/**
*
* @param PKPRequest $request
* @param array $args
* @param array $roleAssignments
* @param string $submissionParameterName
*/
function buildSubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName)
{
// We need a submission in the request.
import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
$this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
// Authors, managers and series editors potentially have
// access to submissions. We'll have to define differentiated
// policies for those roles in a policy set.
$submissionAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
// Managers have access to all submissions.
$submissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
}
//
// Author role
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
// 1) Author role user groups can access whitelisted operations ...
$authorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR], 'user.authorization.authorRoleMissing'));
// 2) ... if they meet one of the following requirements:
$authorSubmissionAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// 2a) ...the requested submission is their own ...
import('lib.pkp.classes.security.authorization.internal.SubmissionAuthorPolicy');
$authorSubmissionAccessOptionsPolicy->addPolicy(new SubmissionAuthorPolicy($request));
// 2b) ...OR, at least one workflow stage has been assigned to them in the requested submission.
import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$authorSubmissionAccessOptionsPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$authorSubmissionAccessPolicy->addPolicy($authorSubmissionAccessOptionsPolicy);
$submissionAccessPolicy->addPolicy($authorSubmissionAccessPolicy);
}
//
// Reviewer role
//
if (isset($roleAssignments[ROLE_ID_REVIEWER])) {
// 1) Reviewers can access whitelisted operations ...
$reviewerSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$reviewerSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER]));
// 2) ... but only if they have been assigned to the submission as reviewers.
import('lib.pkp.classes.security.authorization.internal.ReviewAssignmentAccessPolicy');
$reviewerSubmissionAccessPolicy->addPolicy(new ReviewAssignmentAccessPolicy($request));
$submissionAccessPolicy->addPolicy($reviewerSubmissionAccessPolicy);
}
//
// Assistant role
//
if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
// 1) Assistants can access whitelisted operations ...
$contextSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$contextSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
// 2) ... but only if they have been assigned to the submission workflow.
import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$contextSubmissionAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$submissionAccessPolicy->addPolicy($contextSubmissionAccessPolicy);
}
return $submissionAccessPolicy;
}
function authorize($request, &$args, $roleAssignments)
{
$fileIds = $request->getUserVar('filesIdsAndRevisions');
$libraryFileId = $request->getUserVar('libraryFileId');
if (is_string($fileIds)) {
$fileIdsArray = explode(';', $fileIds);
// Remove empty entries (a trailing ";" will cause these)
$fileIdsArray = array_filter($fileIdsArray, create_function('$a', 'return !empty($a);'));
}
if (!empty($fileIdsArray)) {
$multipleSubmissionFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
foreach ($fileIdsArray as $fileIdAndRevision) {
$multipleSubmissionFileAccessPolicy->addPolicy($this->_getAccessPolicy($request, $args, $roleAssignments, $fileIdAndRevision));
}
$this->addPolicy($multipleSubmissionFileAccessPolicy);
} else {
if (is_numeric($libraryFileId)) {
import('lib.pkp.classes.security.authorization.ContextAccessPolicy');
$this->addPolicy(new ContextAccessPolicy($request, $roleAssignments));
} else {
// IDs will be specified using the default parameters.
$this->addPolicy($this->_getAccessPolicy($request, $args, $roleAssignments));
}
}
return parent::authorize($request, $args, $roleAssignments);
}
/**
* Add a new policy to the Resource
*
* @param Policy $policy Policy instance
*
* @return \Xacmlphp\Resource instance
*/
public function addPolicy(Policy $policy)
{
if ($this->policySet === null) {
$this->policySet = new PolicySet();
}
$this->policySet->addPolicy($policy);
return $this;
}
/**
*
* @param PKPRequest $request
* @param array $args
* @param array $roleAssignments
* @param $mode int bitfield SIGNOFF_ACCESS_...
* @param $stageId int
*/
function buildSignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId)
{
// We need a submission matching the file in the request.
import('lib.pkp.classes.security.authorization.internal.SignoffExistsAccessPolicy');
$this->addPolicy(new SignoffExistsAccessPolicy($request, $args));
// We need a valid workflow stage.
import('lib.pkp.classes.security.authorization.internal.WorkflowStageRequiredPolicy');
$this->addPolicy(new WorkflowStageRequiredPolicy($stageId));
// Authors, context managers and sub editors potentially have
// access to signoffs. We'll have to define
// differentiated policies for those roles in a policy set.
$signoffAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
// Managers have all access to all signoffs.
$signoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
}
//
// Assistants
//
if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
// 1) Assistants can access all operations on signoffs...
$assistantSignoffAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$assistantSignoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
// 2) ... but only if they have access to the workflow stage.
import('classes.security.authorization.WorkflowStageAccessPolicy');
// pulled from context-specific class path.
$assistantSignoffAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
$signoffAccessPolicy->addPolicy($assistantSignoffAccessPolicy);
}
//
// Authors
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
if ($mode & SIGNOFF_ACCESS_READ) {
// 1) Authors can access read operations on signoffs...
$authorSignoffAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorSignoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));
// 2) ... but only if they are assigned to the workflow stage as an stage participant.
import('classes.security.authorization.WorkflowStageAccessPolicy');
$authorSignoffAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
$signoffAccessPolicy->addPolicy($authorSignoffAccessPolicy);
}
}
//
// User owns the signoff (all roles): permit
//
import('lib.pkp.classes.security.authorization.internal.SignoffAssignedToUserAccessPolicy');
$userOwnsSignoffPolicy = new SignoffAssignedToUserAccessPolicy($request);
$signoffAccessPolicy->addPolicy($userOwnsSignoffPolicy);
$this->addPolicy($signoffAccessPolicy);
return $signoffAccessPolicy;
}
/**
* @covers RoleBasedHandlerOperationPolicy
*/
public function testRoleAuthorization()
{
// Construct the user roles array.
$userRoles = array(ROLE_ID_SITE_ADMIN, ROLE_ID_TEST);
// Test the user-group/role policy with a default
// authorized request.
$request = $this->getMockRequest('permittedOperation');
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST), 'permittedOperation'));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test the user-group/role policy with a non-authorized role.
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_NON_AUTHORIZED, 'permittedOperation'));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// Test the policy with an authorized role but a non-authorized operation.
$request = $this->getMockRequest('privateOperation');
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, 'permittedOperation'));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// Test the policy with an authorized role and a
// non-authorized operation but bypass the the operation check.
// FIXME: Remove the "bypass operation check" code once we've removed the
// HandlerValidatorRole compatibility class, see #5868.
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, array(), 'some.message', false, true));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test the "all roles must match" feature.
$request = $this->getMockRequest('permittedOperation');
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_SITE_ADMIN, ROLE_ID_TEST), 'permittedOperation', 'some.message', true, false));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test again the "all roles must match" feature but this time
// with one role not matching.
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN, ROLE_ID_NON_AUTHORIZED), 'permittedOperation', 'some.message', true, false));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
}
/**
* @copydoc PKPHandler::authorize()
*/
function authorize($request, &$args, $roleAssignments)
{
import('lib.pkp.classes.security.authorization.PolicySet');
$rolePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
foreach ($roleAssignments as $role => $operations) {
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $role, $operations));
}
$this->addPolicy($rolePolicy);
return parent::authorize($request, $args, $roleAssignments);
}
/**
* Constructor
* @param $request PKPRequest
* @param $roleAssignments array
*/
function OjsJournalAccessPolicy(&$request, $roleAssignments)
{
parent::JournalPolicy($request);
// On journal level we don't have role-specific conditions
// so we can simply add all role assignments. It's ok if
// any of these role conditions permits access.
$journalRolePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
foreach ($roleAssignments as $role => $operations) {
$journalRolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $role, $operations));
}
$this->addPolicy($journalRolePolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
*/
function OjsAuthorDashboardAccessPolicy($request, &$args, $roleAssignments)
{
parent::ContextPolicy($request);
$authorDashboardPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
// AuthorDashboard requires a valid monograph in request.
import('classes.security.authorization.SubmissionAccessPolicy');
$authorDashboardPolicy->addPolicy(new SubmissionAccessPolicy($request, $args, $roleAssignments), true);
// Check if the user has an stage assignment with the monograph in request.
// Any workflow stage assignment is suficient to access the author dashboard.
import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$authorDashboardPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$this->addPolicy($authorDashboardPolicy);
}
/**
* Constructor
* @param $request PKPRequest
*/
function JournalPolicy(&$request)
{
parent::PolicySet();
// Ensure that we have a journal in the context.
import('lib.pkp.classes.security.authorization.ContextRequiredPolicy');
$this->addPolicy(new ContextRequiredPolicy($request, 'user.authorization.noJournal'));
}
/**
* @see PKPHandler::authorize()
*/
function authorize($request, &$args, $roleAssignments)
{
import('lib.pkp.classes.security.authorization.PolicySet');
$rolePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy');
foreach ($roleAssignments as $role => $operations) {
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $role, $operations));
}
$this->addPolicy($rolePolicy);
$this->reviewFormId = (int) $request->getUserVar('reviewFormId');
$reviewFormDao = DAORegistry::getDAO('ReviewFormDAO');
if (!$reviewFormDao->reviewFormExists($this->reviewFormId, Application::getContextAssocType(), $request->getContext()->getId())) {
return false;
}
return parent::authorize($request, $args, $roleAssignments);
}
/**
* Constructor
* @param $request PKPRequest
*/
function PressPolicy(&$request)
{
parent::PolicySet();
// Ensure we're in a press
import('lib.pkp.classes.security.authorization.ContextRequiredPolicy');
$this->addPolicy(new ContextRequiredPolicy($request, 'user.authorization.noPress'));
}
/**
* Constructor
* @param $request PKPRequest
*/
function __construct($request)
{
parent::__construct();
// Ensure we're in a context
import('lib.pkp.classes.security.authorization.ContextRequiredPolicy');
$this->addPolicy(new ContextRequiredPolicy($request, 'user.authorization.noContext'));
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array
* @param $roleAssignments array
* @param $submissionParameterName string
*/
function OjsSubmissionAccessPolicy(&$request, &$args, $roleAssignments, $submissionParameterName = 'articleId')
{
parent::JournalPolicy($request);
// Create a "permit overrides" policy set that specifies
// editor and copyeditor access to submissions.
$submissionEditingPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Editor roles (Editor and Section Editor) policy
//
$editorsPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
// Editorial components can only be called if there's a
// valid section editor submission in the request.
// FIXME: We should find a way to check whether the user actually
// is a (section) editor before we execute this expensive policy.
import('classes.security.authorization.internal.SectionEditorSubmissionRequiredPolicy');
$editorsPolicy->addPolicy(new SectionEditorSubmissionRequiredPolicy($request, $args, $submissionParameterName));
$editorRolesPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// Editors can access all operations.
$editorRolesPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_EDITOR, $roleAssignments[ROLE_ID_EDITOR]));
// Section editors
$sectionEditorPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
// 1) Section editors can access all remote operations ...
$sectionEditorPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SECTION_EDITOR, $roleAssignments[ROLE_ID_SECTION_EDITOR]));
// 2) ... but only if the requested submission has been explicitly assigned to them.
import('classes.security.authorization.internal.SectionSubmissionAssignmentPolicy');
$sectionEditorPolicy->addPolicy(new SectionSubmissionAssignmentPolicy($request));
$editorRolesPolicy->addPolicy($sectionEditorPolicy);
$editorsPolicy->addPolicy($editorRolesPolicy);
$submissionEditingPolicy->addPolicy($editorsPolicy);
//
// Copyeditor policy
//
$copyeditorPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
// 1) Copyeditors can only access editorial components when a valid
// copyeditor submission is in the request ...
import('classes.security.authorization.internal.CopyeditorSubmissionRequiredPolicy');
$copyeditorPolicy->addPolicy(new CopyeditorSubmissionRequiredPolicy($request, $args, $submissionParameterName));
// 2) ... If that's the case then copyeditors can access all remote operations ...
$copyeditorPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_COPYEDITOR, $roleAssignments[ROLE_ID_SECTION_EDITOR]));
// 3) ... but only if the requested submission has been explicitly assigned to them.
import('classes.security.authorization.internal.CopyeditorSubmissionAssignmentPolicy');
$copyeditorPolicy->addPolicy(new CopyeditorSubmissionAssignmentPolicy($request));
$submissionEditingPolicy->addPolicy($copyeditorPolicy);
// Add the submission editing policies to this policy set.
$this->addPolicy($submissionEditingPolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $mode int bitfield SIGNOFF_ACCESS_...
* @param $stageId int
*/
function SignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId)
{
parent::PKPSignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId);
$signoffAccessPolicy = $this->_baseSignoffAccessPolicy;
//
// Series editor role
//
if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
// 1) Section editors can access all operations on signoffs ...
$sectionEditorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$sectionEditorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
// 2) ... but only if the requested signoff submission is part of their series.
import('classes.security.authorization.internal.SectionAssignmentPolicy');
$sectionEditorFileAccessPolicy->addPolicy(new SectionAssignmentPolicy($request));
$signoffAccessPolicy->addPolicy($sectionEditorFileAccessPolicy);
}
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $submissionParameterName string the request parameter we
* expect the submission id in.
*/
function OmpPublishedMonographAccessPolicy($request, $args, $roleAssignments, $submissionParameterName = 'submissionId')
{
parent::ContextPolicy($request);
// Access may be made either as a member of the public, or
// via pre-publication access to editorial users.
$monographAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// Published monograph access for the public
$publishedMonographAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
$publishedMonographAccessPolicy->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
import('classes.security.authorization.internal.MonographPublishedPolicy');
$publishedMonographAccessPolicy->addPolicy(new MonographPublishedPolicy($request));
$monographAccessPolicy->addPolicy($publishedMonographAccessPolicy);
// Pre-publication access for editorial roles
import('classes.security.authorization.SubmissionAccessPolicy');
$monographAccessPolicy->addPolicy(new SubmissionAccessPolicy($request, $args, array_intersect_key($roleAssignments, array(ROLE_ID_MANAGER, ROLE_ID_SUB_EDITOR)), $submissionParameterName));
$this->addPolicy($monographAccessPolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $mode int bitfield SUBMISSION_FILE_ACCESS_...
* @param $fileIdAndRevision string
* @param $submissionParameterName string the request parameter we expect
* the submission id in.
*/
function SubmissionFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision = null, $submissionParameterName = 'submissionId')
{
parent::PKPSubmissionFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName);
$fileAccessPolicy = $this->_baseFileAccessPolicy;
//
// Series editor role
//
if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
// 1) Series editors can access all operations on submissions ...
$seriesEditorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$seriesEditorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
// 2) ... but only if the requested submission is part of their series.
import('classes.security.authorization.internal.SeriesAssignmentPolicy');
$seriesEditorFileAccessPolicy->addPolicy(new SeriesAssignmentPolicy($request));
$fileAccessPolicy->addPolicy($seriesEditorFileAccessPolicy);
}
$this->addPolicy($fileAccessPolicy);
}
/**
* Evaluate the given set of policies against the subject
*
* @param Subject $subject Current subject
* @param PolicySet $policySet Set of policies
* @param Action $action
*
* @return bool
*/
public function evaluate(Subject $subject, PolicySet $policySet, Action $action)
{
// get the subject's attributes
$this->setSubjectAttributes($subject->getAttributes());
$policyResults = $this->handlePolicies($policySet->getPolicies());
if (count($policyResults) == 1) {
return array_shift($policyResults);
} else {
// we're working with a set of policies, go with the algorithm
// if we have one...
$algorithm = $policySet->getAlgorithm();
if ($algorithm === null) {
// default to most secure - deny overrides!
$algorithm = new Algorithm\DenyOverrides();
}
return $algorithm = $algorithm->evaluate($policyResults);
}
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
* @param $submissionParameterName string
* @param $stageId integer One of the WORKFLOW_STAGE_ID_* constants.
*/
function ReviewStageAccessPolicy($request, &$args, $roleAssignments, $submissionParameterName = 'submissionId', $stageId)
{
parent::ContextPolicy($request);
// Create a "permit overrides" policy set that specifies
// role-specific access to submission stage operations.
$workflowStagePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// Add the workflow policy, for editorial / press roles
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$workflowStagePolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, $submissionParameterName, $stageId));
if ($stageId == WORKFLOW_STAGE_ID_INTERNAL_REVIEW || $stageId == WORKFLOW_STAGE_ID_EXTERNAL_REVIEW) {
// Add the submission policy, for reviewer roles
import('lib.pkp.classes.security.authorization.SubmissionAccessPolicy');
$submissionPolicy = new SubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName);
$submissionPolicy->addPolicy(new WorkflowStageRequiredPolicy($stageId));
$workflowStagePolicy->addPolicy($submissionPolicy);
}
// Add the role-specific policies to this policy set.
$this->addPolicy($workflowStagePolicy);
}
/**
* @see AuthorizationPolicy::effect()
*/
function effect()
{
// Retrieve the user from the session.
$request = $this->getRequest();
$user = $request->getUser();
if (!is_a($user, 'User')) {
return AUTHORIZATION_DENY;
}
// Execute handler operation checks.
return parent::effect();
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
* @param $submissionParameterName string
* @param $stageId integer One of the WORKFLOW_STAGE_ID_* constants.
*/
function WorkflowStageAccessPolicy($request, &$args, $roleAssignments, $submissionParameterName = 'submissionId', $stageId)
{
parent::PKPWorkflowStageAccessPolicy($request, $args, $roleAssignments, $submissionParameterName, $stageId);
// A workflow stage component can only be called if there's a
// valid section editor submission in the request.
import('classes.security.authorization.internal.SectionEditorSubmissionRequiredPolicy');
$this->addPolicy(new SectionEditorSubmissionRequiredPolicy($request, $args, $submissionParameterName));
// Add the user accessible workflow stages object to the authorized context.
import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$this->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
// Users can access all whitelisted operations for submissions and workflow stages...
$roleBasedPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
foreach ($roleAssignments as $roleId => $operations) {
$roleBasedPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $roleId, $operations));
}
$this->addPolicy($roleBasedPolicy);
// ... if they can access the requested workflow stage.
import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStagePolicy');
$this->addPolicy(new UserAccessibleWorkflowStagePolicy($stageId));
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
*/
function OhsPluginAccessPolicy(&$request, &$args, $roleAssignments)
{
parent::PolicySet();
// A valid plugin is required.
$this->addPolicy(new PluginRequiredPolicy($request));
//
// Site administrator role
//
if (isset($roleAssignments[ROLE_ID_SITE_ADMIN])) {
// Site admin have access to all plugins...
$this->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, $roleAssignments[ROLE_ID_SITE_ADMIN]));
}
}
/**
* Test the evaluation of all policies when no policy name is given
*/
public function testAllPolicyEvaluateAllAny()
{
$set = PolicySet::instance()->add('policy1', Policy::instance()->hasUsername('ccornutt'));
$user = (object) ['username' => 'ccornutt'];
$subject = new Subject($user);
$subject->setAuth(true);
$context = new Context(['policies' => $set]);
$gateway = new Gateway($subject, $context);
// Evaluate the result of the policy above, true because they're:
// 1. set correctly, 2. policy passes
$result = $gateway->evaluate();
$this->assertTrue($result);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request arguments
* @param $roleAssignments array
* @param $accessMode int
*/
function OjsPluginAccessPolicy($request, &$args, $roleAssignments, $accessMode = ACCESS_MODE_ADMIN)
{
parent::PolicySet();
// A valid plugin is required.
$this->addPolicy(new PluginRequiredPolicy($request));
// Journal managers and site admin have
// access to plugins. We'll have to define
// differentiated policies for those roles in a policy set.
$pluginAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
$pluginAccessPolicy->setEffectIfNoPolicyApplies(AUTHORIZATION_DENY);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
if ($accessMode & ACCESS_MODE_MANAGE) {
// Journal managers have edit settings access mode...
$journalManagerPluginAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$journalManagerPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
// ...only to journal level plugins.
$journalManagerPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, CONTEXT_JOURNAL));
$pluginAccessPolicy->addPolicy($journalManagerPluginAccessPolicy);
}
}
//
// Site administrator role
//
if (isset($roleAssignments[ROLE_ID_SITE_ADMIN])) {
// Site admin have access to all plugins...
$siteAdminPluginAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$siteAdminPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, $roleAssignments[ROLE_ID_SITE_ADMIN]));
if ($accessMode & ACCESS_MODE_MANAGE) {
// ...of site level only.
$siteAdminPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, CONTEXT_SITE));
}
$pluginAccessPolicy->addPolicy($siteAdminPluginAccessPolicy);
}
$this->addPolicy($pluginAccessPolicy);
}
/**
* @covers PolicySet
*/
public function testPolicySet()
{
// Test combining algorithm and default effect.
$policySet = new PolicySet();
self::assertEquals(COMBINING_DENY_OVERRIDES, $policySet->getCombiningAlgorithm());
self::assertEquals(AUTHORIZATION_DENY, $policySet->getEffectIfNoPolicyApplies());
$policySet = new PolicySet(COMBINING_PERMIT_OVERRIDES);
$policySet->setEffectIfNoPolicyApplies(AUTHORIZATION_PERMIT);
self::assertEquals(COMBINING_PERMIT_OVERRIDES, $policySet->getCombiningAlgorithm());
self::assertEquals(AUTHORIZATION_PERMIT, $policySet->getEffectIfNoPolicyApplies());
// Test adding policies.
$policySet->addPolicy($policy1 = new AuthorizationPolicy('policy1'));
$policySet->addPolicy($policy2 = new AuthorizationPolicy('policy2'));
$policySet->addPolicy($policy3 = new AuthorizationPolicy('policy3'), $addToTop = true);
self::assertEquals(array($policy3, $policy1, $policy2), $policySet->getPolicies());
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $submissionParameterName string the request parameter we
* expect the submission id in.
*/
function SubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName = 'submissionId')
{
parent::PKPSubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName);
$submissionAccessPolicy = $this->_baseSubmissionAccessPolicy;
//
// Series editor role
//
if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
// 1) Series editors can access all operations on submissions ...
$subEditorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$subEditorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
// but only if ...
$subEditorAssignmentOrSeriesPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// 2a) ... the requested submission is part of their series ...
import('classes.security.authorization.internal.SeriesAssignmentPolicy');
$subEditorAssignmentOrSeriesPolicy->addPolicy(new SeriesAssignmentPolicy($request));
// 2b) ... or they have been assigned to the requested submission.
import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$subEditorAssignmentOrSeriesPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$subEditorSubmissionAccessPolicy->addPolicy($subEditorAssignmentOrSeriesPolicy);
$submissionAccessPolicy->addPolicy($subEditorSubmissionAccessPolicy);
}
$this->addPolicy($submissionAccessPolicy);
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $submissionParameterName string the request parameter we expect
* the submission id in.
*/
function OmpSubmissionAccessPolicy(&$request, $args, $roleAssignments, $submissionParameterName = 'monographId')
{
parent::PressPolicy($request);
// We need a submission in the request.
import('classes.security.authorization.internal.MonographRequiredPolicy');
$this->addPolicy(new MonographRequiredPolicy($request, $args, $submissionParameterName));
// Authors, press managers and series editors potentially have access
// to submissions. We'll have to define differentiated policies for those
// roles in a policy set.
$submissionAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_PRESS_MANAGER])) {
// Press managers have access to all submissions.
$submissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_PRESS_MANAGER, $roleAssignments[ROLE_ID_PRESS_MANAGER]));
}
//
// Series editor role
//
if (isset($roleAssignments[ROLE_ID_SERIES_EDITOR])) {
// 1) Series editors can access all operations on submissions ...
$seriesEditorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$seriesEditorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SERIES_EDITOR, $roleAssignments[ROLE_ID_SERIES_EDITOR]));
// 2) ... but only if the requested submission is part of their series.
import('classes.security.authorization.internal.SeriesAssignmentPolicy');
$seriesEditorSubmissionAccessPolicy->addPolicy(new SeriesAssignmentPolicy($request));
$submissionAccessPolicy->addPolicy($seriesEditorSubmissionAccessPolicy);
}
//
// Author role
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
// 1) Author role user groups can access whitelisted operations ...
$authorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));
// 2) ... if the requested submission is their own ...
import('classes.security.authorization.internal.MonographAuthorPolicy');
$authorSubmissionAccessPolicy->addPolicy(new MonographAuthorPolicy($request));
$submissionAccessPolicy->addPolicy($authorSubmissionAccessPolicy);
}
//
// Reviewer role
//
if (isset($roleAssignments[ROLE_ID_REVIEWER])) {
// 1) Reviewers can access whitelisted operations ...
$reviewerSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$reviewerSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER]));
// 2) ... but only if they have been assigned to the submission as reviewers.
import('classes.security.authorization.internal.ReviewAssignmentAccessPolicy');
$reviewerSubmissionAccessPolicy->addPolicy(new ReviewAssignmentAccessPolicy($request));
$submissionAccessPolicy->addPolicy($reviewerSubmissionAccessPolicy);
}
$this->addPolicy($submissionAccessPolicy);
}
/**
*
* @param PKPRequest $request
* @param array $args
* @param array $roleAssignments
* @param int bitfield $mode
* @param string $fileIdAndRevision
* @param string $submissionParameterName
*/
function buildFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName)
{
// We need a submission matching the file in the request.
import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy');
$this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName));
import('lib.pkp.classes.security.authorization.internal.SubmissionFileMatchesSubmissionPolicy');
$this->addPolicy(new SubmissionFileMatchesSubmissionPolicy($request, $fileIdAndRevision));
// Authors, managers and series editors potentially have
// access to submission files. We'll have to define
// differentiated policies for those roles in a policy set.
$fileAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
// Managers have all access to all submissions.
$fileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
}
//
// Author role
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
// 1) Author role user groups can access whitelisted operations ...
$authorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));
// 2) ...if they are assigned to the workflow stage. Note: This loads the application-specific policy class.
import('classes.security.authorization.WorkflowStageAccessPolicy');
$authorFileAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $request->getUserVar('stageId')));
// 3) ...and if they meet one of the following requirements:
$authorFileAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// 3a) If the file was uploaded by the current user, allow...
import('lib.pkp.classes.security.authorization.internal.SubmissionFileUploaderAccessPolicy');
$authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileUploaderAccessPolicy($request, $fileIdAndRevision));
// 3b) ...or if the file is a file in a review round with requested revision decision, allow...
// Note: This loads the application-specific policy class
import('classes.security.authorization.internal.SubmissionFileRequestedRevisionRequiredPolicy');
$authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileRequestedRevisionRequiredPolicy($request, $fileIdAndRevision));
// ...or if we don't want to modify the file...
if (!($mode & SUBMISSION_FILE_ACCESS_MODIFY)) {
// 3c) ...and the file is at submission stage...
import('lib.pkp.classes.security.authorization.internal.SubmissionFileSubmissionStageRequiredPolicy');
$authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileSubmissionStageRequiredPolicy($request, $fileIdAndRevision));
// 3d) ...or the file is a viewable reviewer response...
import('lib.pkp.classes.security.authorization.internal.SubmissionFileViewableReviewerResponseRequiredPolicy');
$authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileViewableReviewerResponseRequiredPolicy($request, $fileIdAndRevision));
// 3e) ...or if the file is part of a signoff assigned to the user, allow.
import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedAuditorAccessPolicy');
$authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedAuditorAccessPolicy($request, $fileIdAndRevision));
}
// Add the rules from 3)
$authorFileAccessPolicy->addPolicy($authorFileAccessOptionsPolicy);
$fileAccessPolicy->addPolicy($authorFileAccessPolicy);
}
//
// Reviewer role
//
if (isset($roleAssignments[ROLE_ID_REVIEWER])) {
// 1) Reviewers can access whitelisted operations ...
$reviewerFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$reviewerFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER]));
// 2) ...if they meet one of the following requirements:
$reviewerFileAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
// 2a) If the file was uploaded by the current user, allow.
import('lib.pkp.classes.security.authorization.internal.SubmissionFileUploaderAccessPolicy');
$reviewerFileAccessOptionsPolicy->addPolicy(new SubmissionFileUploaderAccessPolicy($request, $fileIdAndRevision));
// 2b) If the file is part of an assigned review, and we're not
// trying to modify it, allow.
import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedReviewerAccessPolicy');
if (!($mode & SUBMISSION_FILE_ACCESS_MODIFY)) {
$reviewerFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedReviewerAccessPolicy($request, $fileIdAndRevision));
}
// Add the rules from 2)
$reviewerFileAccessPolicy->addPolicy($reviewerFileAccessOptionsPolicy);
// Add this policy set
$fileAccessPolicy->addPolicy($reviewerFileAccessPolicy);
}
//
// Assistant role.
//
if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
// 1) Assistants can access whitelisted operations...
$contextAssistantFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$contextAssistantFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
// 2) ... but only if they have been assigned to the submission workflow.
// Note: This loads the application-specific policy class
import('classes.security.authorization.WorkflowStageAccessPolicy');
$contextAssistantFileAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $request->getUserVar('stageId')));
$fileAccessPolicy->addPolicy($contextAssistantFileAccessPolicy);
}
return $fileAccessPolicy;
}
/**
* Constructor
* @param $request PKPRequest
* @param $args array request parameters
* @param $roleAssignments array
* @param $stageId int
*/
function __construct($request, $args, $roleAssignments, $stageId)
{
parent::__construct($request);
// We need a valid workflow stage.
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$this->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
// We need a query matching the submission in the request.
import('lib.pkp.classes.security.authorization.internal.QueryRequiredPolicy');
$this->addPolicy(new QueryRequiredPolicy($request, $args));
// Authors, context managers and sub editors potentially have
// access to queries. We'll have to define
// differentiated policies for those roles in a policy set.
$queryAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES);
//
// Managerial role
//
if (isset($roleAssignments[ROLE_ID_MANAGER])) {
// Managers have all access to all queries.
$queryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER]));
}
//
// Assistants
//
if (isset($roleAssignments[ROLE_ID_ASSISTANT])) {
// 1) Assistants can access all operations on queries...
$assistantQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$assistantQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT]));
// 2) ... but only if they have access to the workflow stage.
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
// pulled from context-specific class path.
$assistantQueryAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
// 3) ... and the assistant is assigned to the query.
import('lib.pkp.classes.security.authorization.internal.QueryAssignedToUserAccessPolicy');
$assistantQueryAccessPolicy->addPolicy(new QueryAssignedToUserAccessPolicy($request));
$queryAccessPolicy->addPolicy($assistantQueryAccessPolicy);
}
//
// Authors
//
if (isset($roleAssignments[ROLE_ID_AUTHOR])) {
// 1) Authors can access read operations on queries...
$authorQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$authorQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR]));
// 2) ... but only if they are assigned to the workflow stage as an stage participant...
import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy');
$authorQueryAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId));
// 3) ... and the author is assigned to the query.
import('lib.pkp.classes.security.authorization.internal.QueryAssignedToUserAccessPolicy');
$authorQueryAccessPolicy->addPolicy(new QueryAssignedToUserAccessPolicy($request));
$queryAccessPolicy->addPolicy($authorQueryAccessPolicy);
}
//
// Sub editor role
//
if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) {
// 1) Sub editors can access all operations on submissions ...
$subEditorQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$subEditorQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR]));
// 2) ... but only if they have been assigned to the requested submission.
import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy');
$subEditorQueryAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request));
$queryAccessPolicy->addPolicy($subEditorQueryAccessPolicy);
}
$this->addPolicy($queryAccessPolicy);
return $queryAccessPolicy;
}
/**
* @covers AuthorizationDecisionManager
*/
public function testDecide()
{
// We have to test policies and policy sets
// as well as different combining algorithms.
$denyPolicy = new AuthorizationPolicy();
$permitPolicy = $this->getMock('AuthorizationPolicy', array('effect'));
$permitPolicy->expects($this->any())->method('effect')->will($this->returnCallback(array($this, 'mockEffect')));
// deny overrides
// - permit policy
// - deny policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$decisionManager->addPolicy($denyPolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// deny overrides
// - permit policy
// - permit policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$decisionManager->addPolicy($permitPolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// deny overrides
// - permit policy
// - allow overrides
// -- deny policy
// -- deny policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$policySet = new PolicySet();
$policySet->addPolicy($denyPolicy);
$policySet->addPolicy($denyPolicy);
$decisionManager->addPolicy($policySet);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// deny overrides
// - permit policy
// - allow overrides
// -- deny policy
// -- permit policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$policySet = new PolicySet(COMBINING_PERMIT_OVERRIDES);
$policySet->addPolicy($denyPolicy);
$policySet->addPolicy($permitPolicy);
$decisionManager->addPolicy($policySet);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
}
/**
* Test that an exception is thrown when teh policy name isn't found
*
* @expectedException \InvalidArgumentException
*/
public function testPolicyNameNotFoundAllows()
{
$policySet = PolicySet::instance();
$subject = new Subject((object) ['username' => 'ccornutt']);
$en = new Enforcer($policySet);
$en->allows('policy1', $subject);
}
