/**
 * The role service must refuse an identity that does not implement IdentityInterface
 * instead of silently treating it as a (possibly privileged) identity.
 */
public function testThrowExceptionIfIdentityIsWrongType()
{
    $expectedMessage = 'ZfjRbac expects your identity to implement ZfjRbac\\Identity\\IdentityInterface, "stdClass" given';
    $this->setExpectedException('ZfjRbac\\Exception\\RuntimeException', $expectedMessage);

    // An identity provider that hands back a plain object instead of an IdentityInterface.
    $identityProvider = $this->getMock('ZfjRbac\\Identity\\IdentityProviderInterface');
    $identityProvider
        ->expects($this->any())
        ->method('getIdentity')
        ->will($this->returnValue(new \stdClass()));

    $roleProvider      = $this->getMock('ZfjRbac\\Role\\RoleProviderInterface');
    $traversalStrategy = $this->getMock('Rbac\\Traversal\\Strategy\\TraversalStrategyInterface');

    $roleService = new RoleService($identityProvider, $roleProvider, $traversalStrategy);

    // Resolving roles is what triggers the identity type check.
    $roleService->getIdentityRoles();
}
/**
 * Build the RoleService from the module options.
 *
 * The identity provider and the role provider plugin manager are resolved from the
 * container; the role provider itself is created from the configured plugin name and
 * options. Only the first entry of the role provider configuration is used.
 *
 * @param ContainerInterface $container
 * @param string             $requestedName
 * @param null|array         $options
 * @return object
 * @throws ServiceNotFoundException if unable to resolve the service.
 * @throws ServiceNotCreatedException if an exception is raised when creating a service.
 * @throws ContainerException if any other error occurs
 * @throws RuntimeException if no role provider is configured
 */
public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
{
    /* @var \ZfjRbac\Options\ModuleOptions $moduleOptions */
    $moduleOptions = $container->get('ZfjRbac\\Options\\ModuleOptions');

    /* @var \ZfjRbac\Identity\IdentityProviderInterface $identityProvider */
    $identityProvider = $container->get($moduleOptions->getIdentityProvider());

    // Fail early: without a role provider no roles can ever be resolved.
    $roleProviderConfig = $moduleOptions->getRoleProvider();
    if (empty($roleProviderConfig)) {
        throw new RuntimeException('No role provider has been set for ZfjRbac');
    }

    // First entry: plugin name => plugin options.
    $pluginName    = key($roleProviderConfig);
    $pluginOptions = current($roleProviderConfig);

    /* @var \ZfjRbac\Role\RoleProviderPluginManager $pluginManager */
    $pluginManager = $container->get('ZfjRbac\\Role\\RoleProviderPluginManager');

    /* @var \ZfjRbac\Role\RoleProviderInterface $roleProvider */
    $roleProvider = $pluginManager->get($pluginName, $pluginOptions);

    $roleService = new RoleService($identityProvider, $roleProvider);
    $roleService->setGuestRole($moduleOptions->getGuestRole());

    return $roleService;
}
/**
 * Check if the permission is granted to the current identity.
 *
 * The decision is fail-closed: an identity with no roles is denied, a permission the
 * RBAC container does not grant to any of those roles is denied, and a registered
 * assertion (looked up by the string form of the permission) may still veto the grant
 * using the supplied context.
 *
 * @param string|PermissionInterface $permission
 * @param mixed                      $context
 * @return bool
 */
public function isGranted($permission, $context = null)
{
    $identityRoles = $this->roleService->getIdentityRoles();

    // No roles at all: deny.
    if (empty($identityRoles)) {
        return false;
    }

    $grantedByRbac = $this->rbac->isGranted($identityRoles, $permission);
    if (!$grantedByRbac) {
        return false;
    }

    // Without an assertion the RBAC decision is final.
    if (!$this->hasAssertion($permission)) {
        return true;
    }

    return $this->assert($this->assertions[(string) $permission], $context);
}
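/**
 * {@inheritDoc}
 *
 * The first rule whose pattern matches the matched route name (shell-style wildcards via
 * fnmatch, case-insensitive) decides which roles may access it, so a broad pattern listed
 * before a more specific one shadows it. A route with no matching rule is granted or denied
 * by the protection policy alone.
 */
public function isGranted(MvcEvent $event)
{
    // NOTE(review): a null route match (no route matched at all) would fail here with an
    // Error rather than a policy decision; whether the listener guarantees a match is not visible.
    $matchedRouteName = $event->getRouteMatch()->getMatchedRouteName();
    $allowedRoles     = null;

    foreach (array_keys($this->rules) as $routeRule) {
        if (fnmatch($routeRule, $matchedRouteName, FNM_CASEFOLD)) {
            $allowedRoles = $this->rules[$routeRule];
            break;
        }
    }

    // No rule applies: the protection policy decides.
    if (null === $allowedRoles) {
        return $this->protectionPolicy === self::POLICY_ALLOW;
    }

    // Strict comparison: with loose in_array() a non-string entry such as `true`
    // compares equal to '*' and would silently open the route to everyone.
    if (in_array('*', $allowedRoles, true)) {
        return true;
    }

    return $this->roleService->matchIdentityRoles($allowedRoles);
}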
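/**
 * {@inheritDoc}
 *
 * Resolution order: the exact controller + action rule, then the controller-wide rule
 * stored under index 0, then the protection policy. Controller and action names are
 * compared lower-cased.
 */
public function isGranted(MvcEvent $event)
{
    $routeMatch = $event->getRouteMatch();
    $controller = strtolower($routeMatch->getParam('controller'));
    $action     = strtolower($routeMatch->getParam('action'));

    // No rule for this controller at all: the protection policy decides.
    if (!isset($this->rules[$controller])) {
        return $this->protectionPolicy === self::POLICY_ALLOW;
    }

    if (isset($this->rules[$controller][$action])) {
        $allowedRoles = $this->rules[$controller][$action];
    } elseif (isset($this->rules[$controller][0])) {
        // Controller-wide rule applying to every action without its own entry.
        $allowedRoles = $this->rules[$controller][0];
    } else {
        return $this->protectionPolicy === self::POLICY_ALLOW;
    }

    // Strict comparison: with loose in_array() a non-string entry such as `true`
    // compares equal to '*' and would silently open the controller to everyone.
    if (in_array('*', $allowedRoles, true)) {
        return true;
    }

    return $this->roleService->matchIdentityRoles($allowedRoles);
}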
/**
 * Callable helper: does the current identity hold any of the given roles?
 *
 * A single role name is accepted as well as a list of names.
 *
 * @param string|string[] $roleOrRoles
 * @return bool
 */
public function __invoke($roleOrRoles)
{
    $roles = (array) $roleOrRoles;

    return $this->roleService->matchIdentityRoles($roles);
}
/**
 * Collect the identity's roles and their permissions for the toolbar/collector.
 *
 * Flat roles are appended by name; hierarchical roles get their whole child subtree
 * recorded under the parent's name (parents visited before children). Permissions are
 * collected for every role and child role encountered.
 *
 * @param RoleService $roleService
 * @return void
 */
private function collectIdentityRolesAndPermissions(RoleService $roleService)
{
    foreach ($roleService->getIdentityRoles() as $role) {
        $roleName = $role->getName();

        if ($role instanceof HierarchicalRoleInterface) {
            $subtree = new RecursiveIteratorIterator(
                new \RecursiveArrayIterator($role->getChildren()),
                RecursiveIteratorIterator::SELF_FIRST
            );
            foreach ($subtree as $childRole) {
                $this->collectedRoles[$roleName][] = $childRole->getName();
                $this->collectPermissions($childRole);
            }
        } else {
            $this->collectedRoles[] = $roleName;
        }

        $this->collectPermissions($role);
    }
}