/**
* Give an authorization from a role to a resource.
*
* This method should only be called in roles.
*
* @param Role $role
* @param Actions $actions
* @param ResourceInterface $resource
* @param bool $cascade Should the authorization cascade to sub-resources?
*/
public function allow(Role $role, Actions $actions, ResourceInterface $resource, $cascade = true)
{
$authorization = Authorization::create($role, $actions, $resource, $cascade);
if ($cascade) {
$cascadedAuthorizations = $this->cascadeStrategy->cascadeAuthorization($authorization, $resource);
$authorizations = array_merge([$authorization], $cascadedAuthorizations);
} else {
$authorizations = [$authorization];
}
/** @var AuthorizationRepository $repository */
$repository = $this->entityManager->getRepository('MyCLabs\\ACL\\Model\\Authorization');
$repository->insertBulk($authorizations);
}
public function testCreateChildAuthorization()
{
$user = $this->getMockForAbstractClass('MyCLabs\\ACL\\Model\\SecurityIdentityInterface');
$role = $this->getMock('MyCLabs\\ACL\\Model\\Role', [], [], '', false);
$role->expects($this->any())->method('getSecurityIdentity')->will($this->returnValue($user));
$resource = new ClassResource(get_class());
$subResource = new ClassResource(get_class());
$authorization = Authorization::create($role, Actions::all(), $resource);
$childAuthorization = $authorization->createChildAuthorization($subResource);
$this->assertInstanceOf('MyCLabs\\ACL\\Model\\Authorization', $childAuthorization);
$this->assertSame($authorization->getRole(), $childAuthorization->getRole());
$this->assertSame($authorization->getSecurityIdentity(), $childAuthorization->getSecurityIdentity());
$this->assertEquals($authorization->getActions(), $childAuthorization->getActions());
$this->assertEquals(get_class(), $childAuthorization->getEntityClass());
$this->assertNull($childAuthorization->getEntityId());
$this->assertSame($authorization, $childAuthorization->getParentAuthorization());
$this->assertTrue($childAuthorization->isCascadable());
$this->assertFalse($childAuthorization->isRoot());
}
public function testFindRolesDirectlyLinkedToResource()
{
$user = new User();
$this->em->persist($user);
$resource = new File();
$this->em->persist($resource);
$directRole = new FileOwnerRole($user, $resource);
$this->em->persist($directRole);
$parentRole = new FileOwnerRole($user, $resource);
$this->em->persist($parentRole);
$this->em->flush();
$classResource = new ClassResource('\\Tests\\MyCLabs\\ACL\\Unit\\Repository\\Model\\File');
$parentView = Authorization::create($parentRole, new Actions([Actions::VIEW]), $classResource, true);
$authorizations = [Authorization::create($directRole, new Actions([Actions::EDIT]), $resource, true), Authorization::create($directRole, new Actions([Actions::DELETE]), $resource, true), $parentView, $parentView->createChildAuthorization($resource)];
/** @var AuthorizationRepository $authorizationRepository */
$authorizationRepository = $this->em->getRepository('MyCLabs\\ACL\\Model\\Authorization');
$authorizationRepository->insertBulk($authorizations);
// Check user can VIEW and EDIT the Resource
$this->assertTrue($authorizationRepository->isAllowedOnEntity($user, Actions::VIEW, $resource));
$this->assertTrue($authorizationRepository->isAllowedOnEntity($user, Actions::EDIT, $resource));
$this->assertTrue($authorizationRepository->isAllowedOnEntity($user, Actions::DELETE, $resource));
// Check user can only VIEW the ClassResource
$this->assertTrue($authorizationRepository->isAllowedOnEntityClass($user, Actions::VIEW, $classResource->getClass()));
$this->assertFalse($authorizationRepository->isAllowedOnEntityClass($user, Actions::EDIT, $classResource->getClass()));
$this->assertFalse($authorizationRepository->isAllowedOnEntityClass($user, Actions::DELETE, $classResource->getClass()));
/** @var RoleRepository $roleRepository */
$roleRepository = $this->em->getRepository('MyCLabs\\ACL\\Model\\Role');
// Test for entity resource
$result = $roleRepository->findRolesDirectlyLinkedToResource($resource);
$this->assertCount(1, $result);
$this->assertSame($directRole, $result[0]);
// Test for class resource
$result = $roleRepository->findRolesDirectlyLinkedToResource($classResource);
$this->assertCount(1, $result);
$this->assertSame($parentRole, $result[0]);
}
/**
* @depends testInsertBulk
*/
public function testRemoveForResource()
{
$user = new User();
$this->em->persist($user);
$resource1 = new File();
$this->em->persist($resource1);
$role1 = new FileOwnerRole($user, $resource1);
$this->em->persist($role1);
$this->em->flush();
$resource2 = new File();
$this->em->persist($resource2);
$role2 = new FileOwnerRole($user, $resource2);
$this->em->persist($role2);
$this->em->flush();
$authorizations = [Authorization::create($role1, new Actions([Actions::VIEW]), $resource1), Authorization::create($role2, new Actions([Actions::VIEW]), $resource2)];
/** @var AuthorizationRepository $repository */
$repository = $this->em->getRepository('MyCLabs\\ACL\\Model\\Authorization');
$repository->insertBulk($authorizations);
// We remove the authorizations for the resource 1
$repository->removeAuthorizationsForResource($resource1);
// We check that they were removed
$this->assertFalse($repository->isAllowedOnEntity($user, Actions::VIEW, $resource1));
// and that authorizations for the resource 2 weren't removed
$this->assertTrue($repository->isAllowedOnEntity($user, Actions::VIEW, $resource2));
}