Commit df93b0882a23eac4e8954558c7a91fa527128359

Authored by Etienne Pallier
1 parent 19a31f8f

More tests on easyACL and more bugfixes !!!

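--- a/src/Controller/AppController.php
+++ b/src/Controller/AppController.php
@@ -70,18 +70,22 @@ class AppController extends Controller {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS4_Y' => 'Y',
+'action_CAS4_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'edit' => 'N', // update
 //'delete' => 'N',
-'autre1' => 'Y',
-'autre2' => 'N',
-'autre3' => 'Y',
-'autre4' => 'N',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS3_Y' => 'Y',
+'action_CAS3_N' => 'N',
+// YOUR RULES :
 // CRUD actions
 'add' => 'Y', // C
 'index' => 'Y', // R all
@@ -182,28 +186,30 @@ class AppController extends Controller {
 case 'Administration Plus': $role='ADMINPLUS'; break;
 case 'Super Administrateur': $role='SUPERADMIN'; break;
 }
-// 1) controller specific (role) rule for action
+if ($doDEBUG) debug("role is $role");
+
+// 1) SPECIFIC controller SPECIFIC (role) rule for action
 //if (isset($controller->easyACL[$role][$action])) {
 if (self::hasACLRule($controller::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS1");
 return $this->evalSpecificRule($controller::easyACL[$role][$action], $controller, $user, $role, $action);
 }
 
-// 2) AppController ($this) specific (role) rule for action
-//if (isset($this->easyACL[$role][$action])) {
-if (self::hasACLRule(self::easyACL, $role, $action)) {
+// 2) SPECIFIC controller DEFAULT rule for action
+//if (null !== $controller::easyACL['DEFAULT'][$action]) {
+if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
 if ($doDEBUG) debug("CAS2");
-return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
+return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
 }
 
-// 3) controller general (DEFAULT) rule for action
-//if (null !== $controller::easyACL['DEFAULT'][$action]) {
-if (self::hasACLRule($controller::easyACL, 'DEFAULT', $action)) {
+// 3) ALL controllers (AppController) SPECIFIC (role) rule for action
+//if (isset($this->easyACL[$role][$action])) {
+if (self::hasACLRule(self::easyACL, $role, $action)) {
 if ($doDEBUG) debug("CAS3");
-return $this->evalACL($controller::easyACL['DEFAULT'][$action]);
+return $this->evalSpecificRule(self::easyACL[$role][$action], $this, $user, $role, $action);
 }
 
-// 4) AppController general (DEFAULT) rule for action
+// 4) ALL controllers (AppController) DEFAULT rule for action
 //if (isset($this->easyACL['DEFAULT'][$action])) {
 //if (self::hasACLRule('DEFAULT',$action)) {
 if (self::hasACLRule(self::easyACL, 'DEFAULT',$action)) {
@@ -214,12 +220,12 @@ class AppController extends Controller {
 
 /*
 * (RECURSIVE CALL)
-* 5) controller previous specific (role) rule for action
+* 5) SPECIFIC controller PREVIOUS SPECIFIC (role) rule for action
 * ex: if role is 'SUPER', use 'ADMIN' rule
 * ex: if role is 'ADMIN', use 'RESP' rule
 * ex: if role is 'RESP', use 'USER' rule
 * ex: if role is 'USER', stop recursive call
-* Stop recursive call if role is 'USER' => no rule found, so default is authorize (Y)
+* Stop recursive call if role is 'USER' => no rule found, so DEFAULT IS AUTHORIZE (Y) !!! => permissive ACL
 */
 //if ($role == 'USER') return true;
 if ($role == 'USER') {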
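Review bot: The resolution chain in the second hunk (new lines 192–215) still ends in authorize-by-default, which the third hunk's updated comment now explicitly calls `permissive ACL`: an action with no entry in any `easyACL` table, for any role, is granted, so every newly added controller action is open until someone remembers to write a rule. The commit also reorders the chain — the controller's `DEFAULT` entry (CAS2) now wins over the AppController role entry (CAS3) — which changes where a missing rule falls through to, so the precedence deserves a one-line statement next to the `easyACL` declaration in the first hunk, e.g. `// Lookup order: controller[role] > controller[DEFAULT] > AppController[role] > AppController[DEFAULT] > previous role (recursive); no match => authorized (Y)`. The new `debug("role is $role")` at new line 189 follows a switch whose start is outside the hunk; if no case matches and `$role` is not initialised earlier, that interpolation and the lookups below operate on an undefined variable, so the switch's default branch is worth checking. The `action_CAS4_*` and `action_CAS3_*` entries (and their counterparts in src/Controller/MaterielsController.php) are test fixtures stored in the production authorization table; a test-only subclass or fixture would keep them out of the deployed ACL. The enclosing function starts and ends outside these hunks.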
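--- a/src/Controller/MaterielsController.php
+++ b/src/Controller/MaterielsController.php
@@ -53,6 +53,10 @@ class MaterielsController extends AppController {
 'DEFAULT' => array (
 // 'action' => 'condition for execution' (= 'Y', 'N', or '<condition>'),
 // with <condition> like "'field name' == 'value'"
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS2_Y' => 'Y',
+'action_CAS2_N' => 'N',
+// YOUR RULES :
 // CRUD actions :
 //'index' => 'Y', // read all
 //'view' => 'Y', // read one
@@ -60,15 +64,17 @@ class MaterielsController extends AppController {
 //'find' => 'Y', // create
 'edit' => '(status == CREATED || status == VALIDATED)', // update
 'delete' => '(status == CREATED)',
-'autre1' => 'N',
-'autre2' => 'Y',
-//'autre3' => 'N',
-//'autre4' => 'NN',
 ),
 
 // Ajoute des ACL plus spécifiques (ci-dessus) pour le profil USER qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'USER' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS1_Y' => 'Y',
+'action_CAS1_N' => 'N',
+'action_CAS6_resp_Y' => 'Y',
+'action_CAS6_resp_N' => 'N',
+// YOUR RULES :
 'edit' => '&& (is_creator || is_user)', // is_owner = (nom_createur == CURRENT_USER_NAME)
 // except fields status, owner, etiquette, and admin data, VALIDATED (only some fields, cf $modifiableFields in View/Materiels/scaffold.form.ctp)
 'delete' => '&& is_owner',
@@ -87,6 +93,10 @@ class MaterielsController extends AppController {
 // Surcharge des ACL par défaut (ci-dessus) pour le profil RESPONSABLE qui est plus restreint
 // Les actions absentes ne sont pas surchargées (elles sont exécutées selon les conditions définies pour 'ALL')
 'RESPONSABLE' => array (
+// !!! Used for test, DO NOT REMOVE : !!!
+'action_CAS6_admin_Y' => 'Y',
+'action_CAS6_admin_N' => 'N',
+// YOUR RULES :
 'edit' => '&& is_resp', // is_owner = (nom_createur == CURRENT_USER_NAME)
 //'delete' => 'is_resp && (status == CREATED)',
 // Valider les matos dont il est responsable :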
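Review bot: The `action_CAS6_resp_*` entries in the second hunk sit in the `USER` table but are exercised by the test with the `Responsable` role, and `action_CAS6_admin_*` in the third hunk sit under `RESPONSABLE` but are tested as `Administration`; nothing in the file says these are reached through the previous-role fallback, so a reader will take them for misplaced rules. A comment on each pair, e.g. `// reached by RESPONSABLE via the previous-role fallback (case 5 in AppController)`, would tie the fixture to the behaviour it covers. The existing header comment on these blocks also says absent actions fall back to `'ALL'`, while the tables only define `DEFAULT`, `USER` and `RESPONSABLE`; if `'ALL'` is an old name, the comment should say `DEFAULT`.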
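--- a/tests/TestCase/Controller/MaterielsControllerTest.php
+++ b/tests/TestCase/Controller/MaterielsControllerTest.php
@@ -135,24 +135,88 @@ class MaterielsControllerTest extends General {
 * *****************************************************************************
 */
 public function testEasyACL() {
+$matCont = new MaterielsController();
+$appCont = new AppController();
+/*
 $role = 'USER_from_ldap';
 $this->authAs($role);
-$roleLong = (new AppController())->getUserRole();
-$matCont = new MaterielsController();
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre1');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre2');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'autre3');
-$this->_testEasyACL('N', $matCont, $roleLong, 'autre4');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'unknown');
-$this->_testEasyACL('Y', $matCont, $roleLong, 'add');
-$this->_testEasyACL('(status == CREATED || status == VALIDATED) && (is_creator || is_user)', $matCont, $roleLong, 'edit');
+$roleLong = $appCont->getUserRole();
+*/
+
+/*
+* SCHOOL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// CAS1
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS1_N', 'N');
+// CAS2
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS2_N', 'N');
+// CAS3
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS3_N', 'N');
+// CAS4
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS4_N', 'N');
+// CAS5
+$this->_testEasyACL($matCont, $roleLong, 'action_unknown_CAS5_Y', 'Y');
+
+// CAS6
+/*
+$role = 'RESP';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Responsable';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_resp_N', 'N');
+/*
+$role = 'ADMIN';
+$this->authAs($role);
+$roleLong = $appCont->getUserRole();
+*/
+$roleLong = 'Administration';
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_Y', 'Y');
+$this->_testEasyACL($matCont, $roleLong, 'action_CAS6_admin_N', 'N');
+
+/*
+* REAL CASES
+*/
+
+$roleLong = 'Utilisateur';
+// add as USER
+$this->_testEasyACL($matCont, $roleLong, 'add', 'Y');
+
+// edit
+$this->_testEasyACL($matCont, 'Utilisateur', 'edit', '(status == CREATED || status == VALIDATED) && (is_creator || is_user)');
+$this->_testEasyACL($matCont, 'Responsable', 'edit', '(status == CREATED || status == VALIDATED) && is_resp');
+$this->_testEasyACL($matCont, 'Administration', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'edit', '(status == CREATED || status == VALIDATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'edit', '(status == CREATED || status == VALIDATED)');
+
+// delete
+$this->_testEasyACL($matCont, 'Utilisateur', 'delete', '(status == CREATED) && is_owner');
+$this->_testEasyACL($matCont, 'Responsable', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Administration Plus', 'delete', '(status == CREATED)');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'delete', '(status == CREATED)');
+
+// statusCreated
+$this->_testEasyACL($matCont, 'Utilisateur', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Responsable', 'statusCreated', 'N');
+$this->_testEasyACL($matCont, 'Administration', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Administration Plus', 'statusCreated', 'Y');
+$this->_testEasyACL($matCont, 'Super Administrateur', 'statusCreated', 'Y');
+
 /*
 $action='autre4';
 $rule = $matCont->isAuthorizedAction($matCont, $roleLong, $action);
 $this->assertEquals('N', $rule, $roleLong.' do '.$action);
 */
 }
-private function _testEasyACL($expectedRule, AppController $controller, $roleLong, $action) {
+private function _testEasyACL(AppController $controller, $roleLong, $action, $expectedRule) {
 $rule = $controller->isAuthorizedAction($controller, $roleLong, $action);
 $this->assertEquals($expectedRule, $rule, $roleLong.' do '.$action);
 }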
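Review bot: `$appCont` at new line 139 is instantiated but only referenced inside commented-out blocks, and with every `authAs()`/`getUserRole()` call commented out the test now feeds long role names straight into `isAuthorizedAction`, so the mapping from the authenticated user to an ACL role is no longer exercised by this test. Either drop the unused `$appCont` or keep one real-case assertion that goes through `authAs()` and `getUserRole()` so that a regression in role resolution still fails a test. The CAS5 assertion `'action_unknown_CAS5_Y' => 'Y'` pins the authorize-by-default behaviour for an action with no rule; a comment such as `// unknown action: no rule in any table => permissive default (Y), see AppController case 5` would mark this as the intended contract rather than an accident, and make it obvious what to update if the default ever becomes deny. The `_testEasyACL` parameter reorder is fine, though a `string $expectedRule` type and a short docblock (`@param string $expectedRule 'Y', 'N' or the resolved condition string`) would document what the helper compares.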