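/**
 * Shared fixture: a super user as the current user, the read permissions optimization tables rebuilt,
 * one account owned by super that the 'nobody' user can only read, module rights for nobody on
 * AccountsModule, and the groups 'Everyone' and 'Group1'.
 */
public static function setUpBeforeClass()
{
    parent::setUpBeforeClass();
    SecurityTestHelper::createSuperAdmin();
    $super = User::getByUsername('super');
    Yii::app()->user->userModel = $super;
    ReadPermissionsOptimizationUtil::rebuild();
    // Add the nobody user to an account, but only read only.
    $nobody  = User::getByUsername('nobody');
    $account = AccountTestHelper::createAccountByNameForOwner('superAccountReadableByNobody', $super);
    $account->addPermissions($nobody, Permission::READ, Permission::ALLOW);
    // Save outside assert(): on PHP 7+ a disabled assertion skips its argument entirely, which would
    // silently drop the save and the fixture would never carry the permission it claims to set up.
    $saved = $account->save();
    assert($saved); // Not Coding Standard
    // Keep the read permissions optimization tables in step with the permission just granted.
    ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account, $nobody);
    // Give the nobody user rights to the accounts module.
    $nobody->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
    $nobody->setRight('AccountsModule', AccountsModule::RIGHT_CREATE_ACCOUNTS);
    $saved = $nobody->save();
    assert($saved); // Not Coding Standard
    $everyoneGroup = Group::getByName(Group::EVERYONE_GROUP_NAME);
    $saved = $everyoneGroup->save();
    assert($saved); // Not Coding Standard
    $group1 = new Group();
    $group1->name = 'Group1';
    $saved = $group1->save();
    assert($saved); // Not Coding Standard
}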
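/**
 * Shared fixture: a super user as the current user, the standard test users, an email account and
 * ContactsModule rights for billy, and two contacts with primary and secondary addresses: 'sally'
 * (owned by super, with explicit READ and WRITE for billy) and 'molly' (owned by bobby).
 */
public static function setUpBeforeClass()
{
    parent::setUpBeforeClass();
    SecurityTestHelper::createSuperAdmin();
    Yii::app()->user->userModel = User::getByUsername('super');
    ReadPermissionsOptimizationUtil::rebuild();
    SecurityTestHelper::createUsers();
    $billy = User::getByUsername('billy');
    EmailMessageTestHelper::createEmailAccount($billy);
    $billy->setRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS);
    $billy->setRight('ContactsModule', ContactsModule::RIGHT_CREATE_CONTACTS);
    $billy->setRight('ContactsModule', ContactsModule::RIGHT_DELETE_CONTACTS);
    // Save outside assert(): on PHP 7+ a disabled assertion skips its argument entirely, which would
    // silently drop the save and billy would never receive these rights.
    $saved = $billy->save();
    assert($saved); // Not Coding Standard
    $contact = ContactTestHelper::createContactByNameForOwner('sally', Yii::app()->user->userModel);
    $contact->primaryEmail = new Email();
    $contact->primaryEmail->emailAddress = '*****@*****.**';
    $contact->secondaryEmail->emailAddress = '*****@*****.**';
    $contact->addPermissions($billy, Permission::READ);
    $contact->addPermissions($billy, Permission::WRITE);
    $contact->save();
    $molly = ContactTestHelper::createContactByNameForOwner('molly', User::getByUsername('bobby'));
    $molly->primaryEmail = new Email();
    $molly->primaryEmail->emailAddress = '*****@*****.**';
    $molly->secondaryEmail->emailAddress = '*****@*****.**';
    // Previously this saved $contact a second time, so molly's addresses were never persisted.
    $molly->save();
    // Keep the read permissions optimization tables in step with the permissions granted on sally.
    ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contact, $billy);
}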
/**
 * Walkthrough test for synchronous download.
 * Steps through the export action as the 'nobody' user: first with no rights at all (access failure),
 * then with module and export rights but no read access to any product (redirected back to the index,
 * "There is no data to export."), then with read/write on both products (the download is produced for
 * both select-all and explicit ids), and finally a search that matches nothing (redirected again).
 */
public function testDownloadDefaultControllerActions()
{
    $super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
    $products = array();
    for ($i = 0; $i < 2; $i++)
    {
        $products[] = ProductTestHelper::createProductByNameForOwner('superProduct' . $i, $super);
    }
    // Check if access is denied if user doesn't have access privileges at all to export actions
    Yii::app()->user->userModel = User::getByUsername('nobody');
    $nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
    $this->runControllerShouldResultInAccessFailureAndGetContent('products/default/list');
    $this->setGetArray(array('Product_page' => '1', 'export' => '', 'ajax' => '', 'selectAll' => '', 'selectedIds' => ''));
    $this->runControllerShouldResultInAccessFailureAndGetContent('products/default/export');
    // Now give nobody module rights on products plus the export right, and log in again so they take effect.
    $nobody->setRight('ProductsModule', ProductsModule::RIGHT_ACCESS_PRODUCTS);
    $nobody->setRight('ProductsModule', ProductsModule::RIGHT_CREATE_PRODUCTS);
    $nobody->setRight('ProductsModule', ProductsModule::RIGHT_DELETE_PRODUCTS);
    $nobody->setRight('ExportModule', ExportModule::RIGHT_ACCESS_EXPORT);
    $this->assertTrue($nobody->save());
    // Module access now works, but nobody still has no read access to either product, so every export
    // attempt below redirects back to the index instead of producing a download.
    $nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
    Yii::app()->user->userModel = User::getByUsername('nobody');
    $this->runControllerWithNoExceptionsAndGetContent('products/default/list');
    $this->setGetArray(array('Product_page' => '1', 'export' => '', 'ajax' => '', 'selectAll' => '', 'selectedIds' => ''));
    $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
    $this->assertTrue(strstr($response, 'products/default/index') !== false);
    $this->setGetArray(array('ProductsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'),
                                                           'anyMixedAttributes' => '',
                                                           'name' => 'superProduct'),
                             'multiselect_ProductsSearchForm_anyMixedAttributesScope' => 'All',
                             'Product_page' => '1',
                             'export' => '',
                             'ajax' => '',
                             'selectAll' => '1',
                             'selectedIds' => '')); //TODO Need to ask jason
    $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
    $this->assertTrue(strstr($response, 'products/default/index') !== false);
    $this->setGetArray(array('ProductsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'),
                                                           'anyMixedAttributes' => '',
                                                           'name' => 'superProduct'),
                             'multiselect_ProductsSearchForm_anyMixedAttributesScope' => 'All',
                             'Product_page' => '1',
                             'export' => '',
                             'ajax' => '',
                             'selectAll' => '',
                             'selectedIds' => "{$products[0]->id}, {$products[1]->id}"));
    $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
    $this->assertTrue(strstr($response, 'products/default/index') !== false);
    $this->assertContains('There is no data to export.', Yii::app()->user->getFlash('notification'));
    // Give nobody access to read and write on both products (as super, the owner).
    // NOTE(review): the optimization tables are updated before save(); if a save failed the tables
    // would be ahead of the persisted permissions — harmless here because the result is asserted.
    Yii::app()->user->userModel = $super;
    foreach ($products as $product)
    {
        $product->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
        ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($product, $nobody);
        $this->assertTrue($product->save());
    }
    // With read access on both products the export now produces the download, both for
    // select-all and for an explicit list of ids.
    Yii::app()->user->userModel = $nobody;
    $this->setGetArray(array('ProductsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'),
                                                           'anyMixedAttributes' => '',
                                                           'name' => 'superProduct'),
                             'multiselect_ProductsSearchForm_anyMixedAttributesScope' => 'All',
                             'Product_page' => '1',
                             'export' => '',
                             'ajax' => '',
                             'selectAll' => '1',
                             'selectedIds' => '')); //TODO Need to ask jason
    $response = $this->runControllerWithExitExceptionAndGetContent('products/default/export');
    $this->assertEquals('Testing download.', $response);
    $this->setGetArray(array('ProductsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'),
                                                           'anyMixedAttributes' => '',
                                                           'name' => 'superProduct'),
                             'multiselect_ProductsSearchForm_anyMixedAttributesScope' => 'All',
                             'Product_page' => '1',
                             'export' => '',
                             'ajax' => '',
                             'selectAll' => '',
                             'selectedIds' => "{$products[0]->id}, {$products[1]->id}"));
    $response = $this->runControllerWithExitExceptionAndGetContent('products/default/export');
    $this->assertEquals('Testing download.', $response);
    // No matches: a search on a name that does not exist redirects back to the index.
    $this->setGetArray(array('ProductsSearchForm' => array('anyMixedAttributesScope' => array(0 => 'All'),
                                                           'anyMixedAttributes' => '',
                                                           'name' => 'missingName'),
                             'multiselect_ProductsSearchForm_anyMixedAttributesScope' => 'All',
                             'Product_page' => '1',
                             'export' => '',
                             'ajax' => '',
                             'selectAll' => '1',
                             'selectedIds' => ''));
    $response = $this->runControllerWithRedirectExceptionAndGetUrl('products/default/export');
    $this->assertTrue(strstr($response, 'products/default/index') !== false);
}
/**
 * Records that $user has been given read permission on $securableItem: first brings the read
 * permissions optimization tables up to date, then forgets the item's cached read-permission
 * entry (presumably so the next check is recomputed from the fresh tables — confirm against
 * AllPermissionsOptimizationCache). The order matters: clearing the cache before the tables
 * are updated could let a stale answer be cached again.
 * @param SecurableItem $securableItem
 * @param User $user
 */
public static function securableItemGivenReadPermissionsForUser(SecurableItem $securableItem, User $user)
{
    ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $user);
    AllPermissionsOptimizationCache::forgetSecurableItemForRead($securableItem);
}
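/**
 * Given a SecurableItem, add and remove permissions
 * based on what the provided ExplicitReadWriteModelPermissions indicates should be done.
 * Sets @see SecurableItem->setTreatCurrentUserAsOwnerForPermissions as true in order to ensure the current user
 * can effectively add permissions even if the current user is no longer the owner. That flag is cleared again on
 * every exit path, including when a permitable is rejected, so the owner treatment never outlives this call.
 * The read permissions optimization tables are kept in step for every permitable touched.
 * @param SecurableItem $securableItem
 * @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions
 * @return boolean true when nothing needed saving, otherwise the result of saving the item
 * @throws NotSupportedException when a permitable is neither a User nor a Group
 */
public static function resolveExplicitReadWriteModelPermissions(SecurableItem $securableItem,
                                                                 ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions)
{
    // Expression form: the string form of assert() is deprecated since PHP 7.2 and on PHP 8 a non-empty
    // string is simply truthy, so the original check would never fire.
    assert($securableItem->id > 0);
    $securableItem->setTreatCurrentUserAsOwnerForPermissions(true);
    try {
        $needsSave = self::applyExplicitPermissionChanges($securableItem, $explicitReadWriteModelPermissions);
        $saved     = $needsSave ? self::saveWithoutWorkflowProcessing($securableItem) : true;
    } catch (\Exception $e) {
        // Never leave the current user treated as owner after a failure.
        $securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
        throw $e;
    }
    $securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
    return $saved;
}

/**
 * Applies every addition and removal the ExplicitReadWriteModelPermissions describes to the item and
 * updates the read permissions optimization tables for each affected permitable.
 * Read-only permitables receive READ; read/write permitables receive READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER;
 * removals take the same permission back (ALLOW type).
 * @param SecurableItem $securableItem
 * @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions
 * @return boolean true when at least one add or remove was requested, i.e. the item must be saved
 * @throws NotSupportedException when a permitable is neither a User nor a Group
 */
private static function applyExplicitPermissionChanges(SecurableItem $securableItem,
                                                       ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions)
{
    $needsSave = false;
    if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesCount() > 0) {
        $needsSave = true;
        foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitables() as $permitable) {
            $securableItem->addPermissions($permitable, Permission::READ);
            self::propagatePermissionsGiven($securableItem, $permitable);
        }
    }
    if ($explicitReadWriteModelPermissions->getReadWritePermitablesCount() > 0) {
        $needsSave = true;
        foreach ($explicitReadWriteModelPermissions->getReadWritePermitables() as $permitable) {
            $securableItem->addPermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER);
            self::propagatePermissionsGiven($securableItem, $permitable);
        }
    }
    if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemoveCount() > 0) {
        $needsSave = true;
        foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemove() as $permitable) {
            $securableItem->removePermissions($permitable, Permission::READ, Permission::ALLOW);
            self::propagatePermissionsLost($securableItem, $permitable);
        }
    }
    if ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemoveCount() > 0) {
        $needsSave = true;
        foreach ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemove() as $permitable) {
            $securableItem->removePermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER, Permission::ALLOW);
            self::propagatePermissionsLost($securableItem, $permitable);
        }
    }
    return $needsSave;
}

/**
 * Tells the read permissions optimization tables that $permitable was given permissions on the item.
 * @param SecurableItem $securableItem
 * @param mixed $permitable a Group or a User
 * @throws NotSupportedException for any other permitable type
 */
private static function propagatePermissionsGiven(SecurableItem $securableItem, $permitable)
{
    if ($permitable instanceof Group) {
        ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($securableItem, $permitable);
    } elseif ($permitable instanceof User) {
        ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $permitable);
    } else {
        throw new NotSupportedException();
    }
}

/**
 * Tells the read permissions optimization tables that $permitable lost permissions on the item.
 * @param SecurableItem $securableItem
 * @param mixed $permitable a Group or a User
 * @throws NotSupportedException for any other permitable type
 */
private static function propagatePermissionsLost(SecurableItem $securableItem, $permitable)
{
    if ($permitable instanceof Group) {
        ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $permitable);
    } elseif ($permitable instanceof User) {
        ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $permitable);
    } else {
        throw new NotSupportedException();
    }
}

/**
 * Saves the item with workflow processing switched off and restores the previous workflow setting
 * afterwards, also when save() throws. Presumably a permission-only change should not fire workflow
 * rules as if the item itself had been edited — confirm against the workflow engine.
 * @param SecurableItem $securableItem
 * @return boolean the result of save()
 */
private static function saveWithoutWorkflowProcessing(SecurableItem $securableItem)
{
    $restoreWorkflow = $securableItem->shouldProcessWorkflowOnSave();
    if ($restoreWorkflow) {
        $securableItem->setDoNotProcessWorkflowOnSave();
    }
    try {
        $saved = $securableItem->save();
    } catch (\Exception $e) {
        if ($restoreWorkflow) {
            $securableItem->setProcessWorkflowOnSave();
        }
        throw $e;
    }
    if ($restoreWorkflow) {
        $securableItem->setProcessWorkflowOnSave();
    }
    return $saved;
}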
/**
 * Elevation walkthrough for a regular user: jimmy starts with no module rights and sees no results;
 * module access alone still yields nothing; explicit READ on one account, then on a contact and an
 * opportunity, makes exactly those models show up in the global search for 'animal'.
 * Only runs against a frozen database (see the comment at the top of the body).
 * @depends testGetGlobalSearchResultsByPartialTermUsingScope
 */
public function testGetGlobalSearchResultsByPartialTermWithRegularUserAndElevationStepsForRegularUser()
{
    //Unfrozen, there are too many attributes that have to be columns in the database at this point, so
    //now this is just a frozen test.
    if (RedBeanDatabase::isFrozen())
    {
        $super = User::getByUsername('super');
        $jimmy = User::getByUsername('jimmy');
        Yii::app()->user->userModel = $super;
        //Jimmy does not have read access, so he should not be able to see any results.
        $this->assertEquals(Right::DENY, $jimmy->getEffectiveRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS));
        $this->assertEquals(Right::DENY, $jimmy->getEffectiveRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS));
        $this->assertEquals(Right::DENY, $jimmy->getEffectiveRight('OpportunitiesModule', OpportunitiesModule::RIGHT_ACCESS_OPPORTUNITIES));
        Yii::app()->user->userModel = $jimmy;
        $data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
        $this->assertEquals(array(array('href' => '', 'label' => 'No Results Found', 'iconClass' => '')), $data);
        //Give Jimmy access to the module, he still will not be able to see results.
        //(module rights are granted as super; the current user is switched back to jimmy before searching)
        Yii::app()->user->userModel = $super;
        $jimmy->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
        $jimmy->setRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS);
        $jimmy->setRight('LeadsModule', LeadsModule::RIGHT_ACCESS_LEADS);
        $jimmy->setRight('OpportunitiesModule', OpportunitiesModule::RIGHT_ACCESS_OPPORTUNITIES);
        $this->assertTrue($jimmy->save());
        Yii::app()->user->userModel = $jimmy;
        $data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
        $this->assertEquals(array(array('href' => '', 'label' => 'No Results Found', 'iconClass' => '')), $data);
        //Give Jimmy read on 1 model. The search then should pick up this model.
        //Each grant is followed by a read permissions optimization update for jimmy so the search sees it.
        Yii::app()->user->userModel = $super;
        $accounts = Account::getByName('The Zoo');
        $this->assertEquals(1, count($accounts));
        $account = $accounts[0];
        $this->assertEquals(Permission::NONE, $account->getEffectivePermissions($jimmy));
        $account->addPermissions($jimmy, Permission::READ);
        $this->assertTrue($account->save());
        ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account, $jimmy);
        Yii::app()->user->userModel = $jimmy;
        $data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
        $this->assertEquals(1, count($data));
        $this->assertEquals('The Zoo', $data[0]['label']);
        //Give Jimmy read on 2 more models. The search then should pick up these models.
        Yii::app()->user->userModel = $super;
        $contacts = Contact::getByName('Big Elephant');
        $this->assertEquals(1, count($contacts));
        $contact = $contacts[0];
        $this->assertEquals(Permission::NONE, $contact->getEffectivePermissions($jimmy));
        $contact->addPermissions($jimmy, Permission::READ);
        $this->assertTrue($contact->save());
        ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contact, $jimmy);
        $opportunities = Opportunity::getByName('Animal Crackers');
        $this->assertEquals(1, count($opportunities));
        $opportunity = $opportunities[0];
        $this->assertEquals(Permission::NONE, $opportunity->getEffectivePermissions($jimmy));
        $opportunity->addPermissions($jimmy, Permission::READ);
        $this->assertTrue($opportunity->save());
        ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($opportunity, $jimmy);
        Yii::app()->user->userModel = $jimmy;
        $data = ModelAutoCompleteUtil::getGlobalSearchResultsByPartialTerm('animal', 5, Yii::app()->user->userModel);
        //Result order is asserted as account, contact, opportunity.
        $this->assertEquals(3, count($data));
        $this->assertEquals('The Zoo', $data[0]['label']);
        $this->assertEquals('Big Elephant', $data[1]['label']);
        $this->assertEquals('Animal Crackers', $data[2]['label']);
    }
}
/**
 * Slide 16 of the read permissions optimization walkthrough: when user u1 goes away, every munge row
 * that exists only because of u1 must disappear, while the rows that come from group G1 on A3 stay.
 * u1 is not really deleted (only testBeforeDelete() is invoked) so that ids stay stable for later
 * tests; the accounts and group memberships are cleaned up by hand at the end.
 * @depends testGroupDeleted_Slide15
 */
public function testUserDeleted_Slide16()
{
    $u1  = User::getByUsername('u1.');
    $u99 = User::getByUsername('u99.');
    Yii::app()->user->userModel = $u99;
    $g1 = Group::getByName('G1.');
    $g2 = Group::getByName('G2.');
    $g3 = Group::getByName('G3.');
    // Membership for this slide: u1 is in G1, G1 is in G2, G3 is in G1.
    $g1->users->add($u1);
    $this->assertTrue($g1->save());
    $g2->groups->add($g1);
    $this->assertTrue($g2->save());
    $g1->groups->add($g3);
    $this->assertTrue($g1->save());
    // A1 is created as u1, so u1 owns it.
    Yii::app()->user->userModel = $u1;
    $a1 = new Account();
    $a1->name = 'A1.';
    $this->assertTrue($a1->save());
    //Called in OwnedSecurableItem::afterSave();
    //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a1);
    // A2 and A3 are created as u99: A2 gives u1 explicit READ, A3 gives group G1 explicit READ.
    Yii::app()->user->userModel = $u99;
    $a2 = new Account();
    $a2->name = 'A2.';
    $a2->addPermissions($u1, Permission::READ);
    $this->assertTrue($a2->save());
    //Called in OwnedSecurableItem::afterSave();
    //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a2);
    ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($a2, $u1);
    $a3 = new Account();
    $a3->name = 'A3.';
    $a3->addPermissions($g1, Permission::READ);
    $this->assertTrue($a3->save());
    //Called in OwnedSecurableItem::afterSave();
    //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a3);
    ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($a3, $g1);
    // Rows are (account, munge id, count). The R2/R3 rows vanish together with u1 below, so they
    // presumably stem from u1's role chain — see the earlier slides for how they are derived.
    $this->assertEquals(array(array('A1', 'R2', 1),
                              array('A1', 'R3', 1),
                              array('A2', 'R2', 1),
                              array('A2', 'R3', 1),
                              array('A2', 'U1', 1),
                              array('A3', 'G1', 1),
                              array('A3', 'G3', 1),
                              array('A3', 'R2', 1),
                              array('A3', 'R3', 1)),
                        self::getAccountMungeRows());
    $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());
    // Simulate the deletion of u1 without removing the row, to keep ids stable.
    $u1->testBeforeDelete();
    //Called in User->beforeDelete();
    //ReadPermissionsOptimizationUtil::userBeingDeleted($u1);
    // $u1->delete(); // Not really deleting it, to avoid messing up the ids.
    // Only the rows that come from group G1 on A3 survive.
    $this->assertEquals(array(array('A3', 'G1', 1),
                              array('A3', 'G3', 1)),
                        self::getAccountMungeRows());
    //$this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt()); // Can't do this because
                                                                      // of not really deleting the user.
    // Clean up: each account is deleted as its owner, then the group links added above are removed.
    Yii::app()->user->userModel = $u1;
    $a1->delete();
    Yii::app()->user->userModel = $u99;
    $a2->delete();
    $a3->delete();
    $g1->users->removeAll();
    $g1->groups->removeAll();
    $this->assertTrue($g1->save());
    $g2->groups->removeall(); // sic: PHP method names are case-insensitive, so this is removeAll()
    $this->assertTrue($g2->save());
}
/**
 * Explicit permissions on two accounts: bobby gets READ on account1 and the 'Sales Staff' group (which
 * contains bobby) gets WRITE on it, so bobby's effective permissions on account1 are READ|WRITE; on
 * account2 bobby gets WRITE and the group CHANGE_OWNER, so no READ at all. As bobby, Account::getAll()
 * then returns only account1.
 */
public function testGettingWithPermissions()
{
    $accounts = Account::getAll();
    $this->assertTrue(count($accounts) >= 2);
    $account1 = $accounts[0];
    $account2 = $accounts[1];
    $user  = User::getByUsername('bobby');
    $group = Group::getByName('Sales Staff');
    $this->assertTrue($group->contains($user));
    // Nothing explicit is set on either account yet.
    $this->assertEquals(Permission::NONE, $account1->getEffectivePermissions($user));
    $this->assertEquals(Permission::NONE, $account1->getEffectivePermissions($group));
    $this->assertEquals(Permission::NONE, $account2->getEffectivePermissions($user));
    $this->assertEquals(Permission::NONE, $account2->getEffectivePermissions($group));
    $account1->addPermissions($user, Permission::READ);
    $account1->addPermissions($group, Permission::WRITE);
    $this->assertTrue($account1->save());
    // Keep the read permissions optimization tables in step with the READ just granted to bobby.
    ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($account1, $user);
    // No optimization update is made for account2; it grants bobby no READ, so presumably there is
    // nothing for the read tables to record — confirm if this test is extended.
    $account2->addPermissions($user, Permission::WRITE);
    $account2->addPermissions($group, Permission::CHANGE_OWNER);
    $this->assertTrue($account2->save());
    // A user's effective permissions include those granted to the groups the user belongs to;
    // a group's effective permissions are only its own.
    $this->assertEquals(Permission::READ | Permission::WRITE, $account1->getEffectivePermissions($user));
    $this->assertEquals(Permission::WRITE, $account1->getEffectivePermissions($group));
    $this->assertEquals(Permission::WRITE | Permission::CHANGE_OWNER, $account2->getEffectivePermissions($user));
    $this->assertEquals(Permission::CHANGE_OWNER, $account2->getEffectivePermissions($group));
    // As bobby, only the account bobby can read is returned.
    Yii::app()->user->userModel = $user;
    $models = Account::getAll();
    $this->assertEquals(1, count($models));
    $this->assertTrue($models[0]->isSame($account1));
    // Tear down so later tests start from a clean permission state.
    unset($account1);
    unset($account2);
    unset($user);
    unset($group);
    RedBeanModel::forgetAll();
    Permission::removeAll();
}