/**
* Create a new permission token, and save it to the permission tokens table
* @param string $name The name of the permission
* @param string $description The description of the permission
* @param string $group The token group for organizational purposes
* @param bool $crud Indicates if the token is a CRUD or boolean type token (default is boolean)
* @return mixed the ID of the newly created permission, or boolean false
*/
public static function create_token($name, $description, $group, $crud = false)
{
$name = self::normalize_token($name);
$crud = $crud ? 1 : 0;
// first, make sure this isn't a duplicate
if (ACL::token_exists($name)) {
return false;
}
$allow = true;
// Plugins have the opportunity to prevent adding this token
$allow = Plugins::filter('token_create_allow', $allow, $name, $description, $group, $crud);
if (!$allow) {
return false;
}
Plugins::act('token_create_before', $name, $description, $group, $crud);
$result = DB::query('INSERT INTO {tokens} (name, description, token_group, token_type) VALUES (?, ?, ?, ?)', array($name, $description, $group, $crud));
if (!$result) {
// if it didn't work, don't bother trying to log it
return false;
}
self::clear_caches();
// Add the token to the admin group
$token = ACL::token_id($name);
$admin = UserGroup::get('admin');
if ($admin) {
ACL::grant_group($admin->id, $token, 'full');
}
EventLog::log('New permission token created: ' . $name, 'info', 'default', 'habari');
Plugins::act('permission_create_after', $name, $description, $group, $crud);
return $result;
}
function test_creategroup()
{
$user = User::create( array( 'username' => 'testcaseuser', 'email' => '*****@*****.**', 'password' => 'test') );
$this->assert_true(
$user instanceof User,
'Could not create test user.'
);
$group = UserGroup::create( array( 'name' => 'new test group' ) );
$this->assert_true(
$group instanceof UserGroup,
'Could not create a new group named "new test group".'
);
ACL::create_token( 'test permission', 'A permission for test cases', 'Administration' );
ACL::create_token( 'test deny permission', 'A permission for test cases', 'Administration' );
$this->assert_true(
ACL::token_exists('test permission'),
'The test permission was not created.'
);
$this->assert_true(
ACL::token_exists(' test PeRmission '),
'Permission names are not normalized.'
);
$group->add( 'testcaseuser' );
$group->grant( 'test permission' );
$group->deny( 'test deny permisSion' );
$group->update();
$newgroup = UserGroup::get( 'new test group' );
$this->assert_true(
in_array( $user->id, $newgroup->members ),
'The created user is not a member of the new group.'
);
$this->assert_true(
in_array( ACL::token_id( 'test permission' ), array_keys( $newgroup->permissions ) ),
'The group does not have the new permission.'
);
$this->assert_true(
ACL::group_can( 'new test group', 'test permission' ),
'The group does not have the new permission.'
);
$this->assert_false(
ACL::group_can( 'new test group', 'test deny permission' ),
'The group has a denied permission.'
);
$this->assert_true(
$user->can( 'test permission' ),
'The user does not have a permission his group has been granted.'
);
}
public function test_group_permissions()
{
ACL::create_token( 'acltest', 'A test ACL permission', 'Administration' );
$this->assert_true(
ACL::token_exists( 'acltest' ),
'Could not create acltest permission.'
);
$this->assert_true(
ACL::token_exists( 'acLtEst ' ),
'Permission names are not normalized.'
);
$token_id = ACL::token_id( 'acltest' );
ACL::grant_group( $this->acl_group->id, $token_id, 'full' );
$this->assert_true(
$this->acl_group->can( 'acltest', 'full' ),
'Could not grant acltest permission to acltest-group.'
);
ACL::revoke_group_token( $this->acl_group->id, $token_id );
$this->assert_false(
ACL::group_can( $this->acl_group->id, $token_id, 'full' ),
'Could not revoke acltest permission from acltest-group.'
);
// check alternate means of granting a permission
$this->acl_group->grant( 'acltest', 'full' );
$this->assert_true(
$this->acl_group->can( 'acltest', 'full' ),
'Could not grant acltest permission to acltest-group through UserGroup call.'
);
// full > read/edit
$this->assert_true(
$this->acl_group->can( 'acltest', 'read' ),
"Group with 'full' acltest permission cannot 'read'."
);
$this->assert_true(
$this->acl_group->can( 'acltest', 'edit' ),
"Group with 'full' acltest permission cannot 'edit'."
);
$this->assert_true(
$this->acl_group->can( 'acltest', 'full' ),
"Group with 'full' acltest permission cannot 'full'."
);
$this->assert_exception( 'InvalidArgumentException', "'write' is an invalid token flag." );
$this->acl_group->can( 'acltest', 'write' );
ACL::destroy_token( 'acltest' );
}
public function test_group_permissions()
{
$this->markTestSkipped('Test does not match class code; needs updating');
ACL::create_permission('acltest', 'A test ACL permission');
$this->assertTrue(ACL::token_exists('acltest'), 'Could not create acltest permission.');
$token_id = ACL::token_id('acltest');
ACL::grant_group($this->acl_group->id, $token_id, 'full');
$this->assertTrue($this->acl_group->can('acltest', 'full'), 'Could not grant acltest permission to acltest-group.');
ACL::revoke_group_permission($this->acl_group->id, $token_id);
$this->assert_false(ACL::group_can($this->acl_group->id, $token_id, 'full'), 'Could not revoke acltest permission from acltest-group.');
// check alternate means of granting a permission
$this->acl_group->grant('acltest', 'full');
$this->assertTrue($this->acl_group->can('acltest', 'full'), 'Could not grant acltest permission to acltest-group through UserGroup call.');
// full > read/write
$this->assertTrue($this->acl_group->can('acltest', 'read'), "Group with 'full' acltest permission cannot 'read'.");
$this->assertTrue($this->acl_group->can('acltest', 'write'), "Group with 'full' acltest permission cannot 'write'.");
}
private function upgrade_db_post_5097()
{
/* Add the 'manage_dash_modules' token if it doesn't exist. This is effectively
re-doing upgrade_db_post_3701() for those who didn't upgrade from a db_version
before 3701 or those who have performed a clean install as this token
wasn't set in the list of default tokens until r5142. */
if (!ACL::token_exists('manage_dash_modules')) {
$this->upgrade_db_post_3701();
}
}
