/** * @covers RoleBasedHandlerOperationPolicy */ public function testRoleAuthorization() { // Create a test user; import('classes.user.User'); $testUser = new User(); $testUser->setId(3); // Create a test context. $application = PKPApplication::getApplication(); $contextDepth = $application->getContextDepth(); if ($contextDepth > 0) { $testContext = new DataObject(); $testContextId = 5; $testContext->setId($testContextId); $userHasRoleContextArgs = array($testContextId, $testUser->getId()); $userHasRoleSiteArgs = array(0, $testUser->getId()); } else { $testContext = null; $userHasRoleSiteArgs = $userHasRoleContextArgs = array($testUser->getId()); } // Create a non-authorized role. $nonAuthorizedRole = ROLE_ID_SITE_ADMIN; // Test the user-group/role policy with a default // authorized request. $request = $this->getMockRequest('permittedOperation', $testContext, $testUser); $this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleContextArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true))); $rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, $nonAuthorizedRole), 'permittedOperation'); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); // Test the user-group/role policy with a non-authorized role. $this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array($nonAuthorizedRole)), 'userHasRoleReturnValue' => false))); $rolePolicy = new RoleBasedHandlerOperationPolicy($request, $nonAuthorizedRole, 'permittedOperation'); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); // Test the policy with an authorized role but a non-authorized operation. $request = $this->getMockRequest('privateOperation', null, $testUser); $userHasRoleInvocation = array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true); $this->mockRoleDao(array($userHasRoleInvocation)); $rolePolicy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_TEST, 'permittedOperation'); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); // Test the policy with an authorized role and a non-authorized operation // but bypass the the operation check. // FIXME: Remove the "bypass operation check" code once we've removed the // HandlerValidatorRole compatibility class, see #5868. $this->mockRoleDao(array($userHasRoleInvocation)); $rolePolicy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_TEST, array(), 'some.message', false, true); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); // Test the "all roles must match" feature. $request = $this->getMockRequest('permittedOperation', $testContext, $testUser); $this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleContextArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true), array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array(ROLE_ID_SITE_ADMIN)), 'userHasRoleReturnValue' => true))); $rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN), 'permittedOperation', 'some.message', true, false); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); // Test again the "all roles must match" feature but this time // with one role not matching. $this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleContextArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true), array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array(ROLE_ID_SITE_ADMIN)), 'userHasRoleReturnValue' => false))); $rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN), 'permittedOperation', 'some.message', true, false); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); }