Commit df93b0882a23eac4e8954558c7a91fa527128359
1 parent
19a31f8f
More tests on easyACL and more bugfixes !!!
Showing
3 changed files
with
110 additions
and
30 deletions
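--- a/src/Controller/AppController.php
+++ b/src/Controller/AppController.php
@@ -70,18 +70,22 @@ class AppController extends Controller {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS4_Y' => 'Y',
+'action_CAS4_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'edit' => 'N', // update
 //'delete' => 'N',
-'autre1' => 'Y',
-'autre2' => 'N',
-'autre3' => 'Y',
-'autre4' => 'N',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS3_Y' => 'Y',
+'action_CAS3_N' => 'N',
+// YOUR RULES :
 // CRUD actions
 'add' => 'Y', // C
 'index' => 'Y', // R all
@@ -182,28 +186,30 @@ class AppController extends Controller {
 case 'Administration Plus': $role='ADMINPLUS'; break;
 case 'Super Administrateur': $role='SUPERADMIN'; break;
 }
-// 1) controller specific (role) rule for action
+if ($doDEBUG) debug("role is $role");
+
+// 1) SPECIFIC controller SPECIFIC (role) rule for action
 //if (isset($controller->easyACL[$role][$action])) {
 if (self::hasACLRule($controller::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS1");
 return $this->evalSpecificRule($controller::easyACL[$role][$action], $controller, $user, $role, $action);
 }
 
-// 2) AppController ($this) specific (role) rule for action
-//if (isset($this->easyACL[$role][$action])) {
-if (self::hasACLRule(self::easyACL, $role, $action)) {
+// 2) SPECIFIC controller DEFAULT rule for action
+//if (null !== $controller::easyACL['DEFAULT'][$action]) {
+if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
 if ($doDEBUG) debug("CAS2");
-return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
+return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
 }
 
-// 3) controller general (DEFAULT) rule for action
-//if (null !== $controller::easyACL['DEFAULT'][$action]) {
-if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
+// 3) ALL controllers (AppController) SPECIFIC (role) rule for action
+//if (isset($this->easyACL[$role][$action])) {
+if (self::hasACLRule(self::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS3");
-return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
+return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
 }
 
-// 4) AppController general (DEFAULT) rule for action
+// 4) ALL controllers (AppController) DEFAULT rule for action
 //if (isset($this->easyACL['DEFAULT'][$action])) {
 //if (self::hasACLRule('DEFAULT',$action)) {
 if (self::hasACLRule(self::easyACL, 'DEFAULT',$action)) {
@@ -214,12 +220,12 @@ class AppController extends Controller {
 
 /*
 * (RECURSIVE CALL)
-* 5) controller previous specific (role) rule for action
+* 5) SPECIFIC controller PREVIOUS SPECIFIC (role) rule for action
 * ex: if role is 'SUPER', use 'ADMIN' rule
 * ex: if role is 'ADMIN', use 'RESP' rule
 * ex: if role is 'RESP', use 'USER' rule
 * ex: if role is 'USER', stop recursive call
-* Stop recursive call if role is 'USER' => no rule found, so default is authorize (Y)
+* Stop recursive call if role is 'USER' => no rule found, so DEFAULT IS AUTHORIZE (Y) !!! => permissive ACL
 */
 //if ($role == 'USER') return true;
 if ($role == 'USER') {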
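Review bot: No rule for an action means authorize, as the comment rewritten at new line 228 now states ('DEFAULT IS AUTHORIZE (Y) !!! => permissive ACL'), so a misspelled or newly added action in any controller is granted to every role until someone writes a rule for it, and the CAS5 expectation in MaterielsControllerTest pins that behaviour instead of guarding against it. A fail-closed fallback (`'N'` when the recursion reaches 'USER' with no match) with explicit `'Y'` entries for the public actions is the safer contract; if the permissive default is intentional for now, the fallback branch should at least log the unmatched controller and action so untyped actions stay visible. The reordering in the second hunk also appears to let a controller-level DEFAULT rule (step 2) take precedence over an AppController per-role rule (step 3); that precedence belongs in the docblock of the easyACL constant rather than only in the numbered inline comments. The enclosing method (presumably isAuthorizedAction, which the test calls) continues past the last hunk, so the fallback code itself is not visible here.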
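--- a/src/Controller/MaterielsController.php
+++ b/src/Controller/MaterielsController.php
@@ -53,6 +53,10 @@ class MaterielsController extends AppController {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS2_Y' => 'Y',
+'action_CAS2_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'index' => 'Y', // read all
 //'view' => 'Y', // read one
@@ -60,15 +64,17 @@ class MaterielsController extends AppController {
 //'find' => 'Y', // create
 'edit' => '(status == CREATED || status == VALIDATED)', // update
 'delete' => '(status == CREATED)',
-'autre1' => 'N',
-'autre2' => 'Y',
-//'autre3' => 'N',
-//'autre4' => 'NN',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS1_Y' => 'Y',
+'action_CAS1_N' => 'N',
+'action_CAS6_resp_Y' => 'Y',
+'action_CAS6_resp_N' => 'N',
+// YOUR RULES :
 'edit' => '&& (is_creator || is_user)', // is_owner = (nom_createur == CURRENT_USER_NAME)
 // except fields status, owner, etiquette, and admin data, VALIDATED (only some fields, cf $modifiableFields in View/Materiels/scaffold.form.ctp)
 'delete' => '&& is_owner',
@@ -87,6 +93,10 @@ class MaterielsController extends AppController {
 // Surcharge des ACL par défaut (ci-dessus) pour le profil RESPONSABLE qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'RESPONSABLE' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS6_admin_Y' => 'Y',
+'action_CAS6_admin_N' => 'N',
+// YOUR RULES :
 'edit' => '&& is_resp', // is_owner = (nom_createur == CURRENT_USER_NAME)
 //'delete' => 'is_resp && (status == CREATED)',
 // Valider les matos dont il est responsable :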
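Review bot: The action_CAS* entries added to the DEFAULT, USER and RESPONSABLE arrays are test fixtures placed in the production ACL table, and the 'DO NOT REMOVE' comments couple this controller to MaterielsControllerTest. Given the permissive fallback documented in AppController, the 'Y' entries change nothing and the 'N' entries only deny actions that do not exist, so they are harmless today, but every reader of the ACL has to learn to skip them and a later cleanup can silently break the tests. A test-only subclass (a fixture controller extending MaterielsController that redeclares easyACL with the CAS entries) keeps the production table limited to real actions; the same applies to the CAS3/CAS4 entries added in AppController.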
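--- a/tests/TestCase/Controller/MaterielsControllerTest.php
+++ b/tests/TestCase/Controller/MaterielsControllerTest.php
@@ -135,24 +135,88 @@ class MaterielsControllerTest extends General {
 * *****************************************************************************
 */
 public function testEasyACL() {
+$matCont = new MaterielsController();
+$appCont = new AppController();
+/*
 $role = 'USER_from_ldap';
 $this->authAs($role);
-$roleLong = (new AppController())->getUserRole();
-$matCont = new MaterielsController();
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre1');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre2');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre3');
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre4');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'unknown');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'add');
-$this->_testEasyACL('(status == CREATED || status == VALIDATED) && (is_creator || is_user)', $matCont, $roleLong, 'edit');
+$roleLong = $appCont->getUserRole();
+*/
+
+/*
+* SCHOOL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// CAS1
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_N', 'N');
+// CAS2
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_N', 'N');
+// CAS3
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_N', 'N');
+// CAS4
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_N', 'N');
+// CAS5
+$this->_testEasyACL($matCont, $roleLong, 'action_unknown_CAS5_Y', 'Y');
+
+// CAS6
+/*
+$role = 'RESP';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Responsable';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_N', 'N');
+/*
+$role = 'ADMIN';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Administration';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_N', 'N');
+
+/*
+* REAL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// add as USER
+$this->_testEasyACL($matCont, $roleLong, 'add', 'Y');
+
+// edit
+$this->_testEasyACL($matCont, 'Utilisateur', 'edit', '(status == CREATED || status == VALIDATED) && (is_creator || is_user)');
+$this->_testEasyACL($matCont, 'Responsable', 'edit', '(status == CREATED || status == VALIDATED) && is_resp');
+$this->_testEasyACL($matCont, 'Administration', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'edit', '(status == CREATED || status == VALIDATED)');
+
+// delete
+$this->_testEasyACL($matCont, 'Utilisateur', 'delete', '(status == CREATED) && is_owner');
+$this->_testEasyACL($matCont, 'Responsable', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'delete', '(status == CREATED)');
+
+// statusCreated
+$this->_testEasyACL($matCont, 'Utilisateur', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Responsable', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Administration', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Administration Plus', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'statusCreated', 'Y');
+
 /*
 $action='autre4';
 $rule = $matCont->isAuthorizedAction($matCont, $roleLong, $action);
 $this->assertEquals('N', $rule, $roleLong.' do '.$action);
 */
 }
-private function _testEasyACL($expectedRule, AppController $controller, $roleLong, $action) {
+private function _testEasyACL(AppController $controller, $roleLong, $action, $expectedRule) {
 $rule = $controller->isAuthorizedAction($controller, $roleLong, $action);
 $this->assertEquals($expectedRule, $rule, $roleLong.' do '.$action);
 }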
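Review bot: `$appCont` at new line 139 is only referenced inside the commented-out blocks, so it is an unused AppController instance; either drop it or restore the `authAs()`/`getUserRole()` path, because the hard-coded 'Utilisateur'/'Responsable'/'Administration' strings now bypass the LDAP-role-to-long-name mapping that the previous version of this test exercised. The *_Y school cases cannot tell a matched 'Y' rule from the permissive fallback that CAS5 asserts, so only the *_N cases actually prove which lookup level answered; giving each level a distinct non-'Y' marker rule (a condition string, as the real 'edit' cases do) would let every case pin its level. `assertSame($expectedRule, $rule, $roleLong.' do '.$action)` is the stricter idiom for a scalar expectation in `_testEasyACL`, and the commented-out `autre4` block at the end of testEasyACL is dead code that should be deleted rather than kept.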