/**
 * {@inheritdoc}
 *
 * Builds one child authorization per sub-resource returned by the resource
 * graph traverser for $resource, in traversal order. Nothing is persisted
 * here; the list of child authorizations is returned to the caller.
 */
public function cascadeAuthorization(Authorization $authorization, ResourceInterface $resource)
{
    $subResources = $this->resourceGraphTraverser->getAllSubResources($resource);

    // array_values() keeps the result a plain list whatever keys the traverser used
    return array_values(array_map(
        function ($subResource) use ($authorization) {
            return $authorization->createChildAuthorization($subResource);
        },
        $subResources
    ));
}
/**
 * Give an authorization from a role to a resource.
 *
 * This method should only be called in roles.
 *
 * The root authorization is always created. When $cascade is true, the
 * cascade strategy is asked for the authorizations to propagate to
 * sub-resources, and every authorization is then written in a single
 * bulk insert.
 *
 * @param Role              $role
 * @param Actions           $actions
 * @param ResourceInterface $resource
 * @param bool              $cascade  Should the authorization cascade to sub-resources?
 */
public function allow(Role $role, Actions $actions, ResourceInterface $resource, $cascade = true)
{
    $rootAuthorization = Authorization::create($role, $actions, $resource, $cascade);

    $toInsert = [$rootAuthorization];
    if ($cascade) {
        // Cascaded authorizations follow the root one in the insert order
        $toInsert = array_merge(
            $toInsert,
            $this->cascadeStrategy->cascadeAuthorization($rootAuthorization, $resource)
        );
    }

    /** @var AuthorizationRepository $repository */
    $repository = $this->entityManager->getRepository('MyCLabs\\ACL\\Model\\Authorization');
    $repository->insertBulk($toInsert);
}
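/**
 * A child authorization keeps the role, security identity and actions of
 * its parent, targets the sub-resource (a class resource here, so no entity
 * id), links back to its parent, and is cascadable but not a root.
 */
public function testCreateChildAuthorization()
{
    $user = $this->getMockForAbstractClass('MyCLabs\\ACL\\Model\\SecurityIdentityInterface');
    $role = $this->getMock('MyCLabs\\ACL\\Model\\Role', [], [], '', false);
    $role->expects($this->any())->method('getSecurityIdentity')->will($this->returnValue($user));

    // __CLASS__ is the exact equivalent of argument-less get_class() (the class
    // declaring this method); the argument-less form is deprecated since PHP 8.3
    $resource = new ClassResource(__CLASS__);
    $subResource = new ClassResource(__CLASS__);

    $authorization = Authorization::create($role, Actions::all(), $resource);
    $childAuthorization = $authorization->createChildAuthorization($subResource);

    $this->assertInstanceOf('MyCLabs\\ACL\\Model\\Authorization', $childAuthorization);

    // Inherited from the parent authorization
    $this->assertSame($authorization->getRole(), $childAuthorization->getRole());
    $this->assertSame($authorization->getSecurityIdentity(), $childAuthorization->getSecurityIdentity());
    $this->assertEquals($authorization->getActions(), $childAuthorization->getActions());

    // Targets the sub-resource; a class resource carries no entity id
    $this->assertEquals(__CLASS__, $childAuthorization->getEntityClass());
    $this->assertNull($childAuthorization->getEntityId());

    // Parent link and cascade flags
    $this->assertSame($authorization, $childAuthorization->getParentAuthorization());
    $this->assertTrue($childAuthorization->isCascadable());
    $this->assertFalse($childAuthorization->isRoot());
}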
/**
 * findRolesDirectlyLinkedToResource() must return only the role whose
 * authorization targets the given resource itself, not a role whose
 * authorization reached the resource by cascading from the class resource.
 *
 * The authorizations are checked as well: on the entity the user gets
 * VIEW (cascaded from the class), EDIT and DELETE (direct); on the class
 * resource only VIEW was granted.
 */
public function testFindRolesDirectlyLinkedToResource()
{
    $user = new User();
    $this->em->persist($user);
    $file = new File();
    $this->em->persist($file);

    // Two roles on the same file: one authorized directly on the entity,
    // the other authorized on the class resource and cascaded to the entity
    $entityRole = new FileOwnerRole($user, $file);
    $this->em->persist($entityRole);
    $classRole = new FileOwnerRole($user, $file);
    $this->em->persist($classRole);
    $this->em->flush();

    $classResource = new ClassResource('\\Tests\\MyCLabs\\ACL\\Unit\\Repository\\Model\\File');

    $classView = Authorization::create($classRole, new Actions([Actions::VIEW]), $classResource, true);
    $authorizations = [
        Authorization::create($entityRole, new Actions([Actions::EDIT]), $file, true),
        Authorization::create($entityRole, new Actions([Actions::DELETE]), $file, true),
        $classView,
        $classView->createChildAuthorization($file),
    ];

    /** @var AuthorizationRepository $authorizationRepository */
    $authorizationRepository = $this->em->getRepository('MyCLabs\\ACL\\Model\\Authorization');
    $authorizationRepository->insertBulk($authorizations);

    // On the entity: VIEW via the cascaded class authorization, EDIT and DELETE via the direct ones
    foreach ([Actions::VIEW, Actions::EDIT, Actions::DELETE] as $action) {
        $this->assertTrue($authorizationRepository->isAllowedOnEntity($user, $action, $file));
    }

    // On the class resource: only VIEW was granted
    $className = $classResource->getClass();
    $this->assertTrue($authorizationRepository->isAllowedOnEntityClass($user, Actions::VIEW, $className));
    $this->assertFalse($authorizationRepository->isAllowedOnEntityClass($user, Actions::EDIT, $className));
    $this->assertFalse($authorizationRepository->isAllowedOnEntityClass($user, Actions::DELETE, $className));

    /** @var RoleRepository $roleRepository */
    $roleRepository = $this->em->getRepository('MyCLabs\\ACL\\Model\\Role');

    // Entity resource: only the role authorized directly on the entity
    $linkedRoles = $roleRepository->findRolesDirectlyLinkedToResource($file);
    $this->assertCount(1, $linkedRoles);
    $this->assertSame($entityRole, $linkedRoles[0]);

    // Class resource: only the role authorized on the class
    $linkedRoles = $roleRepository->findRolesDirectlyLinkedToResource($classResource);
    $this->assertCount(1, $linkedRoles);
    $this->assertSame($classRole, $linkedRoles[0]);
}
/**
 * removeAuthorizationsForResource() must drop only the authorizations of the
 * given resource and leave those of other resources in place.
 *
 * @depends testInsertBulk
 */
public function testRemoveForResource()
{
    $user = new User();
    $this->em->persist($user);

    // Two files, each owned by the same user through its own role;
    // each file/role pair is flushed before the next one is created
    $files = [];
    $roles = [];
    for ($i = 0; $i < 2; $i++) {
        $files[$i] = new File();
        $this->em->persist($files[$i]);
        $roles[$i] = new FileOwnerRole($user, $files[$i]);
        $this->em->persist($roles[$i]);
        $this->em->flush();
    }

    $authorizations = [
        Authorization::create($roles[0], new Actions([Actions::VIEW]), $files[0]),
        Authorization::create($roles[1], new Actions([Actions::VIEW]), $files[1]),
    ];

    /** @var AuthorizationRepository $repository */
    $repository = $this->em->getRepository('MyCLabs\\ACL\\Model\\Authorization');
    $repository->insertBulk($authorizations);

    $repository->removeAuthorizationsForResource($files[0]);

    // The first file lost its VIEW authorization, the second one kept it
    $this->assertFalse($repository->isAllowedOnEntity($user, Actions::VIEW, $files[0]));
    $this->assertTrue($repository->isAllowedOnEntity($user, Actions::VIEW, $files[1]));
}