public function testAddingUserToRole()
{
Yii::app()->user->userModel = User::getByUsername('super');
$role = new Role();
$role->name = 'myRole';
$role->validate();
$saved = $role->save();
$this->assertTrue($saved);
$benny = User::getByUsername('benny');
//Add the role to benny
$benny->role = $role;
$saved = $benny->save();
$this->assertTrue($saved);
$roleId = $role->id;
unset($role);
$role = Role::getById($roleId);
$this->assertEquals(1, $role->users->count());
$this->assertTrue($role->users[0]->isSame($benny));
//Now try adding billy to the role but from the other side, from the role side.
$billy = User::getByUsername('billy');
$role->users->add($billy);
$saved = $role->save();
$this->assertTrue($saved);
$billy->forget();
//need to forget billy otherwise it won't pick up the change. i tried unset(), test fails
$billy = User::getByUsername('billy');
$this->assertTrue($billy->role->id > 0);
$this->assertTrue($billy->role->isSame($role));
}
/**
* Constructor
*
* @param array $data The data to set to the user
*/
public function __construct($data = array())
{
parent::__construct($data);
if (!empty($this->roleId)) {
$this->role = Role::getById($this->roleId);
}
}
/**
* Remove a role
*/
public function remove()
{
$role = Role::getById($this->roleId);
if ($role && $role->isRemovable()) {
User::getDbInstance()->update(User::getTable(), new DBExample(array('roleId' => $role->id)), array('roleId' => Option::get('roles.default-role')));
$role->delete();
}
}
public function testMakeDataProviderBySearchAttributeData()
{
$role = Role::getById(self::$roleId);
$searchAttributeData = UsersByModelModalListControllerUtil::makeModalSearchAttributeDataByModel($role, 'role');
$dataProvider = UsersByModelModalListControllerUtil::makeDataProviderBySearchAttributeData($searchAttributeData);
$this->assertTrue($dataProvider instanceof RedBeanModelDataProvider);
$data = $dataProvider->getData();
$this->assertEquals(1, count($data));
$this->assertEquals($role->id, $data[0]->role->id);
}
/**
* Display the main page of the permission settings
*/
public function index()
{
$permissionGroups = Permission::getAllGroupByPlugin();
$example = isset($this->roleId) ? array('roleId' => $this->roleId) : array();
$data = RolePermission::getListByExample(new DBExample($example));
$values = array();
foreach ($data as $value) {
$values[$value->permissionId][$value->roleId] = $value->value;
}
$roles = isset($this->roleId) ? array(Role::getById($this->roleId)) : Role::getAll(null, array(), array(), true);
$param = array('id' => 'permissions-form', 'fieldsets' => array('form' => array(), '_submits' => array(new SubmitInput(array('name' => 'valid', 'value' => Lang::get('main.valid-button'))))));
foreach ($roles as $role) {
foreach ($permissionGroups as $group => $permissions) {
if (Plugin::get($group)) {
foreach ($permissions as $permission) {
if ($role->id == Role::ADMIN_ROLE_ID) {
$default = 1;
} elseif (isset($values[$permission->id][$role->id])) {
$default = $values[$permission->id][$role->id];
} else {
$default = 0;
}
$param['fieldsets']['form'][] = new CheckboxInput(array('name' => "permission-{$permission->id}-{$role->id}", 'disabled' => $role->id == Role::ADMIN_ROLE_ID || $role->id == Role::GUEST_ROLE_ID && !$permission->availableForGuests, 'default' => $default, 'class' => $permission->id == Permission::ALL_PRIVILEGES_ID ? 'select-all' : '', 'nl' => false));
}
}
}
}
$form = new Form($param);
if (!$form->submitted()) {
$page = View::make(Plugin::current()->getView("permissions.tpl"), array('permissions' => $permissionGroups, 'fields' => $form->inputs, 'roles' => $roles));
return NoSidebarTab::make(array('icon' => 'unlock-alt', 'title' => Lang::get('permissions.page-title'), 'page' => $form->wrap($page)));
} else {
try {
foreach ($form->inputs as $name => $field) {
if (preg_match('/^permission\\-(\\d+)\\-(\\d+)$/', $name, $match)) {
$permissionId = $match[1];
$roleId = $match[2];
$value = App::request()->getBody($name) ? 1 : 0;
if ($roleId != Role::ADMIN_ROLE_ID && !($roleId == Role::GUEST_ROLE_ID && !$permission->availableForGuests)) {
$permission = new RolePermission();
$permission->set(array('roleId' => $roleId, 'permissionId' => $permissionId, 'value' => $value));
$permission->save();
}
}
}
App::logger()->info('Permissions were succesfully updated');
return $form->response(Form::STATUS_SUCCESS, Lang::get("roles.permissions-update-success"));
} catch (Exception $e) {
App::logger()->error('An error occured while updating permissions');
return $form->response(Form::STATUS_ERROR, DEBUG_MODE ? $e->getMessage() : Lang::get("roles.permissions-update-error"));
}
}
}
/**
* @param RedBeanModel $model
* @param User $triggeredByUser
* @return array
*/
public function makeRecipients(RedBeanModel $model, User $triggeredByUser)
{
try {
$role = Role::getById((int) $this->roleId);
} catch (NotFoundException $e) {
return array();
}
$recipients = array();
foreach ($role->users as $user) {
if ($user->primaryEmail->emailAddress != null) {
$recipient = new EmailMessageRecipient();
$recipient->toAddress = $user->primaryEmail->emailAddress;
$recipient->toName = strval($user);
$recipient->type = $this->audienceType;
$recipient->personOrAccount = $user;
$recipients[] = $recipient;
}
}
return $recipients;
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create superAccount owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$superAccount = AccountTestHelper::createAccountByNameForOwner('AccountsForElevationToModelTest', $super);
//Test nobody, access to details of superAccount should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->setGetArray(array('id' => $superAccount->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//give nobody access to read
Yii::app()->user->userModel = $super;
$superAccount->addPermissions($nobody, Permission::READ);
$this->assertTrue($superAccount->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($superAccount, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $superAccount->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//create meeting for an superAccount using the super user
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$meeting = MeetingTestHelper::createMeetingWithOwnerAndRelatedAccount('meetingCreatedByNobody', $super, $superAccount);
//Test nobody, access to edit, details and delete of meeting should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give nobody access to details view only
Yii::app()->user->userModel = $super;
$meeting->addPermissions($nobody, Permission::READ);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($meeting, $nobody);
//Now access to meetings view by Nobody should not fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Now access to meetings edit and delete by Nobody should fail
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give nobody access to both details and edit view
Yii::app()->user->userModel = $super;
$meeting->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($meeting, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting, $nobody);
//Now access to meetings view and edit by Nobody should not fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Now access to meetings delete by Nobody should fail
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//revoke the permission from the nobody user to access the meeting
Yii::app()->user->userModel = $super;
$meeting->removePermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($meeting, $nobody);
//Now nobodys, access to edit, details and delete of meetings should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give nobody access to both details and edit view
Yii::app()->user->userModel = $super;
$meeting->addPermissions($nobody, Permission::READ_WRITE_DELETE);
$this->assertTrue($meeting->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting, $nobody);
//Now nobodys, access to delete of meetings should not fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $meeting->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('meetings/default/delete');
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create account owned by super
$account2 = AccountTestHelper::createAccountByNameForOwner('AccountsParentRolePermission', $super);
//Test userInParentRole, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $account2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$account2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($account2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($account2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $account2->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $account2->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//create a meeting owned by super
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$meeting2 = MeetingTestHelper::createMeetingWithOwnerAndRelatedAccount('meetingCreatedBySuperForRole', $super, $account2);
//Test userInChildRole, access to meetings details, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to meetings details, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give userInChildRole access to READ permision for meetings
Yii::app()->user->userModel = $super;
$meeting2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($meeting2, $userInChildRole);
//Test userInChildRole, access to meetings details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInChildRole, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to meetings details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInParentRole, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give userInChildRole access to read and write for the meetings
Yii::app()->user->userModel = $super;
$meeting2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($meeting2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting2, $userInChildRole);
//Test userInChildRole, access to meetings edit should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInChildRole, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to meetings edit should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInParentRole, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//revoke userInChildRole access to read and write meetings
Yii::app()->user->userModel = $super;
$meeting2->removePermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($meeting2, $userInChildRole);
//Test userInChildRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give userInChildRole access to read and write for the meetings
Yii::app()->user->userModel = $super;
$meeting2->addPermissions($userInChildRole, Permission::READ_WRITE_DELETE);
$this->assertTrue($meeting2->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($meeting2, $userInChildRole);
//Test userInParentRole, access to delete should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $meeting2->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('meetings/default/delete');
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to accounts and creation of accounts.
$userInChildGroup->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
$this->assertTrue($userInChildGroup->save());
//create account owned by super
$account3 = AccountTestHelper::createAccountByNameForOwner('testingAccountsParentGroupPermission', $super);
//Test userInParentGroup, access to details should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//Test userInChildGroup, access to details should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('accounts/default/details');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$account3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($account3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($account3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//Test userInChildGroup, access to details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $account3->id));
$this->runControllerWithNoExceptionsAndGetContent('accounts/default/details');
//create a meeting owned by super
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$meeting3 = MeetingTestHelper::createMeetingWithOwnerAndRelatedAccount('mettingCreatedBySuperForGroup', $super, $account3);
//Add access for the confused user to accounts and creation of accounts.
$userInChildGroup->setRight('MeetingsModule', MeetingsModule::RIGHT_ACCESS_MEETINGS);
$userInChildGroup->setRight('MeetingsModule', MeetingsModule::RIGHT_CREATE_MEETINGS);
$userInChildGroup->setRight('MeetingsModule', MeetingsModule::RIGHT_DELETE_MEETINGS);
$this->assertTrue($userInChildGroup->save());
//Test userInParentGroup, access to meetings details and edit should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInChildGroup, access to meetings details and edit should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$meeting3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($meeting3, $parentGroup);
//Test userInParentGroup, access to meetings details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInParentGroup, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInChildGroup, access to meetings details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/details');
//Test userInChildGroup, access to meetings edit and delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$meeting3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($meeting3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($meeting3, $parentGroup);
//Test userInParentGroup, access to edit meetings should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInParentGroup, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInChildGroup, access to edit meetings should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerWithNoExceptionsAndGetContent('meetings/default/edit');
//Test userInChildGroup, access to meetings delete should fail.
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//revoke parentGroup access to meetings read and write
Yii::app()->user->userModel = $super;
$meeting3->removePermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($meeting3, $parentGroup);
//Test userInChildGroup, access to meetings detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//Test userInParentGroup, access to meetings detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/details');
$this->setGetArray(array('id' => $meeting3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/edit');
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerShouldResultInAccessFailureAndGetContent('meetings/default/delete');
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$meeting3->addPermissions($parentGroup, Permission::READ_WRITE_DELETE);
$this->assertTrue($meeting3->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($meeting3, $parentGroup);
//Test userInChildGroup, access to meetings delete should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $meeting3->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('meetings/default/delete');
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
public function testArePermissionsFlushedOnRemovingParentFromChildRole()
{
Contact::deleteAll();
try {
$role = Role::getByName('Parent');
$role->delete();
} catch (NotFoundException $e) {
}
try {
$user = User::getByUsername('jim');
$user->delete();
} catch (NotFoundException $e) {
}
try {
$user = User::getByUsername('jane');
$user->delete();
} catch (NotFoundException $e) {
}
// we could have used helpers to do a lot of the following stuff (such as creating users, roles,
// etc) but we wanted to mimic user's interaction as closely as possible. Hence using walkthroughs
// for everything
// create Parent and Child Roles, Create Jim to be member of Child role
// create parent role
$this->resetGetArray();
$this->setPostArray(array('Role' => array('name' => 'Parent')));
$this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/role/create');
$parentRole = Role::getByName('Parent');
$this->assertNotNull($parentRole);
$this->assertEquals('Parent', strval($parentRole));
$parentRoleId = $parentRole->id;
// create child role
$this->resetGetArray();
$this->setPostArray(array('Role' => array('name' => 'Child', 'role' => array('id' => $parentRoleId))));
$this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/role/create');
$childRole = Role::getByName('Child');
$this->assertNotNull($childRole);
$this->assertEquals('Child', strval($childRole));
$parentRole->forgetAll();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forgetAll();
$childRole = Role::getById($childRoleId);
$this->assertEquals($childRole->id, $parentRole->roles[0]->id);
// create jim's user
$this->resetGetArray();
$this->setPostArray(array('UserPasswordForm' => array('firstName' => 'Some', 'lastName' => 'Body', 'username' => 'jim', 'newPassword' => 'myPassword123', 'newPassword_repeat' => 'myPassword123', 'officePhone' => '456765421', 'userStatus' => 'Active', 'role' => array('id' => $childRoleId))));
$this->runControllerWithRedirectExceptionAndGetContent('/users/default/create');
$jim = User::getByUsername('jim');
$this->assertNotNull($jim);
$childRole->forgetAll();
$childRole = Role::getById($childRoleId);
$this->assertEquals($childRole->id, $jim->role->id);
// give jim rights to contact's module
$jim->setRight('ContactsModule', ContactsModule::getAccessRight());
$jim->setRight('ContactsModule', ContactsModule::getCreateRight());
$this->assertTrue($jim->save());
$jim->forgetAll();
$jim = User::getByUsername('jim');
// create jane's user
$this->resetGetArray();
$this->setPostArray(array('UserPasswordForm' => array('firstName' => 'Some', 'lastName' => 'Body', 'username' => 'jane', 'newPassword' => 'myPassword123', 'newPassword_repeat' => 'myPassword123', 'officePhone' => '456765421', 'userStatus' => 'Active', 'role' => array('id' => $parentRoleId))));
$this->runControllerWithRedirectExceptionAndGetContent('/users/default/create');
$jane = User::getByUsername('jane');
$this->assertNotNull($jane);
$parentRole->forgetAll();
$parentRole = Role::getById($parentRoleId);
$this->assertEquals($parentRole->id, $jane->role->id);
// give jane rights to contact's module, we need to do this because once the link between parent and child
// role is broken jane won't be able to access the listview of contacts
$jane->setRight('ContactsModule', ContactsModule::getAccessRight());
$this->assertTrue($jane->save());
$jane->forgetAll();
$jane = User::getByUsername('jane');
// create a contact from jim's account
// create ContactStates
ContactsModule::loadStartingData();
// ensure contact states have been created
$this->assertEquals(6, count(ContactState::GetAll()));
$this->logoutCurrentUserLoginNewUserAndGetByUsername('jim');
// go ahead and create contact with parent role given readwrite.
$startingState = ContactsUtil::getStartingState();
$this->resetGetArray();
$this->setPostArray(array('Contact' => array('firstName' => 'Jim', 'lastName' => 'Doe', 'officePhone' => '456765421', 'state' => array('id' => $startingState->id))));
$url = $this->runControllerWithRedirectExceptionAndGetUrl('/contacts/default/create');
$jimDoeContactId = intval(substr($url, strpos($url, 'id=') + 3));
$jimDoeContact = Contact::getById($jimDoeContactId);
$this->assertNotNull($jimDoeContact);
$this->resetPostArray();
$this->setGetArray(array('id' => $jimDoeContactId));
$content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
$this->assertContains('Who can read and write Owner', $content);
// create a contact using jane which she would see at all times
$this->logoutCurrentUserLoginNewUserAndGetByUsername('jane');
$this->resetGetArray();
$this->setPostArray(array('Contact' => array('firstName' => 'Jane', 'lastName' => 'Doe', 'officePhone' => '456765421', 'state' => array('id' => $startingState->id))));
$url = $this->runControllerWithRedirectExceptionAndGetUrl('/contacts/default/create');
$janeDoeContactId = intval(substr($url, strpos($url, 'id=') + 3));
$janeDoeContact = Contact::getById($jimDoeContactId);
$this->assertNotNull($janeDoeContact);
$this->resetPostArray();
$this->setGetArray(array('id' => $janeDoeContactId));
$content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
$this->assertContains('Who can read and write Owner', $content);
// ensure jim can see that contact everywhere
// jim should have access to see contact on list view
$this->logoutCurrentUserLoginNewUserAndGetByUsername('jim');
$this->resetGetArray();
// get the page, ensure the name of contact does show up there.
$content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
$this->assertContains('Jim Doe</a></td><td>', $content);
$this->assertNotContains('Jane Doe</a></td><td>', $content);
// jim should have access to jimDoeContact's detail view
$this->setGetArray(array('id' => $jimDoeContactId));
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
// jim should have access to jimDoeContact's edit view
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
// jim should not have access to janeDoeContact's detail view
$this->setGetArray(array('id' => $janeDoeContactId));
try {
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
$this->fail('Accessing details action should have thrown ExitException');
} catch (ExitException $e) {
// just cleanup buffer
$this->endAndGetOutputBuffer();
}
// jim should have access to janeDoeContact's edit view
try {
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
$this->fail('Accessing edit action should have thrown ExitException');
} catch (ExitException $e) {
// just cleanup buffer
$this->endAndGetOutputBuffer();
}
// ensure jane can see that contact everywhere
// jane should have access to see contact on list view
$this->logoutCurrentUserLoginNewUserAndGetByUsername('jane');
$this->resetGetArray();
// get the page, ensure the name of contact does show up there.
$content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
$this->assertContains('Jim Doe</a></td><td>', $content);
$this->assertContains('Jane Doe</a></td><td>', $content);
// jane should have access to jimDoeContact's detail view
$this->setGetArray(array('id' => $jimDoeContactId));
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
// jane should have access to jimDoeContact's edit view
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
// jane should have access to janeDoeContact's detail view
$this->setGetArray(array('id' => $janeDoeContactId));
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
// jane should have access to janeDoeContact's edit view
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
// unlink Parent role from child
$this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$this->setGetArray(array('id' => $childRoleId));
$this->setPostArray(array('Role' => array('name' => 'Child', 'role' => array('id' => ''))));
$this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/role/edit');
$childRole = Role::getByName('Child');
$this->assertNotNull($childRole);
$this->assertEquals('Child', strval($childRole));
$parentRole->forgetAll();
$parentRole = Role::getById($parentRoleId);
$this->assertNotNull($parentRole);
$this->assertCount(0, $parentRole->roles);
// ensure jim can still see that contact everywhere
// jim should have access to see contact on list view
$this->logoutCurrentUserLoginNewUserAndGetByUsername('jim');
$this->resetGetArray();
// get the page, ensure the name of contact does show up there.
$content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
$this->assertContains('Jim Doe</a></td><td>', $content);
$this->assertNotContains('Jane Doe</a></td><td>', $content);
// jim should have access to jimDoeContact's detail view
$this->setGetArray(array('id' => $jimDoeContactId));
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
// jim should have access to jimDoeContact's edit view
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
// jim should not have access to janeDoeContact's detail view
$this->setGetArray(array('id' => $janeDoeContactId));
try {
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
$this->fail('Accessing details action should have thrown ExitException');
} catch (ExitException $e) {
// just cleanup buffer
$this->endAndGetOutputBuffer();
}
// jim should have access to janeDoeContact's edit view
try {
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
$this->fail('Accessing edit action should have thrown ExitException');
} catch (ExitException $e) {
// just cleanup buffer
$this->endAndGetOutputBuffer();
}
// ensure jane can not see that contact anywhere
// jane should have access to see contact on list view
$this->logoutCurrentUserLoginNewUserAndGetByUsername('jane');
$this->resetGetArray();
// get the page, ensure the name of contact does not show up there.
$content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
$this->assertNotContains('Jim Doe</a></td><td>', $content);
$this->assertContains('Jane Doe</a></td><td>', $content);
// jane should have access to janeDoeContact's detail view
$this->setGetArray(array('id' => $janeDoeContactId));
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
// jane should have access to janeDoeContact's edit view
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
// jane should not have access to jimDoeContact's detail view
$this->setGetArray(array('id' => $jimDoeContactId));
try {
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
$this->fail('Accessing details action should have thrown ExitException');
} catch (ExitException $e) {
// just cleanup buffer
$this->endAndGetOutputBuffer();
}
// jane should not have access to jimDoeContact's edit view
try {
$this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
$this->fail('Accessing edit action should have thrown ExitException');
} catch (ExitException $e) {
// just cleanup buffer
$this->endAndGetOutputBuffer();
}
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create project owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$project = ProjectTestHelper::createProjectByNameForOwner('projectForElevationToModelTest', $super);
//Test nobody, access to edit and details should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->runControllerWithNoExceptionsAndGetContent('projects/default/dashboardDetails');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/delete');
//give nobody access to read
Yii::app()->user->userModel = $super;
$project->addPermissions($nobody, Permission::READ);
$this->assertTrue($project->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($project, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $project->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
//Test nobody, access to edit should fail.
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/delete');
$projectId = $project->id;
$project->forget();
$project = Project::getById($projectId);
//give nobody access to read and write
Yii::app()->user->userModel = $super;
$project->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
//TODO :Its wierd that giving opportunity errors
$this->assertTrue($project->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($project, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($project, $nobody);
//Now the nobody user should be able to access the edit view and still the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $project->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
$projectId = $project->id;
$project->forget();
$project = Project::getById($projectId);
//revoke nobody access to read
Yii::app()->user->userModel = $super;
$project->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS, Permission::DENY);
$this->assertTrue($project->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($project, $nobody);
//Test nobody, access to detail should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create project owned by super
$project2 = ProjectTestHelper::createProjectByNameForOwner('testingParentRolePermission', $super);
//Test userInParentRole, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$project2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($project2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($project2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
$projectId = $project2->id;
$project2->forget();
$project2 = Project::getById($projectId);
//give userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$project2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($project2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($project2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($project2, $userInChildRole);
//Test userInChildRole, access to edit should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
//Test userInParentRole, access to edit should not fail.
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInParentRole->username);
$this->setGetArray(array('id' => $project2->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
$projectId = $project2->id;
$project2->forget();
$project2 = Project::getById($projectId);
//revoke userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$project2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS, Permission::DENY);
$this->assertTrue($project2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($project2, $userInChildRole);
//Test userInChildRole, access to detail should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//Test userInParentRole, access to detail should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to Products and creation of Products.
$userInChildGroup->setRight('ProjectsModule', ProjectsModule::RIGHT_ACCESS_PROJECTS);
$userInChildGroup->setRight('ProjectsModule', ProjectsModule::RIGHT_CREATE_PROJECTS);
$this->assertTrue($userInChildGroup->save());
//create project owned by super
$project3 = ProjectTestHelper::createProjectByNameForOwner('testingParentGroupPermission', $super);
//Test userInParentGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//Test userInChildGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$project3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($project3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($project3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
//Test userInChildGroup, access to details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/details');
$projectId = $project3->id;
$project3->forget();
$project3 = Project::getById($projectId);
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$project3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($project3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($project3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($project3, $parentGroup);
//Test userInParentGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
//Test userInChildGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $project3->id));
$this->runControllerWithNoExceptionsAndGetContent('projects/default/edit');
$projectId = $project3->id;
$project3->forget();
$project3 = Project::getById($projectId);
//revoke parentGroup access to read and write
Yii::app()->user->userModel = $super;
$project3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS, Permission::DENY);
$this->assertTrue($project3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($project3, $parentGroup);
//Test userInChildGroup, access to detail should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//Test userInParentGroup, access to detail should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/details');
$this->setGetArray(array('id' => $project3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('projects/default/edit');
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
//clear up the role relationships between users so not to effect next assertions
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create contact web form owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$contactWebForm = ContactWebFormTestHelper::createContactWebFormByName('contactWebFormForElevationToModelTest', $super);
//Test nobody, access to edit and details should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
//give nobody access to read
Yii::app()->user->userModel = $super;
$contactWebForm->addPermissions($nobody, Permission::READ);
$this->assertTrue($contactWebForm->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($contactWebForm, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
//Test nobody, access to edit should fail.
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm->id;
$contactWebForm->forget();
$contactWebForm = ContactWebForm::getById($contactWebFormId);
//give nobody access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($contactWebForm, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contactWebForm, $nobody);
//Now the nobody user should be able to access the edit view and still the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm->id;
$contactWebForm->forget();
$contactWebForm = ContactWebForm::getById($contactWebFormId);
//revoke nobody access to read
Yii::app()->user->userModel = $super;
$contactWebForm->removePermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($contactWebForm, $nobody);
//Test nobody, access to detail should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create web form owned by super
$contactWebForm2 = ContactWebFormTestHelper::createContactWebFormByName('testingParentRolePermission', $super);
//Test userInParentRole, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$contactWebForm2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($contactWebForm2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($contactWebForm2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
$contactWebFormId = $contactWebForm2->id;
$contactWebForm2->forget();
$contactWebForm2 = ContactWebForm::getById($contactWebFormId);
//give userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($contactWebForm2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($contactWebForm2, $userInChildRole);
//Test userInChildRole, access to edit should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
//Test userInParentRole, access to edit should not fail.
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInParentRole->username);
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm2->id;
$contactWebForm2->forget();
$contactWebForm2 = ContactWebForm::getById($contactWebFormId);
//revoke userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm2->removePermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($contactWebForm2, $userInChildRole);
//Test userInChildRole, access to detail should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//Test userInParentRole, access to detail should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to ContactWebForms and creation of ContactWebForms.
$userInChildGroup->setRight('ContactWebFormsModule', ContactWebFormsModule::RIGHT_ACCESS_CONTACT_WEB_FORMS);
$userInChildGroup->setRight('ContactWebFormsModule', ContactWebFormsModule::RIGHT_CREATE_CONTACT_WEB_FORMS);
$this->assertTrue($userInChildGroup->save());
//create web form owned by super
$contactWebForm3 = ContactWebFormTestHelper::createContactWebFormByName('testingParentGroupPermission', $super);
//Test userInParentGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//Test userInChildGroup, access to details and edit should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$contactWebForm3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($contactWebForm3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($contactWebForm3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
//Test userInChildGroup, access to details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/details');
$contactWebFormId = $contactWebForm3->id;
$contactWebForm3->forget();
$contactWebForm3 = ContactWebForm::getById($contactWebFormId);
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($contactWebForm3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($contactWebForm3, $parentGroup);
//Test userInParentGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
//Test userInChildGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerWithNoExceptionsAndGetContent('contactWebForms/default/edit');
$contactWebFormId = $contactWebForm3->id;
$contactWebForm3->forget();
$contactWebForm3 = ContactWebForm::getById($contactWebFormId);
//revoke parentGroup access to read and write
Yii::app()->user->userModel = $super;
$contactWebForm3->removePermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($contactWebForm3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($contactWebForm3, $parentGroup);
//Test userInChildGroup, access to detail should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//Test userInParentGroup, access to detail should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/details');
$this->setGetArray(array('id' => $contactWebForm3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('contactWebForms/default/edit');
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
//clear up the role relationships between users so not to effect next assertions
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
protected function beforeSave()
{
if (parent::beforeSave()) {
if (isset($this->originalAttributeValues['role']) && $this->originalAttributeValues['role'][1] > 0) {
//copy to new object, so we can populate the old parent role as the related role.
//otherwise it gets passed by reference. We need the old $this->role information to properly
//utilize the roleParentBeingRemoved method.
$role = unserialize(serialize($this));
$role->role = Role::getById($this->originalAttributeValues['role'][1]);
AllPermissionsOptimizationUtil::roleParentBeingRemoved($role);
ReadPermissionsSubscriptionUtil::roleParentBeingRemoved();
assert('$this->originalAttributeValues["role"][1] != $this->role->id');
}
return true;
} else {
return false;
}
}
/**
* @depends testRegularUserControllerActionsWithElevationToAccessAndCreate
*/
public function testRegularUserControllerActionsWithElevationToModels()
{
//Create lead owned by user super.
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$lead = LeadTestHelper::createLeadByNameForOwner('leadForElevationToModelTest', $super);
//Test nobody, access to edit, details and delete should fail.
$nobody = $this->logoutCurrentUserLoginNewUserAndGetByUsername('nobody');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give nobody access to read
Yii::app()->user->userModel = $super;
$lead->addPermissions($nobody, Permission::READ);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($lead, $nobody);
//Now the nobody user can access the details view.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test nobody, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give nobody access to read and write
Yii::app()->user->userModel = $super;
$lead->addPermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($lead, $nobody);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead, $nobody);
//Now the nobody user should be able to access the edit view and still the details view
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test nobody, access to delete should fail.
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//revoke nobody access to read
Yii::app()->user->userModel = $super;
$lead->removePermissions($nobody, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($lead, $nobody);
//Test nobody, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give nobody access to read, write and delete
Yii::app()->user->userModel = $super;
$lead->addPermissions($nobody, Permission::READ_WRITE_DELETE);
$this->assertTrue($lead->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead, $nobody);
//now nobody should be able to delete a lead
Yii::app()->user->userModel = $nobody;
$this->setGetArray(array('id' => $lead->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('leads/default/delete', Yii::app()->createUrl('leads/default/index'));
//create some roles
Yii::app()->user->userModel = $super;
$parentRole = new Role();
$parentRole->name = 'AAA';
$this->assertTrue($parentRole->save());
$childRole = new Role();
$childRole->name = 'BBB';
$this->assertTrue($childRole->save());
$userInParentRole = User::getByUsername('confused');
$userInChildRole = User::getByUsername('nobody');
$childRole->users->add($userInChildRole);
$this->assertTrue($childRole->save());
$parentRole->users->add($userInParentRole);
$parentRole->roles->add($childRole);
$this->assertTrue($parentRole->save());
$userInChildRole->forget();
$userInChildRole = User::getByUsername('nobody');
$userInParentRole->forget();
$userInParentRole = User::getByUsername('confused');
$parentRoleId = $parentRole->id;
$parentRole->forget();
$parentRole = Role::getById($parentRoleId);
$childRoleId = $childRole->id;
$childRole->forget();
$childRole = Role::getById($childRoleId);
//create lead owned by super
$lead2 = LeadTestHelper::createLeadByNameForOwner('leadsParentRolePermission', $super);
//Test userInChildRole, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give userInChildRole access to READ
Yii::app()->user->userModel = $super;
$lead2->addPermissions($userInChildRole, Permission::READ);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForUser($lead2, $userInChildRole);
//Test userInChildRole, access to details should not fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInChildRole, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to details should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInParentRole, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$lead2->addPermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForUser($lead2, $userInChildRole);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead2, $userInChildRole);
//Test userInChildRole, access to edit and delete should not fail and also detaisl view must be accessible.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInChildRole, access to delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to edit should not fail.
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInParentRole->username);
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInParentRole, access to delete should fail.
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//revoke userInChildRole access to read and write
Yii::app()->user->userModel = $super;
$lead2->removePermissions($userInChildRole, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForUser($lead2, $userInChildRole);
//Test userInChildRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentRole, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead2->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give userInChildRole access to read, write and delete
Yii::app()->user->userModel = $super;
$lead2->addPermissions($userInChildRole, Permission::READ_WRITE_DELETE);
$this->assertTrue($lead2->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($lead2, $userInChildRole);
//Test userInParentRole, access to delete should not fail.
Yii::app()->user->userModel = $userInParentRole;
$this->setGetArray(array('id' => $lead2->id));
$this->resetPostArray();
$this->runControllerWithRedirectExceptionAndGetContent('leads/default/delete', Yii::app()->createUrl('leads/default/index'));
//clear up the role relationships between users so not to effect next assertions
$parentRole->users->remove($userInParentRole);
$parentRole->roles->remove($childRole);
$this->assertTrue($parentRole->save());
$childRole->users->remove($userInChildRole);
$this->assertTrue($childRole->save());
//create some groups and assign users to groups
Yii::app()->user->userModel = $super;
$parentGroup = new Group();
$parentGroup->name = 'AAA';
$this->assertTrue($parentGroup->save());
$childGroup = new Group();
$childGroup->name = 'BBB';
$this->assertTrue($childGroup->save());
$userInChildGroup = User::getByUsername('confused');
$userInParentGroup = User::getByUsername('nobody');
$childGroup->users->add($userInChildGroup);
$this->assertTrue($childGroup->save());
$parentGroup->users->add($userInParentGroup);
$parentGroup->groups->add($childGroup);
$this->assertTrue($parentGroup->save());
$parentGroup->forget();
$childGroup->forget();
$parentGroup = Group::getByName('AAA');
$childGroup = Group::getByName('BBB');
//Add access for the confused user to leads and creation of leads.
$userInChildGroup->setRight('LeadsModule', LeadsModule::RIGHT_ACCESS_LEADS);
$userInChildGroup->setRight('LeadsModule', LeadsModule::RIGHT_CREATE_LEADS);
$userInChildGroup->setRight('LeadsModule', LeadsModule::RIGHT_DELETE_LEADS);
$this->assertTrue($userInChildGroup->save());
//create lead owned by super
$lead3 = LeadTestHelper::createLeadByNameForOwner('leadsParentGroupPermission', $super);
//Test userInParentGroup, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInChildGroup, access to details, edit and delete should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give parentGroup access to READ
Yii::app()->user->userModel = $super;
$lead3->addPermissions($parentGroup, Permission::READ);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemGivenReadPermissionsForGroup($lead3, $parentGroup);
//Test userInParentGroup, access to details should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInParentGroup, access to delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInChildGroup, access to edit and details should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/details');
//Test userInChildGroup, access to edit and delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give parentGroup access to read and write
Yii::app()->user->userModel = $super;
$lead3->addPermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemLostReadPermissionsForGroup($lead3, $parentGroup);
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($lead3, $parentGroup);
//Test userInParentGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInParentGroup, access to delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInChildGroup, access to edit should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithNoExceptionsAndGetContent('leads/default/edit');
//Test userInChildGroup, access to delete should fail.
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//revoke parentGroup access to read and write
Yii::app()->user->userModel = $super;
$lead3->removePermissions($parentGroup, Permission::READ_WRITE_CHANGE_PERMISSIONS);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($lead3, $parentGroup);
//Test userInChildGroup, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//Test userInParentGroup, access to detail, edit and delete should fail.
Yii::app()->user->userModel = $userInParentGroup;
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/details');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/edit');
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerShouldResultInAccessFailureAndGetContent('leads/default/delete');
//give parentGroup access to read, write and delete
Yii::app()->user->userModel = $super;
$lead3->addPermissions($parentGroup, Permission::READ_WRITE_DELETE);
$this->assertTrue($lead3->save());
AllPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($lead3, $parentGroup);
//Test userInChildGroup, access to delete should not fail.
Yii::app()->user->userModel = $userInChildGroup;
$this->logoutCurrentUserLoginNewUserAndGetByUsername($userInChildGroup->username);
$this->setGetArray(array('id' => $lead3->id));
$this->runControllerWithRedirectExceptionAndGetContent('leads/default/delete', Yii::app()->createUrl('leads/default/index'));
//clear up the role relationships between users so not to effect next assertions
$super = $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
$userInParentGroup->forget();
$userInChildGroup->forget();
$childGroup->forget();
$parentGroup->forget();
$userInParentGroup = User::getByUsername('nobody');
$userInChildGroup = User::getByUsername('confused');
$childGroup = Group::getByName('BBB');
$parentGroup = Group::getByName('AAA');
$parentGroup->users->remove($userInParentGroup);
$parentGroup->groups->remove($childGroup);
$this->assertTrue($parentGroup->save());
$childGroup->users->remove($userInChildGroup);
$this->assertTrue($childGroup->save());
}
public function actionUsersInRoleModalList($id)
{
$model = Role::getById((int) $id);
ControllerSecurityUtil::resolveAccessCanCurrentUserReadModel($model);
$searchAttributeData = UsersByRoleModalListControllerUtil::makeModalSearchAttributeDataByRoleModel($model);
$dataProvider = UsersByRoleModalListControllerUtil::makeDataProviderBySearchAttributeData($searchAttributeData);
Yii::app()->getClientScript()->setToAjaxMode();
echo UsersByRoleModalListControllerUtil::renderList($this, $dataProvider);
}
/**
* @param DemoDataHelper $demoDataHelper
*/
public function makeAll(&$demoDataHelper)
{
assert('$demoDataHelper instanceof DemoDataHelper');
assert('$demoDataHelper->isSetRange("Group")');
assert('$demoDataHelper->isSetRange("Role")');
$super = User::getByUsername('super');
$email = new Email();
$email->emailAddress = static::resolveDemoEmailAddress('Super.test');
$super->primaryEmail = $email;
$saved = $super->save();
assert('$saved');
UserConfigurationFormAdapter::setValue($super, true, 'turnOffEmailNotifications');
$userAvatarForm = new UserAvatarForm($super);
$userAvatarForm->avatarType = User::AVATAR_TYPE_PRIMARY_EMAIL;
$saved = $userAvatarForm->save();
assert('$saved');
$user = new User();
$this->populateModel($user);
$user->username = '******';
$user->title->value = 'Sir';
$user->firstName = 'Jason';
$user->lastName = 'Blue';
$user->lastLoginDateTime = DateTimeUtil::convertTimestampToDbFormatDateTime(time());
$email = new Email();
$email->emailAddress = static::resolveDemoEmailAddress('Jason.Blue');
$user->primaryEmail = $email;
$user->setPassword($user->username);
$saved = $user->save();
assert('$saved');
UserConfigurationFormAdapter::setValue($user, true, 'turnOffEmailNotifications');
$userAvatarForm = new UserAvatarForm($user);
$userAvatarForm->avatarType = User::AVATAR_TYPE_PRIMARY_EMAIL;
$saved = $userAvatarForm->save();
assert('$saved');
$userStartId = $user->id;
$roleIdRange = $demoDataHelper->getRangeByModelName('Role');
$role = Role::getById($roleIdRange['startId']);
assert('$role instanceof Role');
$role->users->add($user);
$saved = $role->save();
assert('$saved');
foreach (array('jim' => 'Mr.', 'john' => 'Mr.', 'sally' => 'Dr.', 'mary' => 'Mrs.', 'katie' => 'Ms.', 'jill' => 'Ms.', 'sam' => 'Mr.') as $username => $title) {
$user = new User();
$this->populateModel($user);
$user->username = $username;
$user->setPassword($user->username);
$user->title->value = $title;
$user->firstName = ucfirst($username);
$user->lastName = 'Smith';
$email = new Email();
$email->emailAddress = static::resolveDemoEmailAddress($user->firstName);
$user->primaryEmail = $email;
$user->lastLoginDateTime = DateTimeUtil::convertTimestampToDbFormatDateTime(time());
$saved = $user->save();
assert('$saved');
UserConfigurationFormAdapter::setValue($user, true, 'turnOffEmailNotifications');
$userAvatarForm = new UserAvatarForm($user);
$userAvatarForm->avatarType = User::AVATAR_TYPE_PRIMARY_EMAIL;
$saved = $userAvatarForm->save();
assert('$saved');
$roleIdRange = $demoDataHelper->getRangeByModelName('Role');
$role = Role::getById($roleIdRange['startId'] + 1);
assert('$role instanceof Role');
$role->users->add($user);
$saved = $role->save();
assert('$saved');
}
$demoDataHelper->setRangeByModelName('User', $userStartId, $user->id);
}
/**
* If a user is removed from a role, raise two events signaling a potential change in
* Rights/Policies for this user.
* @see Item::beforeSave()
*/
protected function beforeSave()
{
if (parent::beforeSave()) {
if (isset($this->originalAttributeValues['role']) && $this->originalAttributeValues['role'][1] > 0) {
AllPermissionsOptimizationUtil::userBeingRemovedFromRole($this, Role::getById($this->originalAttributeValues['role'][1]));
$this->onChangeRights();
$this->onChangePolicies();
}
return true;
} else {
return false;
}
}
/**
* @depends testAddingUserToRoleWithNoParentsAndNoUsers
*/
public function testAddingUserToRoleWithNoParentsAndOneUser()
{
// create a role with no parents
$role = $this->createRole('twoUsers');
// create 2 users
$users = UserTestHelper::generateBasicUsers(2);
foreach ($users as $user) {
$this->addUserToRole($user, $role);
}
// ensure we have got the user part of the role.
$roleId = $role->id;
$role->forgetAll();
unset($role);
$role = Role::getById($roleId);
$this->assertEquals(count($users), $role->users->count());
foreach ($users as $i => $user) {
$this->assertTrue($role->users[$i]->isSame($user));
}
$this->roleWithTwoUsers = $role;
}
