/** * Given a SecurableItem, add and remove permissions * based on what the provided ExplicitReadWriteModelPermissions indicates should be done. * Sets @see SecurableItem->setTreatCurrentUserAsOwnerForPermissions as true in order to ensure the current user * can effectively add permissions even if the current user is no longer the owner. * @param SecurableItem $securableItem * @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions * @return boolean * @throws NotSupportedException() */ public static function resolveExplicitReadWriteModelPermissions(SecurableItem $securableItem, ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions) { assert('$securableItem->id > 0'); $securableItem->setTreatCurrentUserAsOwnerForPermissions(true); $saveSecurableItem = false; if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesCount() > 0) { $saveSecurableItem = true; foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitables() as $permitable) { $securableItem->addPermissions($permitable, Permission::READ); if ($permitable instanceof Group) { ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($securableItem, $permitable); } elseif ($permitable instanceof User) { ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $permitable); } else { throw new NotSupportedException(); } } } if ($explicitReadWriteModelPermissions->getReadWritePermitablesCount() > 0) { $saveSecurableItem = true; foreach ($explicitReadWriteModelPermissions->getReadWritePermitables() as $permitable) { $securableItem->addPermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER); if ($permitable instanceof Group) { ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($securableItem, $permitable); } elseif ($permitable instanceof User) { ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $permitable); } else { throw new NotSupportedException(); } } } if ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemoveCount() > 0) { $saveSecurableItem = true; foreach ($explicitReadWriteModelPermissions->getReadOnlyPermitablesToRemove() as $permitable) { $securableItem->removePermissions($permitable, Permission::READ, Permission::ALLOW); if ($permitable instanceof Group) { ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $permitable); } elseif ($permitable instanceof User) { ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $permitable); } else { throw new NotSupportedException(); } } } if ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemoveCount() > 0) { $saveSecurableItem = true; foreach ($explicitReadWriteModelPermissions->getReadWritePermitablesToRemove() as $permitable) { $securableItem->removePermissions($permitable, Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER, Permission::ALLOW); if ($permitable instanceof Group) { ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $permitable); } elseif ($permitable instanceof User) { ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $permitable); } else { throw new NotSupportedException(); } } } if ($saveSecurableItem) { $setBackToProcess = false; if ($securableItem->shouldProcessWorkflowOnSave()) { $securableItem->setDoNotProcessWorkflowOnSave(); $setBackToProcess = true; } $saved = $securableItem->save(); if ($setBackToProcess) { $securableItem->setProcessWorkflowOnSave(); } $securableItem->setTreatCurrentUserAsOwnerForPermissions(false); return $saved; } $securableItem->setTreatCurrentUserAsOwnerForPermissions(false); return true; }
/** * @param SecurableItem $securableItem * @param User $user */ public static function securableItemLostReadPermissionsForUser(SecurableItem $securableItem, User $user) { ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $user); AllPermissionsOptimizationCache::forgetSecurableItemForRead($securableItem); }
/** * @depends testGroupGivenReadOnOwnedSecurableItem_Slide6 */ public function testUserLosesReadOnOwnedSecurableItem_Slide7() { $u1 = User::getByUsername('u1.'); $u2 = User::getByUsername('u2.'); $u3 = User::getByUsername('u3.'); Yii::app()->user->userModel = $u1; $a1 = new Account(); $a1->name = 'A1.'; $a1->addPermissions($u2, Permission::READ); $a1->addPermissions($u3, Permission::READ); $this->assertTrue($a1->save()); //Called in OwnedSecurableItem::afterSave(); //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a1); ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($a1, $u2); ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($a1, $u3); $this->assertEquals(array(array('R2', 1), array('R3', 1), array('R5', 2), array('R6', 2), array('U2', 1), array('U3', 1)), self::getAccountMungeRows($a1)); $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt()); $a1->removePermissions($u2, Permission::READ); $this->assertTrue($a1->save()); ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($a1, $u2); $this->assertEquals(array(array('R2', 1), array('R3', 1), array('R5', 1), array('R6', 1), array('U3', 1)), self::getAccountMungeRows($a1)); $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt()); $a1->removePermissions($u3, Permission::READ); $this->assertTrue($a1->save()); ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($a1, $u3); $this->assertEquals(array(array('R2', 1), array('R3', 1)), self::getAccountMungeRows($a1)); $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt()); $a1->delete(); }