Commit df93b0882a23eac4e8954558c7a91fa527128359

Authored by Etienne Pallier
1 parent 19a31f8f

More tests on easyACL and more bugfixes !!!

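--- a/src/Controller/AppController.php
+++ b/src/Controller/AppController.php
@@ -70,18 +70,22 @@ class AppController extends Controller {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS4_Y' => 'Y',
+'action_CAS4_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'edit' => 'N', // update
 //'delete' => 'N',
-'autre1' => 'Y',
-'autre2' => 'N',
-'autre3' => 'Y',
-'autre4' => 'N',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS3_Y' => 'Y',
+'action_CAS3_N' => 'N',
+// YOUR RULES :
 // CRUD actions
 'add' => 'Y', // C
 'index' => 'Y', // R all
@@ -182,28 +186,30 @@ class AppController extends Controller {
 case 'Administration Plus': $role='ADMINPLUS'; break;
 case 'Super Administrateur': $role='SUPERADMIN'; break;
 }
-// 1) controller specific (role) rule for action
+if ($doDEBUG) debug("role is $role");
+
+// 1) SPECIFIC controller SPECIFIC (role) rule for action
 //if (isset($controller->easyACL[$role][$action])) {
 if (self::hasACLRule($controller::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS1");
 return $this->evalSpecificRule($controller::easyACL[$role][$action], $controller, $user, $role, $action);
 }
 
-// 2) AppController ($this) specific (role) rule for action
-//if (isset($this->easyACL[$role][$action])) {
-if (self::hasACLRule(self::easyACL, $role, $action)) {
+// 2) SPECIFIC controller DEFAULT rule for action
+//if (null !== $controller::easyACL['DEFAULT'][$action]) {
+if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
 if ($doDEBUG) debug("CAS2");
-return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
+return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
 }
 
-// 3) controller general (DEFAULT) rule for action
-//if (null !== $controller::easyACL['DEFAULT'][$action]) {
-if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
+// 3) ALL controllers (AppController) SPECIFIC (role) rule for action
+//if (isset($this->easyACL[$role][$action])) {
+if (self::hasACLRule(self::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS3");
-return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
+return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
 }
 
-// 4) AppController general (DEFAULT) rule for action
+// 4) ALL controllers (AppController) DEFAULT rule for action
 //if (isset($this->easyACL['DEFAULT'][$action])) {
 //if (self::hasACLRule('DEFAULT',$action)) {
 if (self::hasACLRule(self::easyACL, 'DEFAULT',$action)) {
@@ -214,12 +220,12 @@ class AppController extends Controller {
 
 /*
 * (RECURSIVE CALL)
-* 5) controller previous specific (role) rule for action
+* 5) SPECIFIC controller PREVIOUS SPECIFIC (role) rule for action
 * ex: if role is 'SUPER', use 'ADMIN' rule
 * ex: if role is 'ADMIN', use 'RESP' rule
 * ex: if role is 'RESP', use 'USER' rule
 * ex: if role is 'USER', stop recursive call
-* Stop recursive call if role is 'USER' => no rule found, so default is authorize (Y)
+* Stop recursive call if role is 'USER' => no rule found, so DEFAULT IS AUTHORIZE (Y) !!! => permissive ACL
 */
 //if ($role == 'USER') return true;
 if ($role == 'USER') {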
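Review bot: The final fall-through of isAuthorizedAction is fail-open: once no rule has matched at any of the four levels and the recursion has walked down to 'USER', the action is authorized, and the rewritten comment in the last hunk now documents this as a "permissive ACL", so any newly added or mistyped action name is allowed for every role. Authorization should default to deny: return 'N' from the `if ($role == 'USER') {` branch and make controllers opt actions in explicitly (the CAS5 test that pins 'Y' for `action_unknown_CAS5_Y` would then assert 'N'). The reordering in the second hunk also makes a controller's role-agnostic DEFAULT rule (CAS2) take precedence over AppController's role-specific rule (CAS3), so a global restriction placed under AppController 'USER' is silently voided by any controller that sets DEFAULT 'Y' for the same action; if that is intended, the "plus restreint" comment above the 'USER' block should say so, since it currently promises the opposite. The enclosing method begins before the second hunk (the switch head is not visible) and the `if ($role == 'USER') {` body continues past the last hunk.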
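--- a/src/Controller/MaterielsController.php
+++ b/src/Controller/MaterielsController.php
@@ -53,6 +53,10 @@ class MaterielsController extends AppController {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS2_Y' => 'Y',
+'action_CAS2_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'index' => 'Y', // read all
 //'view' => 'Y', // read one
@@ -60,15 +64,17 @@ class MaterielsController extends AppController {
 //'find' => 'Y', // create
 'edit' => '(status == CREATED || status == VALIDATED)', // update
 'delete' => '(status == CREATED)',
-'autre1' => 'N',
-'autre2' => 'Y',
-//'autre3' => 'N',
-//'autre4' => 'NN',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS1_Y' => 'Y',
+'action_CAS1_N' => 'N',
+'action_CAS6_resp_Y' => 'Y',
+'action_CAS6_resp_N' => 'N',
+// YOUR RULES :
 'edit' => '&& (is_creator || is_user)', // is_owner = (nom_createur == CURRENT_USER_NAME)
 // except fields status, owner, etiquette, and admin data, VALIDATED (only some fields, cf $modifiableFields in View/Materiels/scaffold.form.ctp)
 'delete' => '&& is_owner',
@@ -87,6 +93,10 @@ class MaterielsController extends AppController {
 // Surcharge des ACL par défaut (ci-dessus) pour le profil RESPONSABLE qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'RESPONSABLE' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS6_admin_Y' => 'Y',
+'action_CAS6_admin_N' => 'N',
+// YOUR RULES :
 'edit' => '&& is_resp', // is_owner = (nom_createur == CURRENT_USER_NAME)
 //'delete' => 'is_resp && (status == CREATED)',
 // Valider les matos dont il est responsable :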
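Review bot: The production ACL table now carries synthetic test rules (`'action_CAS1_Y'`, `'action_CAS2_N'`, `'action_CAS6_resp_Y'`, `'action_CAS6_admin_N'`, …) under DEFAULT, USER and RESPONSABLE, protected only by a "DO NOT REMOVE" comment, so the rule set that ships is no longer just what the application needs and a routine cleanup would silently break the tests. Because easyACL is read as a class constant (`$controller::easyACL` in AppController), these fixtures can live in a test-only subclass instead, e.g. `class MaterielsTestController extends MaterielsController { const easyACL = [ /* CAS1/CAS2/CAS6 rules */ ]; }` instantiated from the test, which keeps the deployed table minimal. The USER and RESPONSABLE 'edit'/'delete' entries are bare fragments (`'&& is_resp'`) that the tests expect to be appended to the DEFAULT condition string; how that assembled string is evaluated is not visible here, and if it is ever passed to eval() the rule text must remain strictly developer-controlled, which is one more reason not to mix test fixtures into it. The easyACL array begins before the first hunk and continues past the last one.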
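--- a/tests/TestCase/Controller/MaterielsControllerTest.php
+++ b/tests/TestCase/Controller/MaterielsControllerTest.php
@@ -135,24 +135,88 @@ class MaterielsControllerTest extends General {
 * *****************************************************************************
 */
 public function testEasyACL() {
+$matCont = new MaterielsController();
+$appCont = new AppController();
+/*
 $role = 'USER_from_ldap';
 $this->authAs($role);
-$roleLong = (new AppController())->getUserRole();
-$matCont = new MaterielsController();
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre1');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre2');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre3');
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre4');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'unknown');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'add');
-$this->_testEasyACL('(status == CREATED || status == VALIDATED) && (is_creator || is_user)', $matCont, $roleLong, 'edit');
+$roleLong = $appCont->getUserRole();
+*/
+
+/*
+* SCHOOL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// CAS1
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_N', 'N');
+// CAS2
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_N', 'N');
+// CAS3
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_N', 'N');
+// CAS4
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_N', 'N');
+// CAS5
+$this->_testEasyACL($matCont, $roleLong, 'action_unknown_CAS5_Y', 'Y');
+
+// CAS6
+/*
+$role = 'RESP';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Responsable';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_N', 'N');
+/*
+$role = 'ADMIN';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Administration';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_N', 'N');
+
+/*
+* REAL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// add as USER
+$this->_testEasyACL($matCont, $roleLong, 'add', 'Y');
+
+// edit
+$this->_testEasyACL($matCont, 'Utilisateur', 'edit', '(status == CREATED || status == VALIDATED) && (is_creator || is_user)');
+$this->_testEasyACL($matCont, 'Responsable', 'edit', '(status == CREATED || status == VALIDATED) && is_resp');
+$this->_testEasyACL($matCont, 'Administration', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'edit', '(status == CREATED || status == VALIDATED)');
+
+// delete
+$this->_testEasyACL($matCont, 'Utilisateur', 'delete', '(status == CREATED) && is_owner');
+$this->_testEasyACL($matCont, 'Responsable', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'delete', '(status == CREATED)');
+
+// statusCreated
+$this->_testEasyACL($matCont, 'Utilisateur', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Responsable', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Administration', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Administration Plus', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'statusCreated', 'Y');
+
 /*
 $action='autre4';
 $rule = $matCont->isAuthorizedAction($matCont, $roleLong, $action);
 $this->assertEquals('N', $rule, $roleLong.' do '.$action);
 */
 }
-private function _testEasyACL($expectedRule, AppController $controller, $roleLong, $action) {
+private function _testEasyACL(AppController $controller, $roleLong, $action, $expectedRule) {
 $rule = $controller->isAuthorizedAction($controller, $roleLong, $action);
 $this->assertEquals($expectedRule, $rule, $roleLong.' do '.$action);
 }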
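Review bot: The CAS5 assertion on `action_unknown_CAS5_Y` turns the fail-open behaviour of isAuthorizedAction (no rule at any level → 'Y') into a tested contract without a word saying this is deliberate rather than a gap; a security reviewer would expect the opposite expectation ('N'), or at least `// CAS5: no rule at any level -> easyACL currently falls OPEN ('Y'); revisit before adding new actions` next to it so the permissive default cannot be mistaken for a checked property. With every `authAs()`/`getUserRole()` call commented out, the role names are now hard-coded strings, so the path from the authenticated user to 'Utilisateur'/'Responsable'/… is no longer exercised here and a regression in that mapping would still pass; keep one authenticated case alive or add a dedicated test for getUserRole(). No case covers a role string that the switch in isAuthorizedAction does not recognise; from the visible part of that switch it looks like $role would then be left unset (the switch head and any default branch are outside this diff), which is worth a test pinning whichever outcome is intended, presumably deny. Both testEasyACL and _testEasyACL are complete within the hunk.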