/**
 * Calls handleRequest() twice: first with a supported-privilege set containing
 * 'DAV: all' and its child 'DAV: read', then with an empty supported-privilege set.
 *
 * A single expectOutputString() covers the combined output of both calls.
 * The object under test ($this->obj) and the ACEs it carries are prepared
 * outside this method.
 */
public function testHandle() {
    DAV::$REGISTRY->setResourceClass('DAVACL_Test_Resource');
    $readPriv = new DAVACL_Element_supported_privilege('DAV: read', false, 'Read permissions');
    $allPriv = new DAVACL_Element_supported_privilege('DAV: all', false, 'Read permissions');
    $allPriv->add_supported_privilege($readPriv);
    DAV::$ACLPROVIDER->setSupportedPrivilegeSet(array($allPriv));

    // First we expect the output of a successful call to DAVACL_Test_Resource::set_acl(),
    // and then an error stating that not all privileges are supported.
    // NOTE(review): the expected text below is reproduced as it appears in this listing;
    // its original line breaks are not visible here and must be restored from the real
    // file before the comparison can match.
    $this->expectOutputString(<<<EOS
Array ( [0] => DAVACL_Element_ace Object ( [principal] => DAV: all [invert] => [deny] => [privileges] => Array ( [0] => DAV: read ) [protected] => [inherited] => ) [1] => DAVACL_Element_ace Object ( [principal] => /path/to/user [invert] => [deny] => [privileges] => Array ( [0] => DAV: all ) [protected] => [inherited] => ) ) Content-Type: application/xml; charset="UTF-8" HTTP/1.1 403 Forbidden <?xml version="1.0" encoding="utf-8"?> <D:error xmlns:D="DAV:"> <D:not-supported-privilege/> </D:error>
EOS
    );
    $this->obj->handleRequest();

    // Unsupported privileges should trigger an error: with an empty supported set,
    // the same request must be refused instead of reaching set_acl().
    DAV::$ACLPROVIDER->setSupportedPrivilegeSet(array());
    $this->obj->handleRequest();
}
/**
 * Returns the supported-privilege tree for this resource.
 *
 * The tree is built on the first call and kept in a static local, so later
 * calls return the cached array without rebuilding it.
 *
 * Structure (children listed under their aggregate):
 *   DAVACL::PRIV_ALL
 *     DAVACL::PRIV_READ
 *       BeeHub::PRIV_READ_CONTENT
 *       DAVACL::PRIV_READ_ACL
 *       DAVACL::PRIV_READ_CURRENT_USER_PRIVILEGE_SET
 *     DAVACL::PRIV_WRITE
 *       DAVACL::PRIV_WRITE_CONTENT
 *       DAVACL::PRIV_UNBIND
 *     DAVACL::PRIV_WRITE_ACL
 *
 * NOTE(review): the second constructor argument is true for the read-content,
 * read-acl, read-current-user-privilege-set and write-content privileges and
 * false everywhere else. If that argument is the "abstract" flag, ACEs cannot
 * name those four privileges directly - confirm this is the intended policy.
 *
 * @return array One-element array holding the root (PRIV_ALL) privilege
 */
public function user_prop_supported_privilege_set() {
    static $cachedSet = null;
    if ($cachedSet !== null) {
        return $cachedSet;
    }

    // Read subtree.
    $read = new DAVACL_Element_supported_privilege(DAVACL::PRIV_READ, false, 'Read');
    $read->add_supported_privilege(
        new DAVACL_Element_supported_privilege(BeeHub::PRIV_READ_CONTENT, true, 'Read the content')
    );
    $read->add_supported_privilege(
        new DAVACL_Element_supported_privilege(DAVACL::PRIV_READ_ACL, true, 'Read ACL')
    );
    $read->add_supported_privilege(
        new DAVACL_Element_supported_privilege(DAVACL::PRIV_READ_CURRENT_USER_PRIVILEGE_SET, true, 'Read current user privilege set')
    );

    // Write subtree.
    $write = new DAVACL_Element_supported_privilege(DAVACL::PRIV_WRITE, false, 'Write');
    $write->add_supported_privilege(
        new DAVACL_Element_supported_privilege(DAVACL::PRIV_WRITE_CONTENT, true, 'Write the content')
    );
    $write->add_supported_privilege(
        new DAVACL_Element_supported_privilege(DAVACL::PRIV_UNBIND, false, 'Remove child resources from collections (this also requires write privilege on resource itself)')
    );

    $writeAcl = new DAVACL_Element_supported_privilege(DAVACL::PRIV_WRITE_ACL, false, 'Manage the ACL');

    // Root aggregate; the fluent chain is kept because it uses the return value
    // of add_supported_privilege().
    $root = new DAVACL_Element_supported_privilege(DAVACL::PRIV_ALL, false, 'All');
    $root->add_supported_privilege($read)
         ->add_supported_privilege($write)
         ->add_supported_privilege($writeAcl);

    $cachedSet = array($root);
    return $cachedSet;
}
/**
 * Builds the mocked DAVACL_Resource shared by several (but not all) tests.
 *
 * Side effects: sets $_SERVER['REQUEST_URI'] to '/path/to/principal' and
 * replaces DAV::$ACLPROVIDER with a fresh DAVACL_Test_ACL_Provider that
 * reports the privilege set built here.
 *
 * The stubbed ACL holds one ACE per privilege, spread over two href
 * principals and the ALL / AUTHENTICATED / UNAUTHENTICATED / SELF
 * pseudo-principals.
 * NOTE(review): the meaning of the two boolean DAVACL_Element_ace arguments
 * is not visible here - confirm against the constructor.
 *
 * @return DAVACL_Resource The mocked object
 */
private function prepareObjWithAcl() {
    $requestUri = '/path/to/principal';
    $_SERVER['REQUEST_URI'] = $requestUri;

    // Supported privileges: PRIV_ALL aggregating seven children.
    $rootPrivilege = new DAVACL_Element_supported_privilege(DAVACL::PRIV_ALL, false, '');
    $childPrivileges = array(
        DAVACL::PRIV_BIND,
        DAVACL::PRIV_READ,
        DAVACL::PRIV_READ_ACL,
        DAVACL::PRIV_READ_CURRENT_USER_PRIVILEGE_SET,
        DAVACL::PRIV_UNBIND,
        DAVACL::PRIV_UNLOCK,
        DAVACL::PRIV_WRITE_CONTENT,
    );
    foreach ($childPrivileges as $privilegeName) {
        $rootPrivilege->add_supported_privilege(
            new DAVACL_Element_supported_privilege($privilegeName, false, '')
        );
    }
    $supportedPrivs = array($rootPrivilege);

    DAV::$ACLPROVIDER = new DAVACL_Test_ACL_Provider();
    DAV::$ACLPROVIDER->setSupportedPrivilegeSet($supportedPrivs);

    $acl = array(
        new DAVACL_Element_ace('/path/to/principal', true, array(DAVACL::PRIV_BIND), false),
        new DAVACL_Element_ace('/path/to/other/principal', false, array(DAVACL::PRIV_READ), false),
        new DAVACL_Element_ace('/path/to/other/principal', true, array(DAVACL::PRIV_READ_ACL), false),
        new DAVACL_Element_ace(DAVACL::PRINCIPAL_ALL, false, array(DAVACL::PRIV_READ_CURRENT_USER_PRIVILEGE_SET), true),
        new DAVACL_Element_ace(DAVACL::PRINCIPAL_AUTHENTICATED, false, array(DAVACL::PRIV_UNBIND), false),
        new DAVACL_Element_ace(DAVACL::PRINCIPAL_UNAUTHENTICATED, false, array(DAVACL::PRIV_UNLOCK), false),
        new DAVACL_Element_ace(DAVACL::PRINCIPAL_SELF, false, array(DAVACL::PRIV_WRITE_CONTENT), false),
    );

    // Stubbed method name => fixed return value.
    $stubbedReturns = array(
        'user_prop_acl' => $acl,
        'user_prop_current_user_principal' => '/path/to/principal',
        'user_prop_supported_privilege_set' => $supportedPrivs,
    );

    $mock = $this->getMock('DAVACL_Resource', array_keys($stubbedReturns), array($requestUri));
    foreach ($stubbedReturns as $methodName => $returnValue) {
        $mock->expects($this->any())->method($methodName)->will($this->returnValue($returnValue));
    }

    return $mock;
}
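/**
 * Checks the validity of the ACL and sets it on the resource
 *
 * For every ACE in $this->aces the following is enforced before set_acl()
 * is called:
 *  - each privilege must appear in the resource's flattened
 *    supported-privilege set (else HTTP_FORBIDDEN / COND_NOT_SUPPORTED_PRIVILEGE);
 *  - the privilege must not be flagged abstract
 *    (else HTTP_FORBIDDEN / COND_NO_ABSTRACT);
 *  - a DAV_Element_href principal must carry a URI that DAV::$REGISTRY resolves
 *    to a DAVACL_Principal (else HTTP_FORBIDDEN / COND_RECOGNIZED_PRINCIPAL).
 *
 * NOTE(review): this method does not itself check that the caller is allowed
 * to change the ACL, nor does it look at protected or inherited ACEs (see the
 * TODO below). Presumably the authorization check lives in set_acl() or in
 * the caller - confirm, since everything that passes the checks above is
 * handed to set_acl() unchanged.
 *
 * @param DAVACL_Resource $resource
 * @return void
 * @throws DAV_Status
 */
protected function handle($resource) {
    $resource->assertLock();
    if (!$resource instanceof DAVACL_Resource) {
        throw new DAV_Status(DAV::HTTP_METHOD_NOT_ALLOWED);
    }

    $supported = DAVACL_Element_supported_privilege::flatten(
        $resource->user_prop_supported_privilege_set()
    );

    foreach ($this->aces as $ace) {
        foreach ($ace->privileges as $privilege) {
            // Check if the privilege is supported...
            if (!isset($supported[$privilege])) {
                throw new DAV_Status(DAV::HTTP_FORBIDDEN, DAV::COND_NOT_SUPPORTED_PRIVILEGE);
            }
            // ...and that it can be named in an ACE at all.
            if ($supported[$privilege]['abstract']) {
                throw new DAV_Status(DAV::HTTP_FORBIDDEN, DAV::COND_NO_ABSTRACT);
            }
        }

        if ($ace->principal instanceof DAV_Element_href) {
            // The ACEs presumably come from the request body, so do not assume the
            // href holds a URI: an empty href is treated as an unrecognized
            // principal instead of indexing a missing element.
            $uris = $ace->principal->URIs;
            if (!isset($uris[0])) {
                throw new DAV_Status(DAV::HTTP_FORBIDDEN, DAV::COND_RECOGNIZED_PRINCIPAL);
            }
            $path = $uris[0];
            $principal = DAV::$REGISTRY->resource($path);
            if (!$principal || !$principal instanceof DAVACL_Principal) {
                throw new DAV_Status(DAV::HTTP_FORBIDDEN, DAV::COND_RECOGNIZED_PRINCIPAL);
            }
        }
    }

    //TODO: enforce ACL restrictions
    $resource->set_acl($this->aces);
}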
/**
 * flatten() must return, for every privilege in the tree, the list of
 * privilege names it covers (itself plus its descendants) and its abstract flag.
 *
 * $this->obj is prepared outside this method; the expectation below implies
 * it is 'NS1 privilege1' with the abstract flag set.
 */
public function testFlatten() {
    $childPrivilege = new DAVACL_Element_supported_privilege('NS1 privilege2', false, 'Can I do something else?');
    $this->obj->add_supported_privilege($childPrivilege);

    // assertSame() also compares key order, so the child entry stays first.
    $expected = array(
        'NS1 privilege2' => array(
            'children' => array('NS1 privilege2'),
            'abstract' => false,
        ),
        'NS1 privilege1' => array(
            'children' => array('NS1 privilege1', 'NS1 privilege2'),
            'abstract' => true,
        ),
    );

    $flattened = DAVACL_Element_supported_privilege::flatten(array($this->obj));

    $this->assertSame(
        $expected,
        $flattened,
        'DAVACL_Element_supported_privilege::flatten() should return a correctly flattened array'
    );
}