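/**
 * Walks through the UI as 'super', 'jim' and 'jane' to check that read access which a
 * parent role gains over records owned in a child role is withdrawn once the
 * parent/child link between the two roles is removed.
 *
 * Setup: role 'Parent' with child role 'Child'; jim belongs to 'Child', jane to 'Parent'.
 * Each user creates one contact. While the roles are linked jane is expected to see both
 * contacts and jim only his own; after the link is removed each user is expected to see
 * only their own contact. Denied detail/edit requests are expected to surface as
 * ExitException.
 */
public function testArePermissionsFlushedOnRemovingParentFromChildRole()
 {
     Contact::deleteAll();
     // Remove leftovers from earlier runs; a missing role or user simply means there is nothing to clean up.
     try {
         $role = Role::getByName('Parent');
         $role->delete();
     } catch (NotFoundException $e) {
         // nothing to delete
     }
     try {
         $user = User::getByUsername('jim');
         $user->delete();
     } catch (NotFoundException $e) {
         // nothing to delete
     }
     try {
         $user = User::getByUsername('jane');
         $user->delete();
     } catch (NotFoundException $e) {
         // nothing to delete
     }
     // we could have used helpers to do a lot of the following stuff (such as creating users, roles,
     // etc) but we wanted to mimic user's interaction as closely as possible. Hence using walkthroughs
     // for everything
     // create Parent and Child Roles, Create Jim to be member of Child role
     // create parent role
     $this->resetGetArray();
     $this->setPostArray(array('Role' => array('name' => 'Parent')));
     $this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/role/create');
     $parentRole = Role::getByName('Parent');
     $this->assertNotNull($parentRole);
     $this->assertEquals('Parent', strval($parentRole));
     $parentRoleId = $parentRole->id;
     // create child role
     $this->resetGetArray();
     $this->setPostArray(array('Role' => array('name' => 'Child', 'role' => array('id' => $parentRoleId))));
     $this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/role/create');
     $childRole = Role::getByName('Child');
     $this->assertNotNull($childRole);
     $this->assertEquals('Child', strval($childRole));
     // reload both roles so the parent/child relation is read fresh before it is asserted
     $parentRole->forgetAll();
     $parentRole = Role::getById($parentRoleId);
     $childRoleId = $childRole->id;
     $childRole->forgetAll();
     $childRole = Role::getById($childRoleId);
     $this->assertEquals($childRole->id, $parentRole->roles[0]->id);
     // create jim's user
     $this->resetGetArray();
     $this->setPostArray(array('UserPasswordForm' => array('firstName' => 'Some', 'lastName' => 'Body', 'username' => 'jim', 'newPassword' => 'myPassword123', 'newPassword_repeat' => 'myPassword123', 'officePhone' => '456765421', 'userStatus' => 'Active', 'role' => array('id' => $childRoleId))));
     $this->runControllerWithRedirectExceptionAndGetContent('/users/default/create');
     $jim = User::getByUsername('jim');
     $this->assertNotNull($jim);
     $childRole->forgetAll();
     $childRole = Role::getById($childRoleId);
     $this->assertEquals($childRole->id, $jim->role->id);
     // give jim rights to contact's module
     $jim->setRight('ContactsModule', ContactsModule::getAccessRight());
     $jim->setRight('ContactsModule', ContactsModule::getCreateRight());
     $this->assertTrue($jim->save());
     $jim->forgetAll();
     $jim = User::getByUsername('jim');
     // create jane's user
     $this->resetGetArray();
     $this->setPostArray(array('UserPasswordForm' => array('firstName' => 'Some', 'lastName' => 'Body', 'username' => 'jane', 'newPassword' => 'myPassword123', 'newPassword_repeat' => 'myPassword123', 'officePhone' => '456765421', 'userStatus' => 'Active', 'role' => array('id' => $parentRoleId))));
     $this->runControllerWithRedirectExceptionAndGetContent('/users/default/create');
     $jane = User::getByUsername('jane');
     $this->assertNotNull($jane);
     $parentRole->forgetAll();
     $parentRole = Role::getById($parentRoleId);
     $this->assertEquals($parentRole->id, $jane->role->id);
     // give jane rights to contact's module, we need to do this because once the link between parent and child
     // role is broken jane won't be able to access the listview of contacts
     $jane->setRight('ContactsModule', ContactsModule::getAccessRight());
     $this->assertTrue($jane->save());
     $jane->forgetAll();
     $jane = User::getByUsername('jane');
     // create a contact from jim's account
     // create ContactStates
     ContactsModule::loadStartingData();
     // ensure contact states have been created
     $this->assertEquals(6, count(ContactState::GetAll()));
     $this->logoutCurrentUserLoginNewUserAndGetByUsername('jim');
     // create the contact as jim; its details view is expected to contain 'Who can read and write Owner'
     $startingState = ContactsUtil::getStartingState();
     $this->resetGetArray();
     $this->setPostArray(array('Contact' => array('firstName' => 'Jim', 'lastName' => 'Doe', 'officePhone' => '456765421', 'state' => array('id' => $startingState->id))));
     $url = $this->runControllerWithRedirectExceptionAndGetUrl('/contacts/default/create');
     // the new record's id is taken from the 'id=' part of the redirect url
     $jimDoeContactId = intval(substr($url, strpos($url, 'id=') + 3));
     $jimDoeContact = Contact::getById($jimDoeContactId);
     $this->assertNotNull($jimDoeContact);
     $this->resetPostArray();
     $this->setGetArray(array('id' => $jimDoeContactId));
     $content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
     $this->assertContains('Who can read and write Owner', $content);
     // create a contact using jane which she would see at all times
     $this->logoutCurrentUserLoginNewUserAndGetByUsername('jane');
     $this->resetGetArray();
     $this->setPostArray(array('Contact' => array('firstName' => 'Jane', 'lastName' => 'Doe', 'officePhone' => '456765421', 'state' => array('id' => $startingState->id))));
     $url = $this->runControllerWithRedirectExceptionAndGetUrl('/contacts/default/create');
     $janeDoeContactId = intval(substr($url, strpos($url, 'id=') + 3));
     // load jane's own contact: the original looked up $jimDoeContactId here, so the
     // assertion below never checked the record that had just been created
     $janeDoeContact = Contact::getById($janeDoeContactId);
     $this->assertNotNull($janeDoeContact);
     $this->resetPostArray();
     $this->setGetArray(array('id' => $janeDoeContactId));
     $content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
     $this->assertContains('Who can read and write Owner', $content);
     // ensure jim can see his own contact everywhere, and only his own
     // jim should have access to see contact on list view
     $this->logoutCurrentUserLoginNewUserAndGetByUsername('jim');
     $this->resetGetArray();
     // get the page, ensure the name of contact does show up there.
     $content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
     $this->assertContains('Jim Doe</a></td><td>', $content);
     $this->assertNotContains('Jane Doe</a></td><td>', $content);
     // jim should have access to jimDoeContact's detail view
     $this->setGetArray(array('id' => $jimDoeContactId));
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
     // jim should have access to jimDoeContact's edit view
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
     // jim should not have access to janeDoeContact's detail view
     $this->setGetArray(array('id' => $janeDoeContactId));
     try {
         $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
         $this->fail('Accessing details action should have thrown ExitException');
     } catch (ExitException $e) {
         // just cleanup buffer
         $this->endAndGetOutputBuffer();
     }
     // jim should not have access to janeDoeContact's edit view
     try {
         $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
         $this->fail('Accessing edit action should have thrown ExitException');
     } catch (ExitException $e) {
         // just cleanup buffer
         $this->endAndGetOutputBuffer();
     }
     // ensure jane can see both contacts everywhere while the roles are linked
     // jane should have access to see both contacts on list view
     $this->logoutCurrentUserLoginNewUserAndGetByUsername('jane');
     $this->resetGetArray();
     // get the page, ensure the names of both contacts show up there.
     $content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
     $this->assertContains('Jim Doe</a></td><td>', $content);
     $this->assertContains('Jane Doe</a></td><td>', $content);
     // jane should have access to jimDoeContact's detail view
     $this->setGetArray(array('id' => $jimDoeContactId));
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
     // jane should have access to jimDoeContact's edit view
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
     // jane should have access to janeDoeContact's detail view
     $this->setGetArray(array('id' => $janeDoeContactId));
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
     // jane should have access to janeDoeContact's edit view
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
     // unlink Parent role from child
     $this->logoutCurrentUserLoginNewUserAndGetByUsername('super');
     $this->setGetArray(array('id' => $childRoleId));
     $this->setPostArray(array('Role' => array('name' => 'Child', 'role' => array('id' => ''))));
     $this->runControllerWithRedirectExceptionAndGetUrl('/zurmo/role/edit');
     $childRole = Role::getByName('Child');
     $this->assertNotNull($childRole);
     $this->assertEquals('Child', strval($childRole));
     $parentRole->forgetAll();
     $parentRole = Role::getById($parentRoleId);
     $this->assertNotNull($parentRole);
     $this->assertCount(0, $parentRole->roles);
     // ensure jim's access is unchanged by the unlink
     // jim should have access to see contact on list view
     $this->logoutCurrentUserLoginNewUserAndGetByUsername('jim');
     $this->resetGetArray();
     // get the page, ensure the name of contact does show up there.
     $content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
     $this->assertContains('Jim Doe</a></td><td>', $content);
     $this->assertNotContains('Jane Doe</a></td><td>', $content);
     // jim should have access to jimDoeContact's detail view
     $this->setGetArray(array('id' => $jimDoeContactId));
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
     // jim should have access to jimDoeContact's edit view
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
     // jim should not have access to janeDoeContact's detail view
     $this->setGetArray(array('id' => $janeDoeContactId));
     try {
         $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
         $this->fail('Accessing details action should have thrown ExitException');
     } catch (ExitException $e) {
         // just cleanup buffer
         $this->endAndGetOutputBuffer();
     }
     // jim should not have access to janeDoeContact's edit view
     try {
         $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
         $this->fail('Accessing edit action should have thrown ExitException');
     } catch (ExitException $e) {
         // just cleanup buffer
         $this->endAndGetOutputBuffer();
     }
     // ensure jane can no longer see jim's contact anywhere
     // jane still reaches the list view, but only her own contact should be listed
     $this->logoutCurrentUserLoginNewUserAndGetByUsername('jane');
     $this->resetGetArray();
     // get the page, ensure the name of jim's contact does not show up there.
     $content = $this->runControllerWithNoExceptionsAndGetContent('/contacts/default');
     $this->assertNotContains('Jim Doe</a></td><td>', $content);
     $this->assertContains('Jane Doe</a></td><td>', $content);
     // jane should have access to janeDoeContact's detail view
     $this->setGetArray(array('id' => $janeDoeContactId));
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
     // jane should have access to janeDoeContact's edit view
     $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
     // jane should not have access to jimDoeContact's detail view
     $this->setGetArray(array('id' => $jimDoeContactId));
     try {
         $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/details');
         $this->fail('Accessing details action should have thrown ExitException');
     } catch (ExitException $e) {
         // just cleanup buffer
         $this->endAndGetOutputBuffer();
     }
     // jane should not have access to jimDoeContact's edit view
     try {
         $this->runControllerWithNoExceptionsAndGetContent('/contacts/default/edit');
         $this->fail('Accessing edit action should have thrown ExitException');
     } catch (ExitException $e) {
         // just cleanup buffer
         $this->endAndGetOutputBuffer();
     }
 }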
示例#2
 /**
  * Checks how the UsersModule web-API login right resolves for one user in each of three
  * roles ('Sales Manager', 'Sales Person', 'Junior Sales Person') as explicit rights are
  * set and removed.
  *
  * The assertions below expect that a grant on a user in a lower role also shows up as
  * ALLOW for the users in the roles above it, never for the users in the roles below it,
  * and that an explicit entry on a user (ALLOW or DENY) decides that user's own result.
  */
 public function testRightsPropagationViaRoles()
 {
     $parentRole = Role::getByName('Sales Manager');
     $childRole = Role::getByName('Sales Person');
     $childChildRole = Role::getByName('Junior Sales Person');
     $userInParentRole = $parentRole->users[0];
     $userInChildRole = $childRole->users[0];
     $userInChildChildRole = $childChildRole->users[0];
     // baseline: none of the three users holds the right
     $this->assertEquals(Right::DENY, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // grant on the child-role user: expected ALLOW for child and parent, grandchild stays DENY
     $userInChildRole->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $this->assertTrue($userInChildRole->save());
     $this->assertEquals(Right::ALLOW, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::ALLOW, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // explicit DENY on the parent-role user: expected to change only that user's result
     $userInParentRole->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API, Right::DENY);
     $this->assertTrue($userInParentRole->save());
     $this->assertEquals(Right::ALLOW, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // remove the parent's explicit entry: parent is expected back at ALLOW while the child still holds the grant
     $userInParentRole->removeRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $this->assertTrue($userInParentRole->save());
     $this->assertEquals(Right::ALLOW, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::ALLOW, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // explicit DENY on the child-role user: all three are expected to resolve to DENY
     $userInChildRole->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API, Right::DENY);
     $this->assertTrue($userInChildRole->save());
     $this->assertEquals(Right::DENY, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // grant on the parent-role user: expected ALLOW for the parent only, the child's DENY stands
     $userInParentRole->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $this->assertTrue($userInParentRole->save());
     $this->assertEquals(Right::DENY, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::ALLOW, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // remove the parent's grant again: everyone is expected back at DENY
     $userInParentRole->removeRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $this->assertTrue($userInParentRole->save());
     $this->assertEquals(Right::DENY, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // set the right on the child-role user without an explicit DENY: child and parent expected at ALLOW
     $userInChildRole->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $this->assertTrue($userInChildRole->save());
     $this->assertEquals(Right::ALLOW, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::ALLOW, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // remove the child's entry: everyone is expected back at DENY
     $userInChildRole->removeRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $this->assertTrue($userInChildRole->save());
     $this->assertEquals(Right::DENY, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     // grant on the grandchild-role user: expected ALLOW for all three users
     $userInChildChildRole->setRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API);
     $this->assertTrue($userInChildChildRole->save());
     $this->assertEquals(Right::ALLOW, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::ALLOW, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::ALLOW, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     Right::deleteAll();
     // Clear the rights cache: per the original author, Right::deleteAll() above goes directly to the database.
     RightsCache::forgetAll();
     // keep only the ids, drop every cached model and reload the users, so the final
     // checks do not run against the instances used above
     $userInParentRoleId = $userInParentRole->id;
     $userInChildRoleId = $userInChildRole->id;
     $userInChildChildRoleId = $userInChildChildRole->id;
     RedBeanModel::forgetAll();
     unset($userInParentRole);
     unset($userInChildRole);
     unset($userInChildChildRole);
     $userInParentRole = User::getById($userInParentRoleId);
     $userInChildRole = User::getById($userInChildRoleId);
     $userInChildChildRole = User::getById($userInChildChildRoleId);
     // with every right deleted, all three users are expected to resolve to DENY
     $this->assertEquals(Right::DENY, $userInParentRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
     $this->assertEquals(Right::DENY, $userInChildChildRole->getEffectiveRight('UsersModule', UsersModule::RIGHT_LOGIN_VIA_WEB_API));
 }
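 /**
  * Builds the role hierarchy listed in self::$parentToChildRoleNames (parent name => child
  * name, or null for no child) and then adds each user from self::$usernamesToUserInfo to
  * the role named in index 2 of its info array, when that entry is not null.
  *
  * A parent role that already exists is reused; a child role is always created new.
  *
  * The save checks are written as assert($expr) rather than assert('$expr'): a string
  * argument is evaluated as PHP code by older PHP versions and, from PHP 8.0 on, is no
  * longer evaluated at all, so a non-empty string always passes and a failed save would
  * go unnoticed.
  */
 public static function createRoles()
 {
     foreach (self::$parentToChildRoleNames as $parentRoleName => $childRoleName) {
         if ($childRoleName !== null) {
             $childRole = new Role();
             $childRole->name = $childRoleName;
             $childRole->validate();
             $saved = $childRole->save();
             assert($saved);
         }
         try {
             $parentRole = Role::getByName($parentRoleName);
         } catch (NotFoundException $e) {
             // first time this parent name is seen: create it
             $parentRole = new Role();
         }
         $parentRole->name = $parentRoleName;
         if ($childRoleName !== null) {
             $parentRole->roles->add($childRole);
         }
         $saved = $parentRole->save();
         assert($saved);
         $parentRole->forget();
         if ($childRoleName !== null) {
             $childRole->forget();
         }
     }
     foreach (self::$usernamesToUserInfo as $username => $userInfo) {
         $roleName = $userInfo[2];
         if ($roleName !== null) {
             assert(is_string($roleName));
             $role = Role::getByName($roleName);
             $user = User::getByUsername($username);
             $role->users->add($user);
             $saved = $role->save();
             assert($saved);
             // forget the user so that if you retrieve the $user, $user->role will be known.
             $user->forget();
         }
     }
 }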
示例#4
 /**
  * Attaches the role named $roleName to a parent role, or detaches it from that parent.
  *
  * @param string      $roleName   name of the existing role to attach or detach
  * @param string|null $parentName name of the parent role; defaults to $roleName . 'Parent'.
  *                                A parent that does not exist yet is created through
  *                                $this->createRole()
  * @param bool        $add        true to attach, false to detach
  * @throws NotFoundException when detaching a role that is not a child of the parent
  */
 protected function addOrRemoveRoleFromParent($roleName, $parentName = null, $add = true)
 {
     $parentName = isset($parentName) ? $parentName : $roleName . 'Parent';
     $child = Role::getByName($roleName);
     try {
         $parent = Role::getByName($parentName);
     } catch (NotFoundException $e) {
         $parent = $this->createRole($parentName);
     }
     // detaching a role that is not linked is reported as an error, not ignored
     if (!$add && !$parent->roles->contains($child)) {
         throw new NotFoundException('Child role not found in parent');
     }
     if ($add) {
         $parent->roles->add($child);
     } else {
         $parent->roles->remove($child);
     }
     $this->assertTrue($parent->save());
 }
 /**
  * Builds the role chain R3 > R2 > R1 with one user per role (u3, u2, u1), lets each user
  * create one account, and checks the rows returned by self::getAccountMungeRows() before
  * and after the parent links of R1 and R2 are removed.
  *
  * Expected rows: with the chain intact A1 is listed for R2 and R3 and A2 for R3; after
  * R1 loses its parent only A2/R3 remains; after R2 loses its parent no rows remain.
  * The end of the test restores the links for the sake of tearDown.
  */
 public function testUsersAddedToRoleRolesParentAndGrandParent_Slide23()
 {
     // u99 is made the current user for the setup steps
     $u99 = User::getByUsername('u99.');
     Yii::app()->user->userModel = $u99;
     $u1 = User::getByUsername('u1.');
     $u2 = User::getByUsername('u2.');
     $u3 = User::getByUsername('u3.');
     // set role to null
     $u1->role = null;
     $this->assertTrue($u1->save());
     $u1->forget();
     $u2->role = null;
     $this->assertTrue($u2->save());
     $u2->forget();
     $u3->role = null;
     $this->assertTrue($u3->save());
     $u3->forget();
     // get roles
     $r1 = Role::getByName('R1.');
     $r2 = Role::getByName('R2.');
     $r3 = Role::getByName('R3.');
     // set roles-parent-grandparent relationship
     // r2 is parent of r1
     $r1->role = $r2;
     $this->assertTrue($r1->save());
     $r1->forget();
     // r3 is parent of r2
     $r2->role = $r3;
     $this->assertTrue($r2->save());
     $r2->forget();
     $r3->forget();
     // set user-role mappings
     $u1 = User::getByUsername('u1.');
     $u2 = User::getByUsername('u2.');
     $u3 = User::getByUsername('u3.');
     $r1 = Role::getByName('R1.');
     $r2 = Role::getByName('R2.');
     $r3 = Role::getByName('R3.');
     $u1->role = $r1;
     $this->assertTrue($u1->save());
     //Called in $u1->afterSave();
     //ReadPermissionsOptimizationUtil::userAddedToRole($u1);
     $u1->forget();
     $r1->forget();
     $u2->role = $r2;
     $this->assertTrue($u2->save());
     //Called in $u2->afterSave();
     //ReadPermissionsOptimizationUtil::userAddedToRole($u2);
     $u2->forget();
     $r2->forget();
     $u3->role = $r3;
     $this->assertTrue($u3->save());
     //Called in $u3->afterSave();
     //ReadPermissionsOptimizationUtil::userAddedToRole($u3);
     $u3->forget();
     $r3->forget();
     /*
      * Hierarchy:
      *              R3 ---------------------------- U3
      *               #
      *               #
      *              R2 ---------------------------- U2
      *               #
      *               #
      *              R1 ---------------------------- U1
      */
     $u1 = User::getByUsername('u1.');
     $u2 = User::getByUsername('u2.');
     $u3 = User::getByUsername('u3.');
     // create an account using U1
     Yii::app()->user->userModel = $u1;
     $a1 = new Account();
     $a1->name = 'A1.';
     $this->assertTrue($a1->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a1);
     // create an account using U2
     Yii::app()->user->userModel = $u2;
     $a2 = new Account();
     $a2->name = 'A2.';
     $this->assertTrue($a2->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a2);
     // create an account using U3
     Yii::app()->user->userModel = $u3;
     $a3 = new Account();
     $a3->name = 'A3.';
     $this->assertTrue($a3->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a3);
     // switch back to u99 before inspecting the munge rows
     Yii::app()->user->userModel = $u99;
     // A1 is expected for R2 and R3, A2 for R3; no rows are expected for A3
     $this->assertEquals(array(array('A1', 'R2', '1'), array('A1', 'R3', '1'), array('A2', 'R3', '1')), self::getAccountMungeRows());
     $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());
     // break the link between R1 and R2
     // NOTE(review): $r1 here (and $r2 below) are the instances that were passed to forget()
     // above - confirm saving them is intended rather than re-fetching the roles first
     $r1->role = null;
     $this->assertTrue($r1->save());
     // Called in $r1->beforeSave();
     //ReadPermissionsSubscriptionUtil::roleParentBeingRemoved();
     // A1's munge ids for R2 and R3 will be gone
     $this->assertEquals(array(array('A2', 'R3', '1')), self::getAccountMungeRows());
     $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());
     // break the link between R2 and R3
     $r2->role = null;
     $this->assertTrue($r2->save());
     // Called in $r2->beforeSave();
     //ReadPermissionsSubscriptionUtil::roleParentBeingRemoved();
     // A2's munge id R3 will be gone
     $this->assertEmpty(self::getAccountMungeRows());
     $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());
     // restore the role links and move u2 to R4 for the sake of tearDown
     $r1 = Role::getByName('R1.');
     $r2 = Role::getByName('R2.');
     $r1->role = $r2;
     $this->assertTrue($r1->save());
     $r2->role = $r3;
     $this->assertTrue($r2->save());
     $u2 = User::getByUsername('u2.');
     $u2->role = Role::getByName('R4.');
     $this->assertTrue($u2->save());
 }
 /**
  * Nests groups G1 > G2 > G3 with u1 as a member of G3, gives each group READ on one
  * account (A1/G1, A2/G2, A3/G3), then puts u1 into role R1 and checks the rows returned
  * by self::getAccountMungeRows().
  *
  * Expected rows: while u1 is in R1 every account is listed for its group, the groups
  * nested below it, and for roles R2 and R3; once u1's role is set back to null only the
  * group rows remain. The end of the test removes the accounts and group links again and
  * puts u1 back into R1.
  *
  * @depends testUserAddedToRoleWhereUserIsMemberOfGroupWithChildrenGroups_Slide19
  */
 public function testUserAddedToRoleWhereUserIsMemberOfGroupWithChildrenGroups_Slide20()
 {
     $u1 = User::getByUsername('u1.');
     $u99 = User::getByUsername('u99.');
     // u99 is the current user for the whole test
     Yii::app()->user->userModel = $u99;
     $u1->role = null;
     $this->assertTrue($u1->save());
     $g1 = Group::getByName('G1.');
     $g2 = Group::getByName('G2.');
     $g3 = Group::getByName('G3.');
     // nest the groups: G2 under G1, G3 under G2, and make u1 a member of G3
     $g1->groups->add($g2);
     $this->assertTrue($g1->save());
     $g2->groups->add($g3);
     $this->assertTrue($g2->save());
     $g3->users->add($u1);
     $this->assertTrue($g3->save());
     $u1->forget();
     //Forget the user, so the user knows what groups it is part of.
     $u1 = User::getByUsername('u1.');
     $r1 = Role::getByName('R1.');
     $r2 = Role::getByName('R2.');
     $r3 = Role::getByName('R3.');
     // one account per group, each granting READ to exactly one group
     $a1 = new Account();
     $a1->name = 'A1.';
     $a1->addPermissions($g1, Permission::READ);
     $this->assertTrue($a1->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a1);
     $a2 = new Account();
     $a2->name = 'A2.';
     $a2->addPermissions($g2, Permission::READ);
     $this->assertTrue($a2->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a2);
     $a3 = new Account();
     $a3->name = 'A3.';
     $a3->addPermissions($g3, Permission::READ);
     $this->assertTrue($a3->save());
     //Called in OwnedSecurableItem::afterSave();
     //ReadPermissionsOptimizationUtil::ownedSecurableItemCreated($a3);
     // unlike the calls commented out above, the group-permission updates are invoked explicitly here
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($a1, $g1);
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($a2, $g2);
     ReadPermissionsOptimizationUtil::securableItemGivenPermissionsForGroup($a3, $g3);
     $u1->role = $r1;
     $this->assertTrue($u1->save());
     //Called in $u1->afterSave();
     //ReadPermissionsOptimizationUtil::userAddedToRole($u1);
     $r1->forget();
     //Forget R1 so when it is utilized below, it will know that u1 is a member.
     // with u1 in R1: group rows for every account plus R2 and R3 rows for every account
     $this->assertEquals(array(array('A1', 'G1', 1), array('A1', 'G2', 1), array('A1', 'G3', 1), array('A1', 'R2', 1), array('A1', 'R3', 1), array('A2', 'G2', 1), array('A2', 'G3', 1), array('A2', 'R2', 1), array('A2', 'R3', 1), array('A3', 'G3', 1), array('A3', 'R2', 1), array('A3', 'R3', 1)), self::getAccountMungeRows());
     $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());
     $u1->forget();
     //Forget the user, so the user knows what groups it is part of.
     $u1 = User::getByUsername('u1.');
     $u1->role = null;
     $this->assertTrue($u1->save());
     RedBeanModelsCache::forgetAll();
     RedBeansCache::forgetAll();
     // with u1 out of R1 the R2/R3 rows are expected to be gone; the group rows remain
     $this->assertEquals(array(array('A1', 'G1', 1), array('A1', 'G2', 1), array('A1', 'G3', 1), array('A2', 'G2', 1), array('A2', 'G3', 1), array('A3', 'G3', 1)), self::getAccountMungeRows());
     $this->assertTrue(self::accountMungeDoesntChangeWhenRebuilt());
     // cleanup: delete the accounts, clear each group's group reference, empty G3, put u1 back into R1
     $a1->delete();
     $a2->delete();
     $a3->delete();
     $g1->group = null;
     $this->assertTrue($g1->save());
     $g2->group = null;
     $this->assertTrue($g2->save());
     $g3->forget();
     $g3 = Group::getByName('G3.');
     $g3->group = null;
     $g3->users->removeAll();
     $this->assertTrue($g3->save());
     $r1 = Role::getByName('R1.');
     $u1->role = $r1;
     $this->assertTrue($u1->save());
 }
示例#7
 /**
  * Empties the 'Sales Person' role of users and checks that a READ permission given to a
  * user in 'Junior Sales Person' is still reported as the effective permission of a user
  * in 'Sales Manager', i.e. the role in between having no users does not stop it.
  */
 public function testPermissionsPropagationViaRolesWhenChildRoleHaveNoUsers()
 {
     $middleRole = Role::getByName('Sales Person');
     // NOTE(review): users are removed from the collection that is being iterated -
     // confirm the collection tolerates removal during foreach
     foreach ($middleRole->users as $member) {
         $middleRole->users->remove($member);
         $roleSaved = $middleRole->save();
         $this->assertTrue($roleSaved);
     }
     $topRole = Role::getByName('Sales Manager');
     $bottomRole = Role::getByName('Junior Sales Person');
     $manager = $topRole->users[0];
     $junior = $bottomRole->users[0];
     $remainingUsers = count($middleRole->users);
     $this->assertEquals(0, $remainingUsers);
     // start from a clean slate: no stored permissions at all
     Permission::removeAll();
     $allAccounts = Account::getAll();
     $firstAccount = $allAccounts[0];
     $this->assertEquals(Permission::ALL, $firstAccount->getEffectivePermissions($firstAccount->owner));
     $this->assertEquals(Permission::NONE, $firstAccount->getEffectivePermissions($manager));
     $this->assertEquals(Permission::NONE, $firstAccount->getEffectivePermissions($junior));
     // grant READ to the user in the lowest role only
     $firstAccount->addPermissions($junior, Permission::READ);
     $accountSaved = $firstAccount->save();
     $this->assertTrue($accountSaved);
     $this->assertEquals(Permission::READ, $firstAccount->getEffectivePermissions($manager));
     $this->assertEquals(Permission::READ, $firstAccount->getEffectivePermissions($junior));
 }
 /**
  * Test when user change role, from one to another to null
  * @depends testRoleChangeOrDeleteScenario2
  */
 public function testRoleChangeOrDeleteScenario4()
 {
     // Walks $user1 (owner of a fresh account) through the role sequence
     // null -> Role1 -> Role4 -> null and, after each change, checks the rows of
     // account_read_subscription. The assertions pin both sides of the access change:
     // a user who gains read access gets a TYPE_ADD row, and a user who loses it is
     // flipped to TYPE_DELETE (the row is kept, not removed), so revocation is recorded.
     // NOTE(review): the role hierarchy and role membership of $user2 / $user3 are set up
     // outside this method; which role grants which user access is inferred from the
     // assertions below - confirm against the fixture setup.
     $super = User::getByUsername('super');
     Yii::app()->user->userModel = $super;
     $job = new ReadPermissionSubscriptionUpdateForAccountJob();
     // Instantiated but not used anywhere else in this method.
     $jobBasedOnBuildTable = new ReadPermissionSubscriptionUpdateForAccountFromBuildTableJob();
     // Start from a clean state: empty job queue and no Account subscription records.
     Yii::app()->jobQueue->deleteAll();
     $this->deleteAllModelsAndRecordsFromReadPermissionTable('Account');
     Yii::app()->jobQueue->deleteAll();
     // NOTE(review): presumably ensures later timestamps differ from the cleanup above - confirm.
     sleep(1);
     $user1 = self::$johnny;
     $user2 = self::$billy;
     $user3 = self::$david;
     $account = AccountTestHelper::createAccountByNameForOwner('Forth Account For Roles', $user1);
     // Discard any job queued by the account creation so only role changes are measured.
     Yii::app()->jobQueue->deleteAll();
     // Load the roles; only $role1 and $role4 are assigned below, $role2 and $role3 are
     // fetched but not used in this method.
     $role1 = Role::getByName('Role1');
     $role2 = Role::getByName('Role2');
     $role3 = Role::getByName('Role3');
     $role4 = Role::getByName('Role4');
     // Step 1: clear the role of $user1, just to trigger a role change
     Yii::app()->jobQueue->deleteAll();
     $user1->role = null;
     $this->assertTrue($user1->save());
     RedBeanModel::forgetAll();
     ReadPermissionsOptimizationUtil::rebuild();
     // Exactly one subscription-update job must have been queued by the role change.
     // NOTE(review): key 5 is presumably the delay/priority bucket the queue groups jobs
     // under - confirm against the jobQueue implementation.
     $queuedJobs = Yii::app()->jobQueue->getAll();
     $this->assertEquals(1, count($queuedJobs[5]));
     $this->assertEquals('ReadPermissionSubscriptionUpdateForAccount', $queuedJobs[5][0]['jobType']);
     Yii::app()->jobQueue->deleteAll();
     $this->assertTrue($job->run());
     // Rows are ordered by userid, so the fixed indexes below rely on
     // $super->id < $user1->id < $user2->id < $user3->id.
     $sql = "SELECT * FROM account_read_subscription order by userid";
     $rows = ZurmoRedBean::getAll($sql);
     // With no role on the owner, only super and the owner are subscribed.
     $this->assertEquals(2, count($rows));
     $this->assertEquals($super->id, $rows[0]['userid']);
     $this->assertEquals($account->id, $rows[0]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[0]['subscriptiontype']);
     $this->assertEquals($user1->id, $rows[1]['userid']);
     $this->assertEquals($account->id, $rows[1]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[1]['subscriptiontype']);
     // Step 2: now set $role1 for $user1
     Yii::app()->jobQueue->deleteAll();
     $user1->role = $role1;
     $this->assertTrue($user1->save());
     RedBeanModel::forgetAll();
     ReadPermissionsOptimizationUtil::rebuild();
     $queuedJobs = Yii::app()->jobQueue->getAll();
     $this->assertEquals(1, count($queuedJobs[5]));
     $this->assertEquals('ReadPermissionSubscriptionUpdateForAccount', $queuedJobs[5][0]['jobType']);
     Yii::app()->jobQueue->deleteAll();
     $this->assertTrue($job->run());
     $sql = "SELECT * FROM account_read_subscription order by userid";
     $rows = ZurmoRedBean::getAll($sql);
     // $user2 gains read access to the account and appears as a third TYPE_ADD row.
     $this->assertEquals(3, count($rows));
     $this->assertEquals($super->id, $rows[0]['userid']);
     $this->assertEquals($account->id, $rows[0]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[0]['subscriptiontype']);
     $this->assertEquals($user1->id, $rows[1]['userid']);
     $this->assertEquals($account->id, $rows[1]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[1]['subscriptiontype']);
     $this->assertEquals($user2->id, $rows[2]['userid']);
     $this->assertEquals($account->id, $rows[2]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[2]['subscriptiontype']);
     // Step 3: now set $role4 for $user1
     Yii::app()->jobQueue->deleteAll();
     $user1->role = $role4;
     $this->assertTrue($user1->save());
     RedBeanModel::forgetAll();
     ReadPermissionsOptimizationUtil::rebuild();
     $queuedJobs = Yii::app()->jobQueue->getAll();
     $this->assertEquals(1, count($queuedJobs[5]));
     $this->assertEquals('ReadPermissionSubscriptionUpdateForAccount', $queuedJobs[5][0]['jobType']);
     Yii::app()->jobQueue->deleteAll();
     $this->assertTrue($job->run());
     $sql = "SELECT * FROM account_read_subscription order by userid";
     $rows = ZurmoRedBean::getAll($sql);
     // Access moves from $user2 to $user3: the row of $user2 stays but is marked
     // TYPE_DELETE (revocation), and $user3 is added with TYPE_ADD.
     $this->assertEquals(4, count($rows));
     $this->assertEquals($super->id, $rows[0]['userid']);
     $this->assertEquals($account->id, $rows[0]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[0]['subscriptiontype']);
     $this->assertEquals($user1->id, $rows[1]['userid']);
     $this->assertEquals($account->id, $rows[1]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[1]['subscriptiontype']);
     $this->assertEquals($user2->id, $rows[2]['userid']);
     $this->assertEquals($account->id, $rows[2]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_DELETE, $rows[2]['subscriptiontype']);
     $this->assertEquals($user3->id, $rows[3]['userid']);
     $this->assertEquals($account->id, $rows[3]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[3]['subscriptiontype']);
     // Step 4: now clear the role of $user1 again (set it back to null)
     Yii::app()->jobQueue->deleteAll();
     $user1->role = null;
     $this->assertTrue($user1->save());
     RedBeanModel::forgetAll();
     ReadPermissionsOptimizationUtil::rebuild();
     $queuedJobs = Yii::app()->jobQueue->getAll();
     $this->assertEquals(1, count($queuedJobs[5]));
     $this->assertEquals('ReadPermissionSubscriptionUpdateForAccount', $queuedJobs[5][0]['jobType']);
     Yii::app()->jobQueue->deleteAll();
     $this->assertTrue($job->run());
     $sql = "SELECT * FROM account_read_subscription order by userid";
     $rows = ZurmoRedBean::getAll($sql);
     // With the role removed, both users who had access through a role of the owner are
     // revoked: $user2 and $user3 are TYPE_DELETE, only super and the owner remain TYPE_ADD.
     $this->assertEquals(4, count($rows));
     $this->assertEquals($super->id, $rows[0]['userid']);
     $this->assertEquals($account->id, $rows[0]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[0]['subscriptiontype']);
     $this->assertEquals($user1->id, $rows[1]['userid']);
     $this->assertEquals($account->id, $rows[1]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_ADD, $rows[1]['subscriptiontype']);
     $this->assertEquals($user2->id, $rows[2]['userid']);
     $this->assertEquals($account->id, $rows[2]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_DELETE, $rows[2]['subscriptiontype']);
     $this->assertEquals($user3->id, $rows[3]['userid']);
     $this->assertEquals($account->id, $rows[3]['modelid']);
     $this->assertEquals(ReadPermissionsSubscriptionUtil::TYPE_DELETE, $rows[3]['subscriptiontype']);
 }