public function testABitOfEverythingAsAnExample()
 {
     $superAdminDude = new User();
     $superAdminDude->title->value = 'Miss';
     $superAdminDude->username = '******';
     $superAdminDude->firstName = 'Laura';
     $superAdminDude->lastName = 'Laurason';
     $superAdminDude->setPassword('laura');
     $this->assertTrue($superAdminDude->save());
     $adminDude = new User();
     $adminDude->title->value = 'Mr.';
     $adminDude->username = '******';
     $adminDude->firstName = 'Jason';
     $adminDude->lastName = 'Jasonson';
     $adminDude->setPassword('jason');
     $this->assertTrue($adminDude->save());
     $accountOwner = new User();
     $accountOwner->title->value = 'Mr.';
     // :P
     $accountOwner->username = '******';
     $accountOwner->firstName = 'lisa';
     $accountOwner->lastName = 'Lisason';
     $accountOwner->setPassword('lisay');
     $this->assertTrue($accountOwner->save());
     $salesDude1 = new User();
     $salesDude1->title->value = 'Mr.';
     $salesDude1->username = '******';
     $salesDude1->firstName = 'Ray';
     $salesDude1->lastName = 'Rayson';
     $salesDude1->setPassword('ray45');
     $this->assertTrue($salesDude1->save());
     $salesDude2 = new User();
     $salesDude2->title->value = 'Mr.';
     $salesDude2->username = '******';
     $salesDude2->firstName = 'Stafford';
     $salesDude2->lastName = 'Staffordson';
     $salesDude2->setPassword('stafford');
     $this->assertTrue($salesDude2->save());
     $managementDudette = new User();
     $managementDudette->title->value = 'Ms.';
     $managementDudette->username = '******';
     $managementDudette->firstName = 'Donna';
     $managementDudette->lastName = 'Donnason';
     $managementDudette->setPassword('donna');
     $this->assertTrue($managementDudette->save());
     $supportDude = new User();
     $supportDude->title->value = 'Mr.';
     $supportDude->username = '******';
     $supportDude->firstName = 'Ross';
     $supportDude->lastName = 'Rosson';
     $supportDude->setPassword('rossy');
     $this->assertTrue($supportDude->save());
     $superAdminDudes = new Group();
     $superAdminDudes->name = 'Super Admin Dudes';
     $superAdminDudes->users->add($superAdminDude);
     $this->assertTrue($superAdminDudes->save());
     $adminDudes = new Group();
     $adminDudes->name = 'Admin Dudes';
     $adminDudes->users->add($adminDude);
     $adminDudes->groups->add($superAdminDudes);
     $this->assertTrue($adminDudes->save());
     $superAdminDudes->setPolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES, 0);
     $this->assertTrue($superAdminDudes->save());
     $adminDudes->setRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS);
     $adminDudes->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB);
     $adminDudes->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_MOBILE);
     $adminDudes->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $adminDudes->setPolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS, 90);
     $this->assertTrue($adminDudes->save());
     $salesDudes = new Group();
     $salesDudes->name = 'Sales Dudes';
     $salesDudes->users->add($salesDude1);
     $salesDudes->users->add($salesDude2);
     $this->assertTrue($salesDudes->save());
     $managementDudes = new Group();
     $managementDudes->name = 'Management Dudes';
     $managementDudes->users->add($managementDudette);
     $this->assertTrue($managementDudes->save());
     $everyone = Group::getByName(Group::EVERYONE_GROUP_NAME);
     $everyone->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB);
     $everyone->setPolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES, 1);
     $everyone->setPolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS, 30);
     $this->assertTrue($everyone->save());
     Yii::app()->user->userModel = $accountOwner;
     $account = new Account();
     $account->name = 'Doozy Co.';
     $this->assertTrue($account->save());
     // The account has no explicit permissions set at this point.
     // The account owner has full permissions implicitly.
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     // Nobody else has permissions.
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($supportDude));
     // Everyone is given read permissions to the account.
     $everyone = Group::getByName(Group::EVERYONE_GROUP_NAME);
     $account->addPermissions($everyone, Permission::READ);
     $account->save();
     // In one step everyone has read permissions, except the owner who still has full.
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($everyone));
     // Sales Dudes is given write permissions to the account.
     $account->addPermissions($salesDudes, Permission::WRITE);
     $account->save();
     // The Sales Dudes group and everyone in it has write.
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($everyone));
     // Management Dudes is given change owner permissions to the account.
     $account->addPermissions($managementDudes, Permission::CHANGE_OWNER);
     $account->save();
     // The Managment Dudes group and everyone in it has change owner.
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($everyone));
     // We want to remove Support Dude's read on the account.
     // The first way... having thought about our security and groups well...
     // Everyone's read permission is removed, and instead Sales Dudes
     // and Managment Dudes are given read permissions. Order is irrelevant.
     $account->removePermissions($everyone, Permission::READ);
     $account->addPermissions($salesDudes, Permission::READ);
     $account->addPermissions($managementDudes, Permission::READ);
     $account->save();
     // The effect is that Support Dude and Admin Dudes lose read permissions because
     // now nobody has that permission via Everyone.
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($everyone));
     // Permissions are set back.
     $account->addPermissions($everyone, Permission::READ);
     $account->removePermissions($salesDudes, Permission::READ);
     $account->removePermissions($managementDudes, Permission::READ);
     $account->save();
     // Support Dude and Admin Dudes get their read back.
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($everyone));
     // The second way... more ad-hoc...
     // We explicitly deny. Deny's have precedence over allows.
     $account->addPermissions($supportDude, Permission::READ, Permission::DENY);
     $account->save();
     // The effect is that Support Dude loses read permissions but
     // Everyone else still has read.
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($everyone));
     // Managment Dudes has all permissions is denied.
     // This takes precedence over the read permission the group was given.
     $account->addPermissions($managementDudes, Permission::ALL, Permission::DENY);
     $account->save();
     // The effect is that Management Dudes lose all permissions
     // regardless of what they have been granted.
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($everyone));
     // We'll give Management Dudes back their permissions.
     $account->removePermissions($managementDudes, Permission::ALL, Permission::DENY);
     // And give management dudette change permissions.
     $account->addPermissions($managementDudette, Permission::CHANGE_PERMISSIONS);
     $account->save();
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($accountOwner));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::READ | Permission::CHANGE_PERMISSIONS | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::READ_WRITE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::READ | Permission::CHANGE_OWNER, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($supportDude));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($everyone));
     // Then we'll just nuke eveyone's permissions. If you use this it is for
     // the kind of scenario where an admin wants to re-setup permissions from scratch
     // so you'd put a Do You Really Want To Do This???? kind of message.
     Permission::deleteAll();
     // Removing all permissions is done directly on the database,
     // so we need to forget our account and get it back again.
     $accountId = $account->id;
     $account->forget();
     unset($account);
     $account = Account::getById($accountId);
     // Nobody else has permissions again.
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($adminDude));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($adminDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($salesDude1));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($salesDude2));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($managementDudette));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($salesDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($managementDudes));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($supportDude));
     // TODO
     // - Permissions on modules.
     // - Permissions on types.
     // - Permissions on fields.
     // All users have the right to login via the web, because the Everyone group was granted that right.
     $this->assertEquals(Right::ALLOW, $adminDude->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $adminDudes->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $salesDude1->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $salesDude2->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $managementDudette->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $salesDudes->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $managementDudes->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $supportDude->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $everyone->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB));
     $this->assertEquals(Right::ALLOW, $adminDude->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::ALLOW, $adminDudes->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::DENY, $salesDude1->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::DENY, $salesDude2->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::DENY, $managementDudette->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::DENY, $salesDudes->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::DENY, $managementDudes->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::DENY, $supportDude->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     $this->assertEquals(Right::DENY, $everyone->getEffectiveRight('UsersModule', UsersModule::RIGHT_CHANGE_USER_PASSWORDS));
     // All users have a password expiry days of 30 because it was set on Everyone, but that was overridden
     // for Admin Dudes with a more generous password expiry policy set for them.
     $this->assertEquals(90, $adminDude->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(90, $adminDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(90, $adminDude->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(90, $adminDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(30, $salesDude1->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(30, $salesDude2->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(30, $managementDudette->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(30, $salesDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(30, $managementDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(30, $supportDude->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     $this->assertEquals(30, $everyone->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRY_DAYS));
     // But all users' passwords, except Super Admin Dudes, expire because of the policy set on Everyone,
     // which is set more specifically for Super Admin Dudes.
     $this->assertEquals(0, $superAdminDude->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(0, $superAdminDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $adminDude->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $adminDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $salesDude1->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $salesDude2->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $managementDudette->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $salesDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $managementDudes->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $supportDude->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     $this->assertEquals(1, $everyone->getEffectivePolicy('UsersModule', UsersModule::POLICY_PASSWORD_EXPIRES));
     // The policy set on Super Admin Dudes that their passwords don't expire is more explicit than the Everyone
     // setting and so takes precedence. While ALLOW for permissions and rights is just required from any one
     // source (explicit or inherited from a group) and DENY on any source overrides it, the effective policy
     // is the most explicit. A policy set specifically on a user overrides a policy set on a group they are
     // directly in, which overrides one that that group is in, and so on, which overrides anything set on the
     // Everyone group. If nothing is set the policy value is null.
     // TODO
     // - Roles.
 }
Example #2
0
 /**
  * @param string $sourceName
  * @param int $sourceId
  * @param string $targetName
  * @param int $targetId
  * @param string $permission
  */
 protected function revokeInternal($sourceName, $sourceId, $targetName, $targetId, $permission)
 {
     Permission::deleteAll(['source_model' => $sourceName, 'source_id' => $sourceId, 'target_model' => $targetId, 'target_id' => $targetId, 'permission' => $permission]);
     return !$this->isAllowedExplicit($sourceName, $sourceId, $targetName, $targetId, $permission);
 }
 public function testPermissionsCachingHitsAndMisses2()
 {
     if (!SECURITY_OPTIMIZED) {
         return;
     }
     // Like the test above by averaging over many loops.
     $loops = 100;
     $accounts = Account::getAll();
     $account = $accounts[0];
     $user = User::getByUsername('bobby');
     $this->assertNotEquals($account->owner->id, $user->id);
     $this->setSomePermissions();
     $firstTime = $secondTime = $thirdTime = $fourthTime = 0;
     for ($i = 0; $i < $loops; $i++) {
         $startTime = microtime(true);
         $permissions = $account->getEffectivePermissions($user);
         $endTime = microtime(true);
         $firstTime += $endTime - $startTime;
         $startTime = microtime(true);
         $permissions = $account->getEffectivePermissions($user);
         $endTime = microtime(true);
         $secondTime += $endTime - $startTime;
         // The false tells it to not forget the
         // db level cached permissions.
         PermissionsCache::forgetAll(false);
         AllPermissionsOptimizationCache::forgetAll();
         $startTime = microtime(true);
         $permissions = $account->getEffectivePermissions($user);
         $endTime = microtime(true);
         $thirdTime += $endTime - $startTime;
         // Will forget the db level cached permissions.
         PermissionsCache::forgetAll();
         AllPermissionsOptimizationCache::forgetAll();
         $startTime = microtime(true);
         $permissions = $account->getEffectivePermissions($user);
         $endTime = microtime(true);
         $fourthTime += $endTime - $startTime;
         // Will forget the db level cached permissions
         // to leave it clean for the next loop.
         PermissionsCache::forgetAll();
         AllPermissionsOptimizationCache::forgetAll();
     }
     $firstTime /= $loops;
     $secondTime /= $loops;
     $thirdTime /= $loops;
     $fourthTime /= $loops;
     // The first time is at least 10 times faster than
     // the second time because it will get it from the
     // php cached permissions.
     if ($secondTime > 0) {
         $this->assertGreaterThan(10, $firstTime / $secondTime);
     }
     // The first time is at least 2 times faster than
     // the third time even though the php level permissions
     // cache is cleared (or it's a different request)
     // because it will get it from the db cached permissions.
     if ($thirdTime > 0) {
         $this->assertGreaterThan(2, $firstTime / $thirdTime);
     }
     // The first time is at least 10 times faster than
     // the third time even though the php level permissions
     // cache is cleared (or it's a different request)
     // because it will get it from the db cached permissions.
     $this->assertWithinTolerance($firstTime, $fourthTime, 0.005);
     Permission::deleteAll();
 }
 public function testPermissionsPropagationViaRolesWhenChildRoleHaveNoUsers()
 {
     $childRole = Role::getByName('Sales Person');
     foreach ($childRole->users as $user) {
         $childRole->users->remove($user);
         $this->assertTrue($childRole->save());
     }
     $parentRole = Role::getByName('Sales Manager');
     $childChildRole = Role::getByName('Junior Sales Person');
     $userInParentRole = $parentRole->users[0];
     $userInChildChildRole = $childChildRole->users[0];
     $this->assertEquals(0, count($childRole->users));
     Permission::deleteAll();
     $accounts = Account::getAll();
     $account = $accounts[0];
     $this->assertEquals(Permission::ALL, $account->getEffectivePermissions($account->owner));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($userInParentRole));
     $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($userInChildChildRole));
     $account->addPermissions($userInChildChildRole, Permission::READ);
     $this->assertTrue($account->save());
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($userInParentRole));
     $this->assertEquals(Permission::READ, $account->getEffectivePermissions($userInChildChildRole));
 }