public function test_group_permissions()
{
ACL::create_token( 'acltest', 'A test ACL permission', 'Administration' );
$this->assert_true(
ACL::token_exists( 'acltest' ),
'Could not create acltest permission.'
);
$this->assert_true(
ACL::token_exists( 'acLtEst ' ),
'Permission names are not normalized.'
);
$token_id = ACL::token_id( 'acltest' );
ACL::grant_group( $this->acl_group->id, $token_id, 'full' );
$this->assert_true(
$this->acl_group->can( 'acltest', 'full' ),
'Could not grant acltest permission to acltest-group.'
);
ACL::revoke_group_token( $this->acl_group->id, $token_id );
$this->assert_false(
ACL::group_can( $this->acl_group->id, $token_id, 'full' ),
'Could not revoke acltest permission from acltest-group.'
);
// check alternate means of granting a permission
$this->acl_group->grant( 'acltest', 'full' );
$this->assert_true(
$this->acl_group->can( 'acltest', 'full' ),
'Could not grant acltest permission to acltest-group through UserGroup call.'
);
// full > read/edit
$this->assert_true(
$this->acl_group->can( 'acltest', 'read' ),
"Group with 'full' acltest permission cannot 'read'."
);
$this->assert_true(
$this->acl_group->can( 'acltest', 'edit' ),
"Group with 'full' acltest permission cannot 'edit'."
);
$this->assert_true(
$this->acl_group->can( 'acltest', 'full' ),
"Group with 'full' acltest permission cannot 'full'."
);
$this->assert_exception( 'InvalidArgumentException', "'write' is an invalid token flag." );
$this->acl_group->can( 'acltest', 'write' );
ACL::destroy_token( 'acltest' );
}
public function test_group_permissions()
{
$this->markTestSkipped('Test does not match class code; needs updating');
ACL::create_permission('acltest', 'A test ACL permission');
$this->assertTrue(ACL::token_exists('acltest'), 'Could not create acltest permission.');
$token_id = ACL::token_id('acltest');
ACL::grant_group($this->acl_group->id, $token_id, 'full');
$this->assertTrue($this->acl_group->can('acltest', 'full'), 'Could not grant acltest permission to acltest-group.');
ACL::revoke_group_permission($this->acl_group->id, $token_id);
$this->assert_false(ACL::group_can($this->acl_group->id, $token_id, 'full'), 'Could not revoke acltest permission from acltest-group.');
// check alternate means of granting a permission
$this->acl_group->grant('acltest', 'full');
$this->assertTrue($this->acl_group->can('acltest', 'full'), 'Could not grant acltest permission to acltest-group through UserGroup call.');
// full > read/write
$this->assertTrue($this->acl_group->can('acltest', 'read'), "Group with 'full' acltest permission cannot 'read'.");
$this->assertTrue($this->acl_group->can('acltest', 'write'), "Group with 'full' acltest permission cannot 'write'.");
}
/**
* Assign one or more new permission tokens to this group
* @param mixed A permission token ID, name, or array of the same
*/
public function grant( $tokens, $access = 'full' )
{
$tokens = Utils::single_array( $tokens );
// Use ids internally for all tokens
$tokens = array_map( array( 'ACL', 'token_id' ), $tokens );
// grant the new permissions
foreach ( $tokens as $token ) {
ACL::grant_group( $this->id, $token, $access );
}
}
/**
* Add user groups to the groups table, randomly assign them existing tokens.
* @param integer $num number of groups to add, or configured value if null.
*/
private function populate_groups_add($num = null)
{
if (!isset($num)) {
$num = Options::get('populate__groups');
}
// Get all tokens that we have created.
$tokens = $this->populate_tokens_get();
// Add all these groups.
$count = 0;
while ($count++ < $num) {
// Create a new group.
$group = Usergroup::create(array('name' => 'populate_' . $this->helper_random_name()));
// assign tokens to this new group.
$max_tokens = count($tokens) - 1;
$num_tokens = rand(0, $max_tokens);
while ($num_tokens-- > 0) {
$token = rand(0, $max_tokens);
ACL::grant_group($group->id, $tokens[$token]->id);
}
}
return;
}
/**
* Create a new permission token, and save it to the permission tokens table
* @param string $name The name of the permission
* @param string $description The description of the permission
* @param string $group The token group for organizational purposes
* @param bool $crud Indicates if the token is a CRUD or boolean type token (default is boolean)
* @return mixed the ID of the newly created permission, or boolean false
*/
public static function create_token($name, $description, $group, $crud = false)
{
$name = self::normalize_token($name);
$crud = $crud ? 1 : 0;
// first, make sure this isn't a duplicate
if (ACL::token_exists($name)) {
return false;
}
$allow = true;
// Plugins have the opportunity to prevent adding this token
$allow = Plugins::filter('token_create_allow', $allow, $name, $description, $group, $crud);
if (!$allow) {
return false;
}
Plugins::act('token_create_before', $name, $description, $group, $crud);
$result = DB::query('INSERT INTO {tokens} (name, description, token_group, token_type) VALUES (?, ?, ?, ?)', array($name, $description, $group, $crud));
if (!$result) {
// if it didn't work, don't bother trying to log it
return false;
}
self::clear_caches();
// Add the token to the admin group
$token = ACL::token_id($name);
$admin = UserGroup::get('admin');
if ($admin) {
ACL::grant_group($admin->id, $token, 'full');
}
EventLog::log('New permission token created: ' . $name, 'info', 'default', 'habari');
Plugins::act('permission_create_after', $name, $description, $group, $crud);
return $result;
}
