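/**
 * Given a SecurableItem, add and remove permissions based on what the provided
 * ExplicitReadWriteModelPermissions indicates should be done, then save the item
 * when anything changed.
 *
 * While the changes are applied, @see SecurableItem->setTreatCurrentUserAsOwnerForPermissions
 * is set to true so the current user can effectively add permissions even if the
 * current user is no longer the owner. That flag is cleared again before this method
 * returns, and also when it exits through an exception: leaving it set would let a
 * later caller act on the item as though the current user owned it.
 *
 * Security note: because of that flag, no ownership or authorization check happens
 * here. Callers must verify that the current user is allowed to change permissions
 * on $securableItem before calling this method.
 *
 * Workflow processing is suspended for the save performed here and restored
 * afterwards, so a pure permission change does not by itself trigger workflows.
 *
 * @param SecurableItem $securableItem Already-saved item (id > 0).
 * @param ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions
 * @return boolean true when nothing needed to be saved, otherwise the result of save()
 * @throws NotSupportedException when a permitable is neither a Group nor a User
 */
public static function resolveExplicitReadWriteModelPermissions(SecurableItem $securableItem,
                                                               ExplicitReadWriteModelPermissions $explicitReadWriteModelPermissions)
{
    assert('$securableItem->id > 0');
    $securableItem->setTreatCurrentUserAsOwnerForPermissions(true);
    try
    {
        $needsSave = self::applyExplicitReadWriteModelPermissionChanges($securableItem,
                                                                        $explicitReadWriteModelPermissions);
        $saved     = $needsSave ? self::saveWithoutProcessingWorkflow($securableItem) : true;
    }
    catch (Exception $e)
    {
        // Error path: drop the elevated "treat current user as owner" state before
        // propagating. catch/rethrow is used instead of finally to stay within the
        // file's PHP level; note a PHP 7 Error (not an Exception) would bypass this reset.
        $securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
        throw $e;
    }
    $securableItem->setTreatCurrentUserAsOwnerForPermissions(false);
    return $saved;
}

/**
 * Apply the four categories of change carried by $permissions, in this order:
 * read-only grants, read/write grants, read-only revocations, read/write revocations.
 *
 * @param SecurableItem $securableItem
 * @param ExplicitReadWriteModelPermissions $permissions
 * @return boolean true when at least one category was non-empty (so the item needs saving)
 * @throws NotSupportedException when a permitable is neither a Group nor a User
 */
private static function applyExplicitReadWriteModelPermissionChanges(SecurableItem $securableItem,
                                                                     ExplicitReadWriteModelPermissions $permissions)
{
    $needsSave = false;
    if ($permissions->getReadOnlyPermitablesCount() > 0)
    {
        $needsSave = true;
        self::grantPermissionsToPermitables($securableItem,
                                            $permissions->getReadOnlyPermitables(),
                                            Permission::READ);
    }
    if ($permissions->getReadWritePermitablesCount() > 0)
    {
        $needsSave = true;
        self::grantPermissionsToPermitables($securableItem,
                                            $permissions->getReadWritePermitables(),
                                            Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER);
    }
    if ($permissions->getReadOnlyPermitablesToRemoveCount() > 0)
    {
        $needsSave = true;
        self::revokePermissionsFromPermitables($securableItem,
                                               $permissions->getReadOnlyPermitablesToRemove(),
                                               Permission::READ);
    }
    if ($permissions->getReadWritePermitablesToRemoveCount() > 0)
    {
        $needsSave = true;
        self::revokePermissionsFromPermitables($securableItem,
                                               $permissions->getReadWritePermitablesToRemove(),
                                               Permission::READ_WRITE_CHANGE_PERMISSIONS_CHANGE_OWNER);
    }
    return $needsSave;
}

/**
 * Grant $permissions on $securableItem to each permitable and notify
 * ReadPermissionsOptimizationUtil so its read-permission rows stay in step.
 *
 * @param SecurableItem $securableItem
 * @param mixed $permitables Iterable of Group or User instances.
 * @param integer $permissions Permission::* bitmask to add.
 * @throws NotSupportedException when a permitable is neither a Group nor a User
 */
private static function grantPermissionsToPermitables(SecurableItem $securableItem, $permitables, $permissions)
{
    foreach ($permitables as $permitable)
    {
        $securableItem->addPermissions($permitable, $permissions);
        if ($permitable instanceof Group)
        {
            ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($securableItem, $permitable);
        }
        elseif ($permitable instanceof User)
        {
            ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForUser($securableItem, $permitable);
        }
        else
        {
            throw new NotSupportedException();
        }
    }
}

/**
 * Remove the ALLOW entry for $permissions on $securableItem from each permitable and
 * notify ReadPermissionsOptimizationUtil of the loss.
 *
 * @param SecurableItem $securableItem
 * @param mixed $permitables Iterable of Group or User instances.
 * @param integer $permissions Permission::* bitmask to remove.
 * @throws NotSupportedException when a permitable is neither a Group nor a User
 */
private static function revokePermissionsFromPermitables(SecurableItem $securableItem, $permitables, $permissions)
{
    foreach ($permitables as $permitable)
    {
        $securableItem->removePermissions($permitable, $permissions, Permission::ALLOW);
        if ($permitable instanceof Group)
        {
            ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $permitable);
        }
        elseif ($permitable instanceof User)
        {
            ReadPermissionsOptimizationUtil::securableItemLostPermissionsForUser($securableItem, $permitable);
        }
        else
        {
            throw new NotSupportedException();
        }
    }
}

/**
 * Save $securableItem with workflow processing temporarily switched off, restoring
 * the item's previous workflow setting afterwards (also when save() throws).
 *
 * @param SecurableItem $securableItem
 * @return boolean result of save()
 */
private static function saveWithoutProcessingWorkflow(SecurableItem $securableItem)
{
    $restoreWorkflowProcessing = false;
    if ($securableItem->shouldProcessWorkflowOnSave())
    {
        $securableItem->setDoNotProcessWorkflowOnSave();
        $restoreWorkflowProcessing = true;
    }
    try
    {
        $saved = $securableItem->save();
    }
    catch (Exception $e)
    {
        // Do not leave the item with workflow processing disabled because the save failed.
        if ($restoreWorkflowProcessing)
        {
            $securableItem->setProcessWorkflowOnSave();
        }
        throw $e;
    }
    if ($restoreWorkflowProcessing)
    {
        $securableItem->setProcessWorkflowOnSave();
    }
    return $saved;
}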
/**
 * Record that $group no longer holds read permission on $securableItem.
 *
 * Two stores are kept in step: the read-permission rows maintained by
 * ReadPermissionsOptimizationUtil, and AllPermissionsOptimizationCache, whose
 * cached read resolution for the item is forgotten so a subsequent read check
 * is not answered from the pre-revocation state.
 *
 * @param SecurableItem $securableItem
 * @param Group $group
 */
public static function securableItemLostReadPermissionsForGroup(SecurableItem $securableItem, Group $group)
{
    // Update the rows first, then invalidate the cached read answer for the item.
    ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($securableItem, $group);
    AllPermissionsOptimizationCache::forgetSecurableItemForRead($securableItem);
}
/**
 * Slide 8: a group that was explicitly granted READ on an owned Account loses that
 * grant again, and the munge rows read back by getAccountMungeRows() must shrink
 * back accordingly, both directly and after a rebuild.
 *
 * Relies on the fixture users u1, u2, u3 and u99 and the group G1 that earlier
 * slides set up.
 *
 * @depends testUserLosesReadOnOwnedSecurableItem_Slide7
 */
public function testGroupLosesReadOnOwnedSecurableItem_Slide8()
{
    $ownerUser      = User::getByUsername('u1.');
    $memberUserA    = User::getByUsername('u2.');
    $memberUserB    = User::getByUsername('u3.');
    $userNinetyNine = User::getByUsername('u99.');

    // Group membership is edited while acting as u99 (presumably the user entitled
    // to manage groups in this fixture - verify against the earlier slides).
    Yii::app()->user->userModel = $userNinetyNine;
    $group = Group::getByName('G1.');
    $group->users->add($memberUserA);
    $group->users->add($memberUserB);
    $this->assertTrue($group->save());

    // The account is created - and therefore owned - by u1, with READ granted to the group.
    Yii::app()->user->userModel = $ownerUser;
    $account       = new Account();
    $account->name = 'A1.';
    $account->addPermissions($group, Permission::READ);
    $this->assertTrue($account->save());
    // ReadPermissionsOptimizationUtil::ownedSecurableItemCreated() is already invoked
    // from OwnedSecurableItem::afterSave(), so only the group grant is propagated here.
    ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($account, $group);

    $rowsWithGroupRead = array(
        array('G1', 1),
        array('R2', 1),
        array('R3', 1),
        array('R5', 2),
        array('R6', 2),
    );
    $this->assertEquals($rowsWithGroupRead, self::getAccountMungeRows($account));
    $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());

    // Revoke the group's READ and tell the optimisation util about the loss;
    // only the R2/R3 rows are expected to survive.
    $account->removePermissions($group, Permission::READ);
    $this->assertTrue($account->save());
    ReadPermissionsOptimizationUtil::securableItemLostPermissionsForGroup($account, $group);

    $rowsWithoutGroupRead = array(
        array('R2', 1),
        array('R3', 1),
    );
    $this->assertEquals($rowsWithoutGroupRead, self::getAccountMungeRows($account));
    $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());

    // Clean up so later slides start from an empty group and no leftover account.
    $account->delete();
    $group->users->removeAll();
    $this->assertTrue($group->save());
}