/** * * @param PKPRequest $request * @param array $args * @param array $roleAssignments * @param string $submissionParameterName */ function buildSubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName) { // We need a submission in the request. import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy'); $this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName)); // Authors, managers and series editors potentially have // access to submissions. We'll have to define differentiated // policies for those roles in a policy set. $submissionAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // // Managerial role // if (isset($roleAssignments[ROLE_ID_MANAGER])) { // Managers have access to all submissions. $submissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER])); } // // Author role // if (isset($roleAssignments[ROLE_ID_AUTHOR])) { // 1) Author role user groups can access whitelisted operations ... $authorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $authorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR], 'user.authorization.authorRoleMissing')); // 2) ... if they meet one of the following requirements: $authorSubmissionAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // 2a) ...the requested submission is their own ... import('lib.pkp.classes.security.authorization.internal.SubmissionAuthorPolicy'); $authorSubmissionAccessOptionsPolicy->addPolicy(new SubmissionAuthorPolicy($request)); // 2b) ...OR, at least one workflow stage has been assigned to them in the requested submission. import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy'); $authorSubmissionAccessOptionsPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request)); $authorSubmissionAccessPolicy->addPolicy($authorSubmissionAccessOptionsPolicy); $submissionAccessPolicy->addPolicy($authorSubmissionAccessPolicy); } // // Reviewer role // if (isset($roleAssignments[ROLE_ID_REVIEWER])) { // 1) Reviewers can access whitelisted operations ... $reviewerSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $reviewerSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER])); // 2) ... but only if they have been assigned to the submission as reviewers. import('lib.pkp.classes.security.authorization.internal.ReviewAssignmentAccessPolicy'); $reviewerSubmissionAccessPolicy->addPolicy(new ReviewAssignmentAccessPolicy($request)); $submissionAccessPolicy->addPolicy($reviewerSubmissionAccessPolicy); } // // Assistant role // if (isset($roleAssignments[ROLE_ID_ASSISTANT])) { // 1) Assistants can access whitelisted operations ... $contextSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $contextSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT])); // 2) ... but only if they have been assigned to the submission workflow. import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy'); $contextSubmissionAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request)); $submissionAccessPolicy->addPolicy($contextSubmissionAccessPolicy); } return $submissionAccessPolicy; }
function authorize($request, &$args, $roleAssignments) { $fileIds = $request->getUserVar('filesIdsAndRevisions'); $libraryFileId = $request->getUserVar('libraryFileId'); if (is_string($fileIds)) { $fileIdsArray = explode(';', $fileIds); // Remove empty entries (a trailing ";" will cause these) $fileIdsArray = array_filter($fileIdsArray, create_function('$a', 'return !empty($a);')); } if (!empty($fileIdsArray)) { $multipleSubmissionFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); foreach ($fileIdsArray as $fileIdAndRevision) { $multipleSubmissionFileAccessPolicy->addPolicy($this->_getAccessPolicy($request, $args, $roleAssignments, $fileIdAndRevision)); } $this->addPolicy($multipleSubmissionFileAccessPolicy); } else { if (is_numeric($libraryFileId)) { import('lib.pkp.classes.security.authorization.ContextAccessPolicy'); $this->addPolicy(new ContextAccessPolicy($request, $roleAssignments)); } else { // IDs will be specified using the default parameters. $this->addPolicy($this->_getAccessPolicy($request, $args, $roleAssignments)); } } return parent::authorize($request, $args, $roleAssignments); }
/** * Add a new policy to the Resource * * @param Policy $policy Policy instance * * @return \Xacmlphp\Resource instance */ public function addPolicy(Policy $policy) { if ($this->policySet === null) { $this->policySet = new PolicySet(); } $this->policySet->addPolicy($policy); return $this; }
/** * * @param PKPRequest $request * @param array $args * @param array $roleAssignments * @param $mode int bitfield SIGNOFF_ACCESS_... * @param $stageId int */ function buildSignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId) { // We need a submission matching the file in the request. import('lib.pkp.classes.security.authorization.internal.SignoffExistsAccessPolicy'); $this->addPolicy(new SignoffExistsAccessPolicy($request, $args)); // We need a valid workflow stage. import('lib.pkp.classes.security.authorization.internal.WorkflowStageRequiredPolicy'); $this->addPolicy(new WorkflowStageRequiredPolicy($stageId)); // Authors, context managers and sub editors potentially have // access to signoffs. We'll have to define // differentiated policies for those roles in a policy set. $signoffAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // // Managerial role // if (isset($roleAssignments[ROLE_ID_MANAGER])) { // Managers have all access to all signoffs. $signoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER])); } // // Assistants // if (isset($roleAssignments[ROLE_ID_ASSISTANT])) { // 1) Assistants can access all operations on signoffs... $assistantSignoffAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $assistantSignoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT])); // 2) ... but only if they have access to the workflow stage. import('classes.security.authorization.WorkflowStageAccessPolicy'); // pulled from context-specific class path. $assistantSignoffAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId)); $signoffAccessPolicy->addPolicy($assistantSignoffAccessPolicy); } // // Authors // if (isset($roleAssignments[ROLE_ID_AUTHOR])) { if ($mode & SIGNOFF_ACCESS_READ) { // 1) Authors can access read operations on signoffs... $authorSignoffAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $authorSignoffAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR])); // 2) ... but only if they are assigned to the workflow stage as an stage participant. import('classes.security.authorization.WorkflowStageAccessPolicy'); $authorSignoffAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId)); $signoffAccessPolicy->addPolicy($authorSignoffAccessPolicy); } } // // User owns the signoff (all roles): permit // import('lib.pkp.classes.security.authorization.internal.SignoffAssignedToUserAccessPolicy'); $userOwnsSignoffPolicy = new SignoffAssignedToUserAccessPolicy($request); $signoffAccessPolicy->addPolicy($userOwnsSignoffPolicy); $this->addPolicy($signoffAccessPolicy); return $signoffAccessPolicy; }
/** * @covers RoleBasedHandlerOperationPolicy */ public function testRoleAuthorization() { // Construct the user roles array. $userRoles = array(ROLE_ID_SITE_ADMIN, ROLE_ID_TEST); // Test the user-group/role policy with a default // authorized request. $request = $this->getMockRequest('permittedOperation'); $rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy()); $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST), 'permittedOperation')); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); // Test the user-group/role policy with a non-authorized role. $rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy()); $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_NON_AUTHORIZED, 'permittedOperation')); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); // Test the policy with an authorized role but a non-authorized operation. $request = $this->getMockRequest('privateOperation'); $rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy()); $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, 'permittedOperation')); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); // Test the policy with an authorized role and a // non-authorized operation but bypass the the operation check. // FIXME: Remove the "bypass operation check" code once we've removed the // HandlerValidatorRole compatibility class, see #5868. $rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy()); $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, array(), 'some.message', false, true)); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); // Test the "all roles must match" feature. $request = $this->getMockRequest('permittedOperation'); $rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy()); $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_SITE_ADMIN, ROLE_ID_TEST), 'permittedOperation', 'some.message', true, false)); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); // Test again the "all roles must match" feature but this time // with one role not matching. $rolePolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $rolePolicy->addPolicy($this->getAuthorizationContextManipulationPolicy()); $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, array(ROLE_ID_TEST, ROLE_ID_SITE_ADMIN, ROLE_ID_NON_AUTHORIZED), 'permittedOperation', 'some.message', true, false)); $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($rolePolicy); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); }
/** * @copydoc PKPHandler::authorize() */ function authorize($request, &$args, $roleAssignments) { import('lib.pkp.classes.security.authorization.PolicySet'); $rolePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy'); foreach ($roleAssignments as $role => $operations) { $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $role, $operations)); } $this->addPolicy($rolePolicy); return parent::authorize($request, $args, $roleAssignments); }
/** * Constructor * @param $request PKPRequest * @param $roleAssignments array */ function OjsJournalAccessPolicy(&$request, $roleAssignments) { parent::JournalPolicy($request); // On journal level we don't have role-specific conditions // so we can simply add all role assignments. It's ok if // any of these role conditions permits access. $journalRolePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy'); foreach ($roleAssignments as $role => $operations) { $journalRolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $role, $operations)); } $this->addPolicy($journalRolePolicy); }
/** * Constructor * @param $request PKPRequest * @param $args array request arguments * @param $roleAssignments array */ function OjsAuthorDashboardAccessPolicy($request, &$args, $roleAssignments) { parent::ContextPolicy($request); $authorDashboardPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); // AuthorDashboard requires a valid monograph in request. import('classes.security.authorization.SubmissionAccessPolicy'); $authorDashboardPolicy->addPolicy(new SubmissionAccessPolicy($request, $args, $roleAssignments), true); // Check if the user has an stage assignment with the monograph in request. // Any workflow stage assignment is suficient to access the author dashboard. import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy'); $authorDashboardPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request)); $this->addPolicy($authorDashboardPolicy); }
/** * Constructor * @param $request PKPRequest */ function JournalPolicy(&$request) { parent::PolicySet(); // Ensure that we have a journal in the context. import('lib.pkp.classes.security.authorization.ContextRequiredPolicy'); $this->addPolicy(new ContextRequiredPolicy($request, 'user.authorization.noJournal')); }
/** * @see PKPHandler::authorize() */ function authorize($request, &$args, $roleAssignments) { import('lib.pkp.classes.security.authorization.PolicySet'); $rolePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); import('lib.pkp.classes.security.authorization.RoleBasedHandlerOperationPolicy'); foreach ($roleAssignments as $role => $operations) { $rolePolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $role, $operations)); } $this->addPolicy($rolePolicy); $this->reviewFormId = (int) $request->getUserVar('reviewFormId'); $reviewFormDao = DAORegistry::getDAO('ReviewFormDAO'); if (!$reviewFormDao->reviewFormExists($this->reviewFormId, Application::getContextAssocType(), $request->getContext()->getId())) { return false; } return parent::authorize($request, $args, $roleAssignments); }
/** * Constructor * @param $request PKPRequest */ function PressPolicy(&$request) { parent::PolicySet(); // Ensure we're in a press import('lib.pkp.classes.security.authorization.ContextRequiredPolicy'); $this->addPolicy(new ContextRequiredPolicy($request, 'user.authorization.noPress')); }
/** * Constructor * @param $request PKPRequest */ function __construct($request) { parent::__construct(); // Ensure we're in a context import('lib.pkp.classes.security.authorization.ContextRequiredPolicy'); $this->addPolicy(new ContextRequiredPolicy($request, 'user.authorization.noContext')); }
/** * Constructor * @param $request PKPRequest * @param $args array * @param $roleAssignments array * @param $submissionParameterName string */ function OjsSubmissionAccessPolicy(&$request, &$args, $roleAssignments, $submissionParameterName = 'articleId') { parent::JournalPolicy($request); // Create a "permit overrides" policy set that specifies // editor and copyeditor access to submissions. $submissionEditingPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // // Editor roles (Editor and Section Editor) policy // $editorsPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); // Editorial components can only be called if there's a // valid section editor submission in the request. // FIXME: We should find a way to check whether the user actually // is a (section) editor before we execute this expensive policy. import('classes.security.authorization.internal.SectionEditorSubmissionRequiredPolicy'); $editorsPolicy->addPolicy(new SectionEditorSubmissionRequiredPolicy($request, $args, $submissionParameterName)); $editorRolesPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // Editors can access all operations. $editorRolesPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_EDITOR, $roleAssignments[ROLE_ID_EDITOR])); // Section editors $sectionEditorPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); // 1) Section editors can access all remote operations ... $sectionEditorPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SECTION_EDITOR, $roleAssignments[ROLE_ID_SECTION_EDITOR])); // 2) ... but only if the requested submission has been explicitly assigned to them. import('classes.security.authorization.internal.SectionSubmissionAssignmentPolicy'); $sectionEditorPolicy->addPolicy(new SectionSubmissionAssignmentPolicy($request)); $editorRolesPolicy->addPolicy($sectionEditorPolicy); $editorsPolicy->addPolicy($editorRolesPolicy); $submissionEditingPolicy->addPolicy($editorsPolicy); // // Copyeditor policy // $copyeditorPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); // 1) Copyeditors can only access editorial components when a valid // copyeditor submission is in the request ... import('classes.security.authorization.internal.CopyeditorSubmissionRequiredPolicy'); $copyeditorPolicy->addPolicy(new CopyeditorSubmissionRequiredPolicy($request, $args, $submissionParameterName)); // 2) ... If that's the case then copyeditors can access all remote operations ... $copyeditorPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_COPYEDITOR, $roleAssignments[ROLE_ID_SECTION_EDITOR])); // 3) ... but only if the requested submission has been explicitly assigned to them. import('classes.security.authorization.internal.CopyeditorSubmissionAssignmentPolicy'); $copyeditorPolicy->addPolicy(new CopyeditorSubmissionAssignmentPolicy($request)); $submissionEditingPolicy->addPolicy($copyeditorPolicy); // Add the submission editing policies to this policy set. $this->addPolicy($submissionEditingPolicy); }
/** * Constructor * @param $request PKPRequest * @param $args array request parameters * @param $roleAssignments array * @param $mode int bitfield SIGNOFF_ACCESS_... * @param $stageId int */ function SignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId) { parent::PKPSignoffAccessPolicy($request, $args, $roleAssignments, $mode, $stageId); $signoffAccessPolicy = $this->_baseSignoffAccessPolicy; // // Series editor role // if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) { // 1) Section editors can access all operations on signoffs ... $sectionEditorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $sectionEditorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR])); // 2) ... but only if the requested signoff submission is part of their series. import('classes.security.authorization.internal.SectionAssignmentPolicy'); $sectionEditorFileAccessPolicy->addPolicy(new SectionAssignmentPolicy($request)); $signoffAccessPolicy->addPolicy($sectionEditorFileAccessPolicy); } }
/** * Constructor * @param $request PKPRequest * @param $args array request parameters * @param $roleAssignments array * @param $submissionParameterName string the request parameter we * expect the submission id in. */ function OmpPublishedMonographAccessPolicy($request, $args, $roleAssignments, $submissionParameterName = 'submissionId') { parent::ContextPolicy($request); // Access may be made either as a member of the public, or // via pre-publication access to editorial users. $monographAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // Published monograph access for the public $publishedMonographAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy'); $publishedMonographAccessPolicy->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName)); import('classes.security.authorization.internal.MonographPublishedPolicy'); $publishedMonographAccessPolicy->addPolicy(new MonographPublishedPolicy($request)); $monographAccessPolicy->addPolicy($publishedMonographAccessPolicy); // Pre-publication access for editorial roles import('classes.security.authorization.SubmissionAccessPolicy'); $monographAccessPolicy->addPolicy(new SubmissionAccessPolicy($request, $args, array_intersect_key($roleAssignments, array(ROLE_ID_MANAGER, ROLE_ID_SUB_EDITOR)), $submissionParameterName)); $this->addPolicy($monographAccessPolicy); }
/** * Constructor * @param $request PKPRequest * @param $args array request parameters * @param $roleAssignments array * @param $mode int bitfield SUBMISSION_FILE_ACCESS_... * @param $fileIdAndRevision string * @param $submissionParameterName string the request parameter we expect * the submission id in. */ function SubmissionFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision = null, $submissionParameterName = 'submissionId') { parent::PKPSubmissionFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName); $fileAccessPolicy = $this->_baseFileAccessPolicy; // // Series editor role // if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) { // 1) Series editors can access all operations on submissions ... $seriesEditorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $seriesEditorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR])); // 2) ... but only if the requested submission is part of their series. import('classes.security.authorization.internal.SeriesAssignmentPolicy'); $seriesEditorFileAccessPolicy->addPolicy(new SeriesAssignmentPolicy($request)); $fileAccessPolicy->addPolicy($seriesEditorFileAccessPolicy); } $this->addPolicy($fileAccessPolicy); }
/** * Evaluate the given set of policies against the subject * * @param Subject $subject Current subject * @param PolicySet $policySet Set of policies * @param Action $action * * @return bool */ public function evaluate(Subject $subject, PolicySet $policySet, Action $action) { // get the subject's attributes $this->setSubjectAttributes($subject->getAttributes()); $policyResults = $this->handlePolicies($policySet->getPolicies()); if (count($policyResults) == 1) { return array_shift($policyResults); } else { // we're working with a set of policies, go with the algorithm // if we have one... $algorithm = $policySet->getAlgorithm(); if ($algorithm === null) { // default to most secure - deny overrides! $algorithm = new Algorithm\DenyOverrides(); } return $algorithm = $algorithm->evaluate($policyResults); } }
/** * Constructor * @param $request PKPRequest * @param $args array request arguments * @param $roleAssignments array * @param $submissionParameterName string * @param $stageId integer One of the WORKFLOW_STAGE_ID_* constants. */ function ReviewStageAccessPolicy($request, &$args, $roleAssignments, $submissionParameterName = 'submissionId', $stageId) { parent::ContextPolicy($request); // Create a "permit overrides" policy set that specifies // role-specific access to submission stage operations. $workflowStagePolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // Add the workflow policy, for editorial / press roles import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy'); $workflowStagePolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, $submissionParameterName, $stageId)); if ($stageId == WORKFLOW_STAGE_ID_INTERNAL_REVIEW || $stageId == WORKFLOW_STAGE_ID_EXTERNAL_REVIEW) { // Add the submission policy, for reviewer roles import('lib.pkp.classes.security.authorization.SubmissionAccessPolicy'); $submissionPolicy = new SubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName); $submissionPolicy->addPolicy(new WorkflowStageRequiredPolicy($stageId)); $workflowStagePolicy->addPolicy($submissionPolicy); } // Add the role-specific policies to this policy set. $this->addPolicy($workflowStagePolicy); }
/** * @see AuthorizationPolicy::effect() */ function effect() { // Retrieve the user from the session. $request = $this->getRequest(); $user = $request->getUser(); if (!is_a($user, 'User')) { return AUTHORIZATION_DENY; } // Execute handler operation checks. return parent::effect(); }
/** * Constructor * @param $request PKPRequest * @param $args array request arguments * @param $roleAssignments array * @param $submissionParameterName string * @param $stageId integer One of the WORKFLOW_STAGE_ID_* constants. */ function WorkflowStageAccessPolicy($request, &$args, $roleAssignments, $submissionParameterName = 'submissionId', $stageId) { parent::PKPWorkflowStageAccessPolicy($request, $args, $roleAssignments, $submissionParameterName, $stageId); // A workflow stage component can only be called if there's a // valid section editor submission in the request. import('classes.security.authorization.internal.SectionEditorSubmissionRequiredPolicy'); $this->addPolicy(new SectionEditorSubmissionRequiredPolicy($request, $args, $submissionParameterName)); // Add the user accessible workflow stages object to the authorized context. import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy'); $this->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request)); // Users can access all whitelisted operations for submissions and workflow stages... $roleBasedPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); foreach ($roleAssignments as $roleId => $operations) { $roleBasedPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, $roleId, $operations)); } $this->addPolicy($roleBasedPolicy); // ... if they can access the requested workflow stage. import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStagePolicy'); $this->addPolicy(new UserAccessibleWorkflowStagePolicy($stageId)); }
/** * Constructor * @param $request PKPRequest * @param $args array request arguments * @param $roleAssignments array */ function OhsPluginAccessPolicy(&$request, &$args, $roleAssignments) { parent::PolicySet(); // A valid plugin is required. $this->addPolicy(new PluginRequiredPolicy($request)); // // Site administrator role // if (isset($roleAssignments[ROLE_ID_SITE_ADMIN])) { // Site admin have access to all plugins... $this->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, $roleAssignments[ROLE_ID_SITE_ADMIN])); } }
/** * Test the evaluation of all policies when no policy name is given */ public function testAllPolicyEvaluateAllAny() { $set = PolicySet::instance()->add('policy1', Policy::instance()->hasUsername('ccornutt')); $user = (object) ['username' => 'ccornutt']; $subject = new Subject($user); $subject->setAuth(true); $context = new Context(['policies' => $set]); $gateway = new Gateway($subject, $context); // Evaluate the result of the policy above, true because they're: // 1. set correctly, 2. policy passes $result = $gateway->evaluate(); $this->assertTrue($result); }
/** * Constructor * @param $request PKPRequest * @param $args array request arguments * @param $roleAssignments array * @param $accessMode int */ function OjsPluginAccessPolicy($request, &$args, $roleAssignments, $accessMode = ACCESS_MODE_ADMIN) { parent::PolicySet(); // A valid plugin is required. $this->addPolicy(new PluginRequiredPolicy($request)); // Journal managers and site admin have // access to plugins. We'll have to define // differentiated policies for those roles in a policy set. $pluginAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); $pluginAccessPolicy->setEffectIfNoPolicyApplies(AUTHORIZATION_DENY); // // Managerial role // if (isset($roleAssignments[ROLE_ID_MANAGER])) { if ($accessMode & ACCESS_MODE_MANAGE) { // Journal managers have edit settings access mode... $journalManagerPluginAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $journalManagerPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER])); // ...only to journal level plugins. $journalManagerPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, CONTEXT_JOURNAL)); $pluginAccessPolicy->addPolicy($journalManagerPluginAccessPolicy); } } // // Site administrator role // if (isset($roleAssignments[ROLE_ID_SITE_ADMIN])) { // Site admin have access to all plugins... $siteAdminPluginAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $siteAdminPluginAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SITE_ADMIN, $roleAssignments[ROLE_ID_SITE_ADMIN])); if ($accessMode & ACCESS_MODE_MANAGE) { // ...of site level only. $siteAdminPluginAccessPolicy->addPolicy(new PluginLevelRequiredPolicy($request, CONTEXT_SITE)); } $pluginAccessPolicy->addPolicy($siteAdminPluginAccessPolicy); } $this->addPolicy($pluginAccessPolicy); }
/** * @covers PolicySet */ public function testPolicySet() { // Test combining algorithm and default effect. $policySet = new PolicySet(); self::assertEquals(COMBINING_DENY_OVERRIDES, $policySet->getCombiningAlgorithm()); self::assertEquals(AUTHORIZATION_DENY, $policySet->getEffectIfNoPolicyApplies()); $policySet = new PolicySet(COMBINING_PERMIT_OVERRIDES); $policySet->setEffectIfNoPolicyApplies(AUTHORIZATION_PERMIT); self::assertEquals(COMBINING_PERMIT_OVERRIDES, $policySet->getCombiningAlgorithm()); self::assertEquals(AUTHORIZATION_PERMIT, $policySet->getEffectIfNoPolicyApplies()); // Test adding policies. $policySet->addPolicy($policy1 = new AuthorizationPolicy('policy1')); $policySet->addPolicy($policy2 = new AuthorizationPolicy('policy2')); $policySet->addPolicy($policy3 = new AuthorizationPolicy('policy3'), $addToTop = true); self::assertEquals(array($policy3, $policy1, $policy2), $policySet->getPolicies()); }
/** * Constructor * @param $request PKPRequest * @param $args array request parameters * @param $roleAssignments array * @param $submissionParameterName string the request parameter we * expect the submission id in. */ function SubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName = 'submissionId') { parent::PKPSubmissionAccessPolicy($request, $args, $roleAssignments, $submissionParameterName); $submissionAccessPolicy = $this->_baseSubmissionAccessPolicy; // // Series editor role // if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) { // 1) Series editors can access all operations on submissions ... $subEditorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $subEditorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR])); // but only if ... $subEditorAssignmentOrSeriesPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // 2a) ... the requested submission is part of their series ... import('classes.security.authorization.internal.SeriesAssignmentPolicy'); $subEditorAssignmentOrSeriesPolicy->addPolicy(new SeriesAssignmentPolicy($request)); // 2b) ... or they have been assigned to the requested submission. import('classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy'); $subEditorAssignmentOrSeriesPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request)); $subEditorSubmissionAccessPolicy->addPolicy($subEditorAssignmentOrSeriesPolicy); $submissionAccessPolicy->addPolicy($subEditorSubmissionAccessPolicy); } $this->addPolicy($submissionAccessPolicy); }
/** * Constructor * @param $request PKPRequest * @param $args array request parameters * @param $roleAssignments array * @param $submissionParameterName string the request parameter we expect * the submission id in. */ function OmpSubmissionAccessPolicy(&$request, $args, $roleAssignments, $submissionParameterName = 'monographId') { parent::PressPolicy($request); // We need a submission in the request. import('classes.security.authorization.internal.MonographRequiredPolicy'); $this->addPolicy(new MonographRequiredPolicy($request, $args, $submissionParameterName)); // Authors, press managers and series editors potentially have access // to submissions. We'll have to define differentiated policies for those // roles in a policy set. $submissionAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // // Managerial role // if (isset($roleAssignments[ROLE_ID_PRESS_MANAGER])) { // Press managers have access to all submissions. $submissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_PRESS_MANAGER, $roleAssignments[ROLE_ID_PRESS_MANAGER])); } // // Series editor role // if (isset($roleAssignments[ROLE_ID_SERIES_EDITOR])) { // 1) Series editors can access all operations on submissions ... $seriesEditorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $seriesEditorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SERIES_EDITOR, $roleAssignments[ROLE_ID_SERIES_EDITOR])); // 2) ... but only if the requested submission is part of their series. import('classes.security.authorization.internal.SeriesAssignmentPolicy'); $seriesEditorSubmissionAccessPolicy->addPolicy(new SeriesAssignmentPolicy($request)); $submissionAccessPolicy->addPolicy($seriesEditorSubmissionAccessPolicy); } // // Author role // if (isset($roleAssignments[ROLE_ID_AUTHOR])) { // 1) Author role user groups can access whitelisted operations ... $authorSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $authorSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR])); // 2) ... if the requested submission is their own ... import('classes.security.authorization.internal.MonographAuthorPolicy'); $authorSubmissionAccessPolicy->addPolicy(new MonographAuthorPolicy($request)); $submissionAccessPolicy->addPolicy($authorSubmissionAccessPolicy); } // // Reviewer role // if (isset($roleAssignments[ROLE_ID_REVIEWER])) { // 1) Reviewers can access whitelisted operations ... $reviewerSubmissionAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $reviewerSubmissionAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER])); // 2) ... but only if they have been assigned to the submission as reviewers. import('classes.security.authorization.internal.ReviewAssignmentAccessPolicy'); $reviewerSubmissionAccessPolicy->addPolicy(new ReviewAssignmentAccessPolicy($request)); $submissionAccessPolicy->addPolicy($reviewerSubmissionAccessPolicy); } $this->addPolicy($submissionAccessPolicy); }
/** * * @param PKPRequest $request * @param array $args * @param array $roleAssignments * @param int bitfield $mode * @param string $fileIdAndRevision * @param string $submissionParameterName */ function buildFileAccessPolicy($request, $args, $roleAssignments, $mode, $fileIdAndRevision, $submissionParameterName) { // We need a submission matching the file in the request. import('lib.pkp.classes.security.authorization.internal.SubmissionRequiredPolicy'); $this->addPolicy(new SubmissionRequiredPolicy($request, $args, $submissionParameterName)); import('lib.pkp.classes.security.authorization.internal.SubmissionFileMatchesSubmissionPolicy'); $this->addPolicy(new SubmissionFileMatchesSubmissionPolicy($request, $fileIdAndRevision)); // Authors, managers and series editors potentially have // access to submission files. We'll have to define // differentiated policies for those roles in a policy set. $fileAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // // Managerial role // if (isset($roleAssignments[ROLE_ID_MANAGER])) { // Managers have all access to all submissions. $fileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER])); } // // Author role // if (isset($roleAssignments[ROLE_ID_AUTHOR])) { // 1) Author role user groups can access whitelisted operations ... $authorFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $authorFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR])); // 2) ...if they are assigned to the workflow stage. Note: This loads the application-specific policy class. import('classes.security.authorization.WorkflowStageAccessPolicy'); $authorFileAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $request->getUserVar('stageId'))); // 3) ...and if they meet one of the following requirements: $authorFileAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // 3a) If the file was uploaded by the current user, allow... import('lib.pkp.classes.security.authorization.internal.SubmissionFileUploaderAccessPolicy'); $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileUploaderAccessPolicy($request, $fileIdAndRevision)); // 3b) ...or if the file is a file in a review round with requested revision decision, allow... // Note: This loads the application-specific policy class import('classes.security.authorization.internal.SubmissionFileRequestedRevisionRequiredPolicy'); $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileRequestedRevisionRequiredPolicy($request, $fileIdAndRevision)); // ...or if we don't want to modify the file... if (!($mode & SUBMISSION_FILE_ACCESS_MODIFY)) { // 3c) ...and the file is at submission stage... import('lib.pkp.classes.security.authorization.internal.SubmissionFileSubmissionStageRequiredPolicy'); $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileSubmissionStageRequiredPolicy($request, $fileIdAndRevision)); // 3d) ...or the file is a viewable reviewer response... import('lib.pkp.classes.security.authorization.internal.SubmissionFileViewableReviewerResponseRequiredPolicy'); $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileViewableReviewerResponseRequiredPolicy($request, $fileIdAndRevision)); // 3e) ...or if the file is part of a signoff assigned to the user, allow. import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedAuditorAccessPolicy'); $authorFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedAuditorAccessPolicy($request, $fileIdAndRevision)); } // Add the rules from 3) $authorFileAccessPolicy->addPolicy($authorFileAccessOptionsPolicy); $fileAccessPolicy->addPolicy($authorFileAccessPolicy); } // // Reviewer role // if (isset($roleAssignments[ROLE_ID_REVIEWER])) { // 1) Reviewers can access whitelisted operations ... $reviewerFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $reviewerFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_REVIEWER, $roleAssignments[ROLE_ID_REVIEWER])); // 2) ...if they meet one of the following requirements: $reviewerFileAccessOptionsPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // 2a) If the file was uploaded by the current user, allow. import('lib.pkp.classes.security.authorization.internal.SubmissionFileUploaderAccessPolicy'); $reviewerFileAccessOptionsPolicy->addPolicy(new SubmissionFileUploaderAccessPolicy($request, $fileIdAndRevision)); // 2b) If the file is part of an assigned review, and we're not // trying to modify it, allow. import('lib.pkp.classes.security.authorization.internal.SubmissionFileAssignedReviewerAccessPolicy'); if (!($mode & SUBMISSION_FILE_ACCESS_MODIFY)) { $reviewerFileAccessOptionsPolicy->addPolicy(new SubmissionFileAssignedReviewerAccessPolicy($request, $fileIdAndRevision)); } // Add the rules from 2) $reviewerFileAccessPolicy->addPolicy($reviewerFileAccessOptionsPolicy); // Add this policy set $fileAccessPolicy->addPolicy($reviewerFileAccessPolicy); } // // Assistant role. // if (isset($roleAssignments[ROLE_ID_ASSISTANT])) { // 1) Assistants can access whitelisted operations... $contextAssistantFileAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $contextAssistantFileAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT])); // 2) ... but only if they have been assigned to the submission workflow. // Note: This loads the application-specific policy class import('classes.security.authorization.WorkflowStageAccessPolicy'); $contextAssistantFileAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $request->getUserVar('stageId'))); $fileAccessPolicy->addPolicy($contextAssistantFileAccessPolicy); } return $fileAccessPolicy; }
/** * Constructor * @param $request PKPRequest * @param $args array request parameters * @param $roleAssignments array * @param $stageId int */ function __construct($request, $args, $roleAssignments, $stageId) { parent::__construct($request); // We need a valid workflow stage. import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy'); $this->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId)); // We need a query matching the submission in the request. import('lib.pkp.classes.security.authorization.internal.QueryRequiredPolicy'); $this->addPolicy(new QueryRequiredPolicy($request, $args)); // Authors, context managers and sub editors potentially have // access to queries. We'll have to define // differentiated policies for those roles in a policy set. $queryAccessPolicy = new PolicySet(COMBINING_PERMIT_OVERRIDES); // // Managerial role // if (isset($roleAssignments[ROLE_ID_MANAGER])) { // Managers have all access to all queries. $queryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_MANAGER, $roleAssignments[ROLE_ID_MANAGER])); } // // Assistants // if (isset($roleAssignments[ROLE_ID_ASSISTANT])) { // 1) Assistants can access all operations on queries... $assistantQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $assistantQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_ASSISTANT, $roleAssignments[ROLE_ID_ASSISTANT])); // 2) ... but only if they have access to the workflow stage. import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy'); // pulled from context-specific class path. $assistantQueryAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId)); // 3) ... and the assistant is assigned to the query. import('lib.pkp.classes.security.authorization.internal.QueryAssignedToUserAccessPolicy'); $assistantQueryAccessPolicy->addPolicy(new QueryAssignedToUserAccessPolicy($request)); $queryAccessPolicy->addPolicy($assistantQueryAccessPolicy); } // // Authors // if (isset($roleAssignments[ROLE_ID_AUTHOR])) { // 1) Authors can access read operations on queries... $authorQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $authorQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_AUTHOR, $roleAssignments[ROLE_ID_AUTHOR])); // 2) ... but only if they are assigned to the workflow stage as an stage participant... import('lib.pkp.classes.security.authorization.WorkflowStageAccessPolicy'); $authorQueryAccessPolicy->addPolicy(new WorkflowStageAccessPolicy($request, $args, $roleAssignments, 'submissionId', $stageId)); // 3) ... and the author is assigned to the query. import('lib.pkp.classes.security.authorization.internal.QueryAssignedToUserAccessPolicy'); $authorQueryAccessPolicy->addPolicy(new QueryAssignedToUserAccessPolicy($request)); $queryAccessPolicy->addPolicy($authorQueryAccessPolicy); } // // Sub editor role // if (isset($roleAssignments[ROLE_ID_SUB_EDITOR])) { // 1) Sub editors can access all operations on submissions ... $subEditorQueryAccessPolicy = new PolicySet(COMBINING_DENY_OVERRIDES); $subEditorQueryAccessPolicy->addPolicy(new RoleBasedHandlerOperationPolicy($request, ROLE_ID_SUB_EDITOR, $roleAssignments[ROLE_ID_SUB_EDITOR])); // 2) ... but only if they have been assigned to the requested submission. import('lib.pkp.classes.security.authorization.internal.UserAccessibleWorkflowStageRequiredPolicy'); $subEditorQueryAccessPolicy->addPolicy(new UserAccessibleWorkflowStageRequiredPolicy($request)); $queryAccessPolicy->addPolicy($subEditorQueryAccessPolicy); } $this->addPolicy($queryAccessPolicy); return $queryAccessPolicy; }
/** * @covers AuthorizationDecisionManager */ public function testDecide() { // We have to test policies and policy sets // as well as different combining algorithms. $denyPolicy = new AuthorizationPolicy(); $permitPolicy = $this->getMock('AuthorizationPolicy', array('effect')); $permitPolicy->expects($this->any())->method('effect')->will($this->returnCallback(array($this, 'mockEffect'))); // deny overrides // - permit policy // - deny policy $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($permitPolicy); $decisionManager->addPolicy($denyPolicy); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); // deny overrides // - permit policy // - permit policy $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($permitPolicy); $decisionManager->addPolicy($permitPolicy); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); // deny overrides // - permit policy // - allow overrides // -- deny policy // -- deny policy $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($permitPolicy); $policySet = new PolicySet(); $policySet->addPolicy($denyPolicy); $policySet->addPolicy($denyPolicy); $decisionManager->addPolicy($policySet); self::assertEquals(AUTHORIZATION_DENY, $decisionManager->decide()); // deny overrides // - permit policy // - allow overrides // -- deny policy // -- permit policy $decisionManager = new AuthorizationDecisionManager(); $decisionManager->addPolicy($permitPolicy); $policySet = new PolicySet(COMBINING_PERMIT_OVERRIDES); $policySet->addPolicy($denyPolicy); $policySet->addPolicy($permitPolicy); $decisionManager->addPolicy($policySet); self::assertEquals(AUTHORIZATION_PERMIT, $decisionManager->decide()); }
/** * Test that an exception is thrown when teh policy name isn't found * * @expectedException \InvalidArgumentException */ public function testPolicyNameNotFoundAllows() { $policySet = PolicySet::instance(); $subject = new Subject((object) ['username' => 'ccornutt']); $en = new Enforcer($policySet); $en->allows('policy1', $subject); }