示例#1
 /**
  * Decide whether the current account holds the "<resource>.<permission>" permission.
  *
  * Denies when the authentication service yields no account, so the
  * authorization lookup is only reached with a concrete account.
  *
  * @return bool False when no account is available; otherwise the authorization service's answer.
  */
 public function isValid()
 {
     $currentAccount = $this->authenticationService->getAccountEntity();
     if ($currentAccount) {
         $requested = $this->resource . '.' . $this->permission;
         // Each account is evaluated under its own role, named "account-<id>".
         $roleName = 'account-' . $currentAccount->getId()->toString();
         return $this->authorizationService->isGranted($roleName, $requested);
     }
     // Default deny: nothing to authorize without an account.
     return false;
 }
 /**
  * matchIdentityRoles() accepts the same role list the service was built with.
  */
 public function testCanMatchIdentityRoles()
 {
     $roleNames = array('admin');
     $admin = new Role('admin');
     $admin->addPermission('delete');
     $container = new Rbac();
     $container->addRole($admin);
     $service = new RbacService($container, $roleNames);
     $matched = $service->matchIdentityRoles($roleNames);
     $this->assertTrue($matched);
 }
示例#3
文件: Access.php 项目: zource/zource
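 /**
  * Check whether an account is granted a permission.
  *
  * @param mixed                 $permission Permission to check; passed through to isGranted().
  * @param mixed                 $assert     Optional assertion; passed through to isGranted().
  * @param AccountInterface|null $account    Account to check; when null, the account reported by
  *                                          the authentication service is used.
  * @return bool False when no account is available; otherwise the authorization service's answer.
  */
 public function __invoke($permission, $assert = null, AccountInterface $account = null)
 {
     if ($account === null) {
         $account = $this->authenticationService->getAccountEntity();
     }
     // Fail closed: without an account there is no role to evaluate, and calling
     // getId() on it would abort with a fatal error instead of producing a denial.
     if (!$account) {
         return false;
     }
     // Each account is evaluated under its own role, named "account-<id>".
     return $this->authorizationService->isGranted('account-' . $account->getId()->toString(), $permission, $assert);
 }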
示例#4
 /**
  * Build the Rbac container for the current request.
  *
  * The container stays empty (no roles, hence nothing grantable through it)
  * when the authentication service reports no account.
  *
  * @param ServiceLocatorInterface $serviceLocator
  * @return Rbac
  */
 public function createService(ServiceLocatorInterface $serviceLocator)
 {
     /** @var AuthenticationService $authService */
     $authService = $serviceLocator->get('Zend\\Authentication\\AuthenticationService');
     /** @var AccountInterface $currentAccount */
     $currentAccount = $authService->getAccountEntity();
     $container = new Rbac();
     if (!$currentAccount) {
         return $container;
     }
     $accountRole = $this->createAccountRole($currentAccount);
     $container->addRole($accountRole);
     return $container;
 }
示例#5
 /**
  * Fetch the permissions stored for a role and load them into a new
  * \Zend\Permissions\Rbac\Rbac instance kept in $this->control.
  *
  * Role-based access control: an access-control scheme that allows
  * permissions to be inherited.
  *
  * @param mixed $userRole Used as the role name and as the lookup key for its permissions.
  * @param mixed $module   Passed to Config::getZf2libConfig() to resolve the permission business class.
  */
 public function setupPermissions($userRole, $module)
 {
     // First role: the one tied directly to the user's position.
     $primaryRole = new Role($userRole);
     // Permissions for that primary role. The class to instantiate is named in
     // configuration, so that configuration value has to come from a trusted source.
     $boClass = Config::getZf2libConfig('permissionBusinessClass', $module);
     $permissionSource = new $boClass();
     $granted = $permissionSource->getListByRole($userRole);
     foreach ($granted as $entry) {
         // Permission names take the form "<module>.<controller>.<action>".
         $permissionName = $entry->module->getPkModule() . '.' . $entry->controller->getName() . '.' . $entry->permission->getFkAction();
         $primaryRole->addPermission($permissionName);
     }
     $this->control = new Rbac();
     $this->control->addRole($primaryRole);
 }
示例#6
 /**
  * Tell whether at least one of the identity's roles is granted the permission.
  *
  * @param mixed $permission
  * @return boolean False when there are no identity roles or none of them is granted.
  */
 public function isGranted($permission)
 {
     if (!$this->identityRoles) {
         // Default deny: with no roles there is nothing to grant.
         return false;
     }
     foreach ($this->identityRoles as $roleName) {
         // The first role that is granted settles the answer.
         if ($this->rbac->isGranted($roleName, $permission)) {
             return true;
         }
     }
     return false;
 }
示例#7
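 /**
  * Recursively register roles, attaching each one beneath its parent role.
  *
  * $roles is read as a map from parent name to the child role(s) of that
  * parent; the entry under 0 holds the top-level roles.
  *
  * NOTE(review): nothing here stops a cyclic map (a role that is its own
  * descendant) from recursing without bound — confirm the role source
  * rejects cycles before the map reaches this method.
  *
  * @param Rbac               $rbac       Container the roles are added to.
  * @param array|\ArrayAccess $roles      Parent name => child role or list of child roles.
  * @param int|string         $parentName Parent whose children are processed; 0 (default) means top level.
  * @return void
  */
 protected function recursiveRoles(Rbac $rbac, $roles, $parentName = 0)
 {
     if (!isset($roles[$parentName])) {
         return;
     }
     foreach ((array) $roles[$parentName] as $role) {
         if ($parentName) {
             // Below the top level: hang the role under its already-registered parent.
             $rbac->getRole($parentName)->addChild($role);
         } else {
             $rbac->addRole($role);
         }
         if (!empty($roles[$role])) {
             // Call the method by its declared casing. PHP resolves method names
             // case-insensitively, so the lower-case spelling ran, but it hid this
             // call from text search and static analysis.
             $this->recursiveRoles($rbac, $roles, $role);
         }
     }
 }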
示例#8
 /**
  * Evaluate the access rule stored on the 'PermissionXML' role.
  *
  * Access is denied unless the access query matches at least one node. The
  * text of the first match is treated as a limitation: when empty, access is
  * granted; otherwise it is run as a query against the context document and
  * must match there as well.
  *
  * The limitation text is taken from the permission document and passed to
  * query() as-is, so that document is part of the trust boundary.
  *
  * @param Rbac $rbac
  * @return bool
  */
 public function assert(Rbac $rbac)
 {
     $permissionRole = $rbac->getRole('PermissionXML');
     $matches = $permissionRole->doc->query($this->accessQuery);
     if (!($matches->length > 0)) {
         // No matching access node: deny.
         return false;
     }
     $limitation = trim($matches->item(0)->nodeValue);
     if (!$limitation) {
         // Matching node without a limitation: unconditional grant.
         return true;
     }
     if (!($this->contextDoc instanceof \BaseXMS\Stdlib\DOMDocument)) {
         // A limitation cannot be checked without a context document: deny.
         return false;
     }
     return $this->contextDoc->query($limitation)->length > 0;
 }
示例#9
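 /**
  * A custom RoleInterface implementation added under 'parent' makes its
  * permissions available through that parent.
  *
  * The annotation below was misspelled as "@tesdox", which PHPUnit does not
  * recognise, so the readable test name was never used.
  *
  * @testdox Test adding custom child roles works
  */
 public function testAddCustomChildRole()
 {
     $role = $this->getMockForAbstractClass('Zend\\Permissions\\Rbac\\RoleInterface');
     // NOTE(review): the mock is registered before getName() is stubbed — confirm
     // this order is intentional before moving the expectations above addRole().
     $this->rbac->setCreateMissingRoles(true)->addRole($role, array('parent'));
     $role->expects($this->any())->method('getName')->will($this->returnValue('customchild'));
     // hasPermission('test') must be consulted exactly once for the grant check below.
     $role->expects($this->once())->method('hasPermission')->with('test')->will($this->returnValue(true));
     $this->assertTrue($this->rbac->isGranted('parent', 'test'));
 }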
示例#10
 /**
  * Passing a Role object as the parent links parent and child on both sides.
  */
 public function testAddRoleWithAutomaticParentsUsingRbac()
 {
     $parentRole = new Rbac\Role('foo');
     $childRole = new Rbac\Role('bar');
     $this->rbac->setCreateMissingRoles(true);
     $this->rbac->addRole($childRole, $parentRole);
     // The child must point at the parent ...
     $linkedParent = $childRole->getParent();
     $this->assertEquals($linkedParent, $parentRole);
     // ... and the parent must list exactly one child.
     $childCount = count($parentRole->getChildren());
     $this->assertEquals(1, $childCount);
 }
示例#11
 /**
  * Build an Rbac container holding the roles resolved for the current identity.
  *
  * @param ServiceLocatorInterface $serviceLocator
  * @return Rbac
  */
 public function createService(ServiceLocatorInterface $serviceLocator)
 {
     /* @var $options ModuleOptions */
     $options = $serviceLocator->get('UghAuthorization\\Options\\ModuleOptions');
     /* @var $providers RoleProviderPluginManager */
     $providers = $serviceLocator->get('UghAuthorization\\Permissions\\Rbac\\RoleProviderPluginManager');
     // The role-provider option is read as one "name => options" pair.
     $providerConfig = $options->getRoleProvider();
     $providerName = key($providerConfig);
     $providerOptions = current($providerConfig);
     /* @var $roleSource RoleProvider */
     $roleSource = $providers->get($providerName, $providerOptions);
     /* @var $identitySource IdentityProvider */
     $identitySource = $serviceLocator->get($options->getIdentityProvider());
     // NOTE(review): the identity is dereferenced without a null check — confirm the
     // identity provider always returns an identity, including for anonymous requests.
     $identityRoles = $identitySource->getIdentity()->getRoles();
     $resolvedRoles = $roleSource->getRoles($identityRoles);
     $container = new Rbac();
     foreach ($resolvedRoles as $resolvedRole) {
         $container->addRole($resolvedRole);
     }
     return $container;
 }
示例#12
 /**
  * Load the requested role, and optionally one permission, from the database into RBAC.
  *
  * Roles are read from the configured role table using nested-set columns
  * (lft/rgt). Role and permission names are bound as query parameters, not
  * concatenated into the SQL.
  *
  * @param Rbac $rbac Container that receives the roles and permissions.
  * @param string $role Name of the role whose subtree is loaded.
  * @param string|null $permission Permission to load; skipped when falsy.
  * @return \Doctrine\DBAL\Query\QueryBuilder The builder that was executed.
  */
 protected function load($rbac, $role, $permission = null)
 {
     $options = $this->options;
     $builder = new QueryBuilder($this->connection);
     // Role always present: select every node whose lft lies inside the range of
     // the row named :role, in lft order.
     // NOTE(review): the role table name is taken from options and placed in the
     // query as an identifier (identifiers cannot be bound) — confirm the options
     // are never user-controlled.
     $builder->select('node.name')->from($options->getRoleTable(), 'node')->from($options->getRoleTable(), 'parent')->where('node.lft BETWEEN parent.lft AND parent.rgt')->andWhere('parent.name = :role')->orderBy('node.lft');
     $builder->setParameter('role', $role);
     // Permission optional. This is a truthiness test, so a falsy permission
     // name (such as '0') is treated as "no permission requested".
     // NOTE(review): 'role_permission' and 'permission' are hard-coded here while
     // the role table is configurable — confirm that is intended.
     if ($permission) {
         $builder->addSelect('permission.name AS permission')->leftJoin('node', 'role_permission', 'rp', 'node.id = rp.role_id')->leftJoin('node', 'permission', 'permission', 'rp.permission_id = permission.id')->andWhere('(permission.name = :permission OR permission.name IS NULL)');
         $builder->setParameter('permission', $permission);
     }
     // Name of the role from the previous row; null while on the first row.
     $parent = null;
     foreach ($builder->execute() as $row) {
         if ($parent) {
             // Rows after the first: a role not yet known is attached as a child of
             // the previous row's role.
             // NOTE(review): this chains rows linearly in lft order — confirm that
             // is the intended hierarchy when a node has siblings.
             if (!$rbac->hasRole($row['name'])) {
                 $rbac->getRole($parent)->addChild($row['name']);
             }
         } elseif (!$rbac->hasRole($row['name'])) {
             // First row: register the role at the top level if it is not known yet.
             $rbac->addRole($row['name']);
         }
         if ($permission) {
             // The LEFT JOIN yields NULL for roles without the permission; only a
             // non-empty value is attached to the role.
             if ($row['permission']) {
                 $rbac->getRole($row['name'])->addPermission($row['permission']);
             }
         }
         $parent = $row['name'];
     }
     return $builder;
 }
<?php

require __DIR__ . '/../vendor/autoload.php';
use FUnit as fu;
use Zend\Permissions\Rbac\Rbac;
use Knlv\Zf2\Permissions\Rbac\Assertion\Callback as RbacCallback;
// Shared fixture: 'member' is registered first, then 'guest' with 'member'
// named as its parent. 'read' is given to 'guest' and 'write' to 'member'.
fu::setup(function () {
    $container = new Rbac();
    $container->addRole('member');
    $container->addRole('guest', 'member');
    $guestRole = $container->getRole('guest');
    $guestRole->addPermission('read');
    $memberRole = $container->getRole('member');
    $memberRole->addPermission('write');
    fu::fixture('rbac', $container);
});
// Checks the fixture without assertions first, then that a callback assertion
// can veto a permission the role holds and leaves a grant in place when it passes.
fu::test('Test rbac callback assertion', function () {
    $container = fu::fixture('rbac');
    // Baseline: 'member' is granted both permissions, while 'guest' is granted
    // 'read' only.
    $baseline = $container->isGranted('guest', 'read')
        && $container->isGranted('member', 'read')
        && !$container->isGranted('guest', 'write')
        && $container->isGranted('member', 'write');
    fu::ok($baseline, 'Test rbac without assertions');
    $alwaysAllow = new RbacCallback(function () {
        return true;
    });
    $alwaysDeny = new RbacCallback(function () {
        return false;
    });
    // A failing assertion must turn an otherwise granted permission into a denial.
    $vetoed = $container->isGranted('member', 'read', $alwaysDeny);
    fu::not_ok($vetoed, 'Assert permission not granted when callback returns false');
    $allowed = $container->isGranted('member', 'write', $alwaysAllow);
    fu::ok($allowed, 'Assert permission granted when callback returns true');
});