/**
 * Round-trips the actual permissions of the 'AccountsModule' named securable
 * item through PermissionsCache for the 'super' user and checks that the value
 * read back equals the value that was stored.
 *
 * When neither memcache nor database caching is available the method returns
 * without making any assertion, so a green result in that configuration says
 * nothing about the cache.
 */
public function testCachingNamedSecurableItemActualPermissions()
{
    if (!PermissionsCache::supportsAndAllowsMemcache() &&
        !PermissionsCache::supportsAndAllowsDatabaseCaching())
    {
        // No cache backend to exercise.
        return;
    }

    // The current user and the cache key user are both loaded by username.
    Yii::app()->user->userModel = User::getByUsername('super');
    $super                      = User::getByUsername('super');

    $namedSecurableItem = 'AccountsModule';
    $expected           = NamedSecurableItem::getByName('AccountsModule')->getActualPermissions();

    PermissionsCache::cacheNamedSecurableItemActualPermissions($namedSecurableItem, $super, $expected);
    $fromCache = PermissionsCache::getNamedSecurableItemActualPermissions($namedSecurableItem, $super);

    $this->assertEquals($expected, $fromCache);
}
/**
 * Computes the allow and deny permission bitmasks this securable item grants
 * to a permitable.
 *
 * The two masks are returned separately; this method does not subtract deny
 * from allow. Both are expected to stay within Permission::ALL.
 *
 * Two code paths produce the result:
 *  - non-optimized: walks the permissions in PHP. It is used when
 *    SECURITY_OPTIMIZED is off or processGetActualPermissionsAsNonOptimized()
 *    returns true.
 *  - optimized: reads a combined value from PermissionsCache and, on a cache
 *    miss, from a database function, then splits it into the two masks.
 *
 * NOTE(review): the assert() calls take string arguments. They run only when
 * assertions are enabled, and PHP 8 no longer evaluates string assertions as
 * code, so none of them should be treated as a runtime guard.
 *
 * @param null|Permitable $permitable Subject to evaluate; null means the current user.
 * @return array array($allowPermissions, $denyPermissions)
 * @throws NoCurrentUserSecurityException When $permitable is null and the current
 *                                        user model is not a User.
 */
public function getActualPermissions($permitable = null)
{
    assert('$permitable === null || $permitable instanceof Permitable');
    if ($permitable === null)
    {
        // Fall back to the logged-in user; refuse to evaluate for "nobody".
        $permitable = Yii::app()->user->userModel;
        if (!$permitable instanceof User)
        {
            throw new NoCurrentUserSecurityException();
        }
    }

    $useOptimizedPath = SECURITY_OPTIMIZED && !$this->processGetActualPermissionsAsNonOptimized();

    if ($useOptimizedPath)
    {
        try
        {
            // NOTE(review): a cache hit is returned as-is; invalidation after a
            // permission change is not visible in this method. Confirm in PermissionsCache.
            $combined = PermissionsCache::getCombinedPermissions($this, $permitable);
        }
        catch (NotFoundException $cacheMiss)
        {
            $securableItemId = $this->getClassId('SecurableItem');
            $permitableId    = $permitable->getClassId('Permitable');
            // Optimizations work on the database,
            // anything not saved will not work.
            assert('$permitableId > 0');
            $className  = get_class($this);
            $moduleName = static::getModuleClassName();
            $cachingOn  = 0;
            if (PermissionsCache::supportsAndAllowsDatabaseCaching())
            {
                $cachingOn = 1;
            }
            // NOTE(review): the arguments are interpolated into the call text rather
            // than bound. Here they come from getClassId(), get_class() and
            // getModuleClassName(), not from request data. Confirm the two ids are
            // always integers, since nothing in this method casts them.
            $rawResult = ZurmoDatabaseCompatibilityUtil::callFunction("get_securableitem_actual_permissions_for_permitable({$securableItemId}, {$permitableId}, '{$className}', '{$moduleName}', {$cachingOn})");
            $combined  = (int) $rawResult;
            PermissionsCache::cacheCombinedPermissions($this, $permitable, $combined);
        }
        // The combined value carries the allow mask shifted up by 8 bits
        // and the deny mask in the low bits.
        $allowPermissions = ($combined >> 8) & Permission::ALL;
        $denyPermissions  = $combined & Permission::ALL;
    }
    else
    {
        // The slow way will remain here as documentation
        // for what the optimized way is doing.
        $allowPermissions = Permission::NONE;
        $denyPermissions  = Permission::NONE;
        if (Group::getByName(Group::SUPER_ADMINISTRATORS_GROUP_NAME)->contains($permitable))
        {
            // Super administrators get everything; no deny entries are consulted.
            $allowPermissions = Permission::ALL;
        }
        else
        {
            // Permissions set directly on this item.
            foreach ($this->unrestrictedGet('permissions') as $grant)
            {
                $mask = $grant->getEffectivePermissions($permitable);
                if ($grant->type == Permission::ALLOW)
                {
                    $allowPermissions |= $mask;
                }
                else
                {
                    $denyPermissions |= $mask;
                }
            }

            $allowPermissions |= $this->getPropagatedActualAllowPermissions($permitable);

            if (!($this instanceof NamedSecurableItem))
            {
                // Add permissions set on the named items for this class
                // and for its module.
                $namedItemNames = array(get_class($this), static::getModuleClassName());
                foreach ($namedItemNames as $namedItemName)
                {
                    try
                    {
                        $namedItem  = NamedSecurableItem::getByName($namedItemName);
                        $namedAllow = Permission::NONE;
                        $namedDeny  = Permission::NONE;
                        foreach ($namedItem->unrestrictedGet('permissions') as $grant)
                        {
                            $mask = $grant->getEffectivePermissions($permitable);
                            if ($grant->type == Permission::ALLOW)
                            {
                                $namedAllow |= $mask;
                            }
                            else
                            {
                                $namedDeny |= $mask;
                            }
                            // We shouldn't see something that isn't owned having CHANGE_OWNER.
                            // The check for that is disabled. As it was written,
                            // "$typeAllowPermissions & Permission::CHANGE_OWNER == Permission::NONE"
                            // would also need parentheses around the "&" term before being
                            // re-enabled, because "==" binds tighter than "&" in PHP.
                        }
                        // Merged only after the whole named item has been read.
                        $allowPermissions |= $namedAllow;
                        $denyPermissions  |= $namedDeny;
                    }
                    catch (NotFoundException $notFound)
                    {
                        // A NotFoundException raised anywhere in the try block means
                        // this name contributes neither allow nor deny bits.
                    }
                }
            }
        }
    }

    assert("({$allowPermissions} & ~Permission::ALL) == 0");
    assert("({$denyPermissions} & ~Permission::ALL) == 0");
    return array($allowPermissions, $denyPermissions);
}