/**
* @covers RoleBasedHandlerOperationPolicy
*/
public function testRoleAuthorization()
{
// Construct the user roles array.
$userRoles = array(ROLE_ID_SITE_ADMIN, ROLE_ID_TEST);
// Test the user-group/role policy with a default
// authorized request.
$request = $this->getMockRequest('permittedOperation');
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST), 'permittedOperation'));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test the user-group/role policy with a non-authorized role.
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_NON_AUTHORIZED, 'permittedOperation'));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// Test the policy with an authorized role but a non-authorized operation.
$request = $this->getMockRequest('privateOperation');
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, 'permittedOperation'));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// Test the policy with an authorized role and a
// non-authorized operation but bypass the the operation check.
// FIXME: Remove the "bypass operation check" code once we've removed the
// HandlerValidatorRole compatibility class, see #5868.
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, array(), 'some.message', false, true));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test the "all roles must match" feature.
$request = $this->getMockRequest('permittedOperation');
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_SITE_ADMIN, ROLE_ID_TEST), 'permittedOperation', 'some.message', true, false));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test again the "all roles must match" feature but this time
// with one role not matching.
$rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES);
$rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy());
$rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN, ROLE_ID_NON_AUTHORIZED), 'permittedOperation', 'some.message', true, false));
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
}
/**
* @covers AuthorizationDecisionManager
*/
public function testDecide()
{
// We have to test policies and policy sets
// as well as different combining algorithms.
$denyPolicy = new AuthorizationPolicy();
$permitPolicy = $this->getMock('AuthorizationPolicy', array('effect'));
$permitPolicy->expects($this->any())->method('effect')->will($this->returnCallback(array($this, 'mockEffect')));
// deny overrides
// - permit policy
// - deny policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$decisionManager->addPolicy($denyPolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// deny overrides
// - permit policy
// - permit policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$decisionManager->addPolicy($permitPolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// deny overrides
// - permit policy
// - allow overrides
// -- deny policy
// -- deny policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$policySet = new PolicySet();
$policySet->addPolicy($denyPolicy);
$policySet->addPolicy($denyPolicy);
$decisionManager->addPolicy($policySet);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// deny overrides
// - permit policy
// - allow overrides
// -- deny policy
// -- permit policy
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($permitPolicy);
$policySet = new PolicySet(COMBINING_PERMIT_OVERRIDES);
$policySet->addPolicy($denyPolicy);
$policySet->addPolicy($permitPolicy);
$decisionManager->addPolicy($policySet);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
}
/**
* @covers RoleBasedHandlerOperationPolicy
*/
public function testRoleAuthorization()
{
// Create a test user;
import('classes.user.User');
$testUser = new User();
$testUser->setId(3);
// Create a test context.
$application = PKPApplication::getApplication();
$contextDepth = $application->getContextDepth();
if ($contextDepth > 0) {
$testContext = new DataObject();
$testContextId = 5;
$testContext->setId($testContextId);
$userHasRoleContextArgs = array($testContextId, $testUser->getId());
$userHasRoleSiteArgs = array(0, $testUser->getId());
} else {
$testContext = null;
$userHasRoleSiteArgs = $userHasRoleContextArgs = array($testUser->getId());
}
// Create a non-authorized role.
$nonAuthorizedRole = ROLE_ID_SITE_ADMIN;
// Test the user-group/role policy with a default
// authorized request.
$request = $this->getMockRequest('permittedOperation', $testContext, $testUser);
$this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleContextArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true)));
$rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, $nonAuthorizedRole), 'permittedOperation');
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test the user-group/role policy with a non-authorized role.
$this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array($nonAuthorizedRole)), 'userHasRoleReturnValue' => false)));
$rolePolicy = new RoleBasedHandlerOperationPolicy($request, $nonAuthorizedRole, 'permittedOperation');
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// Test the policy with an authorized role but a non-authorized operation.
$request = $this->getMockRequest('privateOperation', null, $testUser);
$userHasRoleInvocation = array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true);
$this->mockRoleDao(array($userHasRoleInvocation));
$rolePolicy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_TEST, 'permittedOperation');
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
// Test the policy with an authorized role and a non-authorized operation
// but bypass the the operation check.
// FIXME: Remove the "bypass operation check" code once we've removed the
// HandlerValidatorRole compatibility class, see #5868.
$this->mockRoleDao(array($userHasRoleInvocation));
$rolePolicy = new RoleBasedHandlerOperationPolicy($request, ROLE_ID_TEST, array(), 'some.message', false, true);
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test the "all roles must match" feature.
$request = $this->getMockRequest('permittedOperation', $testContext, $testUser);
$this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleContextArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true), array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array(ROLE_ID_SITE_ADMIN)), 'userHasRoleReturnValue' => true)));
$rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN), 'permittedOperation', 'some.message', true, false);
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide());
// Test again the "all roles must match" feature but this time
// with one role not matching.
$this->mockRoleDao(array(array('userHasRoleExpectedArgs' => array_merge($userHasRoleContextArgs, array(ROLE_ID_TEST)), 'userHasRoleReturnValue' => true), array('userHasRoleExpectedArgs' => array_merge($userHasRoleSiteArgs, array(ROLE_ID_SITE_ADMIN)), 'userHasRoleReturnValue' => false)));
$rolePolicy = new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN), 'permittedOperation', 'some.message', true, false);
$decisionManager = new AuthorizationDecisionManager();
$decisionManager->addPolicy($rolePolicy);
self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide());
}