Commit df93b0882a23eac4e8954558c7a91fa527128359
1 parent
19a31f8f
More tests on easyACL and more bugfixes !!!
Showing
3 changed files
with
110 additions
and
30 deletions
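--- a/src/Controller/AppController.php
+++ b/src/Controller/AppController.php
@@ -70,18 +70,22 @@ class AppController extends Controller {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS4_Y' => 'Y',
+'action_CAS4_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'edit' => 'N', // update
 //'delete' => 'N',
-'autre1' => 'Y',
-'autre2' => 'N',
-'autre3' => 'Y',
-'autre4' => 'N',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS3_Y' => 'Y',
+'action_CAS3_N' => 'N',
+// YOUR RULES :
 // CRUD actions
 'add' => 'Y', // C
 'index' => 'Y', // R all
@@ -182,28 +186,30 @@ class AppController extends Controller {
 case 'Administration Plus': $role='ADMINPLUS'; break;
 case 'Super Administrateur': $role='SUPERADMIN'; break;
 }
-// 1) controller specific (role) rule for action
+if ($doDEBUG) debug("role is $role");
+
+// 1) SPECIFIC controller SPECIFIC (role) rule for action
 //if (isset($controller->easyACL[$role][$action])) {
 if (self::hasACLRule($controller::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS1");
 return $this->evalSpecificRule($controller::easyACL[$role][$action], $controller, $user, $role, $action);
 }
 
-// 2) AppController ($this) specific (role) rule for action
-//if (isset($this->easyACL[$role][$action])) {
-if (self::hasACLRule(self::easyACL, $role, $action)) {
+// 2) SPECIFIC controller DEFAULT rule for action
+//if (null !== $controller::easyACL['DEFAULT'][$action]) {
+if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
 if ($doDEBUG) debug("CAS2");
-return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
+return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
 }
 
-// 3) controller general (DEFAULT) rule for action
-//if (null !== $controller::easyACL['DEFAULT'][$action]) {
-if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
+// 3) ALL controllers (AppController) SPECIFIC (role) rule for action
+//if (isset($this->easyACL[$role][$action])) {
+if (self::hasACLRule(self::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS3");
-return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
+return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
 }
 
-// 4) AppController general (DEFAULT) rule for action
+// 4) ALL controllers (AppController) DEFAULT rule for action
 //if (isset($this->easyACL['DEFAULT'][$action])) {
 //if (self::hasACLRule('DEFAULT',$action)) {
 if (self::hasACLRule(self::easyACL, 'DEFAULT',$action)) {
@@ -214,12 +220,12 @@ class AppController extends Controller {
 
 /*
 * (RECURSIVE CALL)
-* 5) controller previous specific (role) rule for action
+* 5) SPECIFIC controller PREVIOUS SPECIFIC (role) rule for action
 * ex: if role is 'SUPER', use 'ADMIN' rule
 * ex: if role is 'ADMIN', use 'RESP' rule
 * ex: if role is 'RESP', use 'USER' rule
 * ex: if role is 'USER', stop recursive call
-* Stop recursive call if role is 'USER' => no rule found, so default is authorize (Y)
+* Stop recursive call if role is 'USER' => no rule found, so DEFAULT IS AUTHORIZE (Y) !!! => permissive ACL
 */
 //if ($role == 'USER') return true;
 if ($role == 'USER') {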
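Review bot: The comment rewritten at new line 228 makes the fail-open outcome explicit — an action with no rule at any level of the walk ends up authorized ('Y'), so a misspelled action name or a new controller action nobody wrote a rule for is allowed for every role, and the new test pins this ('action_unknown_CAS5_Y' expects 'Y'). A deny-by-default verdict when the walk reaches 'USER' with nothing found, or at least a documented opt-in constant for the permissive fallback, would keep an omission from turning into a grant. The swap of steps 2 and 3 in the second hunk also changes precedence: a controller's 'DEFAULT' entry now wins over a role-specific rule declared in AppController, which is presumably intended but deserves a word in the comment at new line 198, e.g. `// 2) SPECIFIC controller DEFAULT rule for action (wins over AppController role rules)`. The enclosing method (presumably isAuthorizedAction) starts before the second hunk and continues past the third.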
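--- a/src/Controller/MaterielsController.php
+++ b/src/Controller/MaterielsController.php
@@ -53,6 +53,10 @@ class MaterielsController extends AppController {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS2_Y' => 'Y',
+'action_CAS2_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'index' => 'Y', // read all
 //'view' => 'Y', // read one
@@ -60,15 +64,17 @@ class MaterielsController extends AppController {
 //'find' => 'Y', // create
 'edit' => '(status == CREATED || status == VALIDATED)', // update
 'delete' => '(status == CREATED)',
-'autre1' => 'N',
-'autre2' => 'Y',
-//'autre3' => 'N',
-//'autre4' => 'NN',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS1_Y' => 'Y',
+'action_CAS1_N' => 'N',
+'action_CAS6_resp_Y' => 'Y',
+'action_CAS6_resp_N' => 'N',
+// YOUR RULES :
 'edit' => '&& (is_creator || is_user)', // is_owner = (nom_createur == CURRENT_USER_NAME)
 // except fields status, owner, etiquette, and admin data, VALIDATED (only some fields, cf $modifiableFields in View/Materiels/scaffold.form.ctp)
 'delete' => '&& is_owner',
@@ -87,6 +93,10 @@ class MaterielsController extends AppController {
 // Surcharge des ACL par défaut (ci-dessus) pour le profil RESPONSABLE qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'RESPONSABLE' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS6_admin_Y' => 'Y',
+'action_CAS6_admin_N' => 'N',
+// YOUR RULES :
 'edit' => '&& is_resp', // is_owner = (nom_createur == CURRENT_USER_NAME)
 //'delete' => 'is_resp && (status == CREATED)',
 // Valider les matos dont il est responsable :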
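Review bot: The 'action_CAS2_*', 'action_CAS1_*' and 'action_CAS6_*' entries added to the 'DEFAULT', 'USER' and 'RESPONSABLE' tables are test fixtures living in the shipped authorization table; since the lookup matches on the action name, these are live rules ('action_CAS1_Y' => 'Y' for USER) rather than inert data, and the same holds for the 'action_CAS3_*'/'action_CAS4_*' entries in AppController's hunk at line 70. They stay unreachable only as long as no controller method ever carries one of these names; a future action named that way would silently inherit the fixture's verdict. Prefer a test-only subclass or a test-specific easyACL table supplied by the test so production tables hold only real rules, or at minimum make the constraint explicit next to them with `// test fixtures: no controller action may be named action_CAS*`.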
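--- a/tests/TestCase/Controller/MaterielsControllerTest.php
+++ b/tests/TestCase/Controller/MaterielsControllerTest.php
@@ -135,24 +135,88 @@ class MaterielsControllerTest extends General {
 * *****************************************************************************
 */
 public function testEasyACL() {
+$matCont = new MaterielsController();
+$appCont = new AppController();
+/*
 $role = 'USER_from_ldap';
 $this->authAs($role);
-$roleLong = (new AppController())->getUserRole();
-$matCont = new MaterielsController();
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre1');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre2');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre3');
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre4');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'unknown');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'add');
-$this->_testEasyACL('(status == CREATED || status == VALIDATED) && (is_creator || is_user)', $matCont, $roleLong, 'edit');
+$roleLong = $appCont->getUserRole();
+*/
+
+/*
+* SCHOOL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// CAS1
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_N', 'N');
+// CAS2
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_N', 'N');
+// CAS3
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_N', 'N');
+// CAS4
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_N', 'N');
+// CAS5
+$this->_testEasyACL($matCont, $roleLong, 'action_unknown_CAS5_Y', 'Y');
+
+// CAS6
+/*
+$role = 'RESP';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Responsable';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_N', 'N');
+/*
+$role = 'ADMIN';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Administration';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_N', 'N');
+
+/*
+* REAL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// add as USER
+$this->_testEasyACL($matCont, $roleLong, 'add', 'Y');
+
+// edit
+$this->_testEasyACL($matCont, 'Utilisateur', 'edit', '(status == CREATED || status == VALIDATED) && (is_creator || is_user)');
+$this->_testEasyACL($matCont, 'Responsable', 'edit', '(status == CREATED || status == VALIDATED) && is_resp');
+$this->_testEasyACL($matCont, 'Administration', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'edit', '(status == CREATED || status == VALIDATED)');
+
+// delete
+$this->_testEasyACL($matCont, 'Utilisateur', 'delete', '(status == CREATED) && is_owner');
+$this->_testEasyACL($matCont, 'Responsable', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'delete', '(status == CREATED)');
+
+// statusCreated
+$this->_testEasyACL($matCont, 'Utilisateur', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Responsable', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Administration', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Administration Plus', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'statusCreated', 'Y');
+
 /*
 $action='autre4';
 $rule = $matCont->isAuthorizedAction($matCont, $roleLong, $action);
 $this->assertEquals('N', $rule, $roleLong.' do '.$action);
 */
 }
-private function _testEasyACL($expectedRule, AppController $controller, $roleLong, $action) {
+private function _testEasyACL(AppController $controller, $roleLong, $action, $expectedRule) {
 $rule = $controller->isAuthorizedAction($controller, $roleLong, $action);
 $this->assertEquals($expectedRule, $rule, $roleLong.' do '.$action);
 }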
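Review bot: `$appCont` is instantiated at new line 139 but only referenced inside commented-out blocks, and every `authAs()`/`getUserRole()` path is commented out in favour of hard-coded role labels ('Utilisateur', 'Responsable', ...), so the test no longer covers the mapping from the authenticated user to the role label that the switch in AppController depends on; either drop the unused instantiation or keep one authAs-based case alive. The helper signature at new line 219 is untyped and compares with `assertEquals`; `private function _testEasyACL(AppController $controller, string $roleLong, string $action, string $expectedRule): void {` together with `$this->assertSame($expectedRule, $rule, $roleLong.' do '.$action);` would make a type-coerced match (e.g. a boolean true against 'Y') fail loudly. The CAS5 assertion (`'action_unknown_CAS5_Y'` expecting 'Y') pins the fail-open default as intended behaviour; if that default is ever tightened, this is the case that must change, so a comment saying so would help the next maintainer.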