $user->getId());
         $siteRoleArgs = array(0, $user->getId());
     } else {
         $context = null;
         $contextRoleArgs = array($user->getId());
         $siteRoleArgs = array($user->getId());
     }

     // The role the mocked DAO will report as not held by the user.
     $nonAuthorizedRole = ROLE_ID_SITE_ADMIN;

     // Default authorized request: only the ROLE_ID_TEST lookup is
     // registered and answers true, so the policy is expected to permit
     // without ever asking about $nonAuthorizedRole.
     $request = $this->getMockRequest('permittedOperation', $context, $user);
     $this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($contextRoleArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true)));
     $policy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, $nonAuthorizedRole), 'permittedOperation');
     self::assertEquals(AUTHORIZATION_PERMIT, $this->decideWithSinglePolicy($policy));

     // Non-authorized role: the site-level lookup answers false -> deny.
     $this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($siteRoleArgs, array($nonAuthorizedRole)), 'userHasRoleReturnValue' => false)));
     $policy = new RoleBasedHandlerOperationPolicy($request, $nonAuthorizedRole, 'permittedOperation');
     self::assertEquals(AUTHORIZATION_DENY, $this->decideWithSinglePolicy($policy));

     // Granted role, but the request targets an operation the policy does
     // not list -> deny. This request carries no context, so the role
     // lookup uses the site-level arguments.
     $request = $this->getMockRequest('privateOperation', null, $user);
     $testRoleLookup = array('userHasRoleExpectedArgs' => array_merge($siteRoleArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true);
     $this->mockRoleDao(array($testRoleLookup));
     $policy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_TEST, 'permittedOperation');
     self::assertEquals(AUTHORIZATION_DENY, $this->decideWithSinglePolicy($policy));

     // Same role and request, but with the operation check bypassed
     // (6th constructor argument): the policy now permits an operation it
     // would otherwise deny, i.e. the flag widens authorization.
     // FIXME: Remove the "bypass operation check" code once we've removed the
     // HandlerValidatorRole compatibility class, see #5868.
     $this->mockRoleDao(array($testRoleLookup));
     $policy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_TEST, array(), 'some.message', false, true);
     self::assertEquals(AUTHORIZATION_PERMIT, $this->decideWithSinglePolicy($policy));

     // "All roles must match" (5th constructor argument): both lookups
     // succeed -> permit.
     $request = $this->getMockRequest('permittedOperation', $context, $user);
     $this->mockRoleDao(array(
         array('userHasRoleExpectedArgs' => array_merge($contextRoleArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true),
         array('userHasRoleExpectedArgs' => array_merge($siteRoleArgs, array(ROLE_ID_SITE_ADMIN)), 'userHasRoleReturnValue' => true),
     ));
     $policy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN), 'permittedOperation', 'some.message', true, false);
     self::assertEquals(AUTHORIZATION_PERMIT, $this->decideWithSinglePolicy($policy));

     // "All roles must match" with the second lookup failing -> deny.
     $this->mockRoleDao(array(
         array('userHasRoleExpectedArgs' => array_merge($contextRoleArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true),
         array('userHasRoleExpectedArgs' => array_merge($siteRoleArgs, array(ROLE_ID_SITE_ADMIN)), 'userHasRoleReturnValue' => false),
     ));
     $policy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN), 'permittedOperation', 'some.message', true, false);
     self::assertEquals(AUTHORIZATION_DENY, $this->decideWithSinglePolicy($policy));
 }

 /**
  * Run a single policy through a fresh AuthorizationDecisionManager.
  *
  * @param $policy AuthorizationPolicy
  * @return mixed one of the AUTHORIZATION_* constants
  */
 private function decideWithSinglePolicy($policy)
 {
     $decisionManager = new AuthorizationDecisionManager();
     $decisionManager->addPolicy($policy);
     return $decisionManager->decide();
 }