[limb-svn] r7136 - in 3.x/trunk/limb/acl: src tests/cases
svn at limb-project.com
svn at limb-project.com
Wed Jul 30 16:37:31 MSD 2008
Author: conf
Date: 2008-07-30 16:37:30 +0400 (Wed, 30 Jul 2008)
New Revision: 7136
URL: http://fisheye.limb-project.com/changelog/limb/?cs=7136
Modified:
3.x/trunk/limb/acl/src/lmbAcl.class.php
3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php
Log:
-- added resource inherits functionality
-- in case role inherits and resource inherits conflict, role inherits has the priority
-- fixed some typos
-- added test cases
Modified: 3.x/trunk/limb/acl/src/lmbAcl.class.php
===================================================================
--- 3.x/trunk/limb/acl/src/lmbAcl.class.php 2008-07-30 10:24:47 UTC (rev 7135)
+++ 3.x/trunk/limb/acl/src/lmbAcl.class.php 2008-07-30 12:37:30 UTC (rev 7136)
@@ -37,7 +37,7 @@
foreach($parents as $parent)
{
if(!$this->isRoleExist($parent))
- throw new lmbAclException('Parent role not exist', array(
+ throw new lmbAclException('Parent role does not exist', array(
'role' => $role,
'parent' => $parent,
));
@@ -65,10 +65,12 @@
if(!count($inherits))
return array();
+
+ $merged_inherits = $inherits;
foreach($inherits as $inherit)
- $inherits = array_merge($inherits, $this->getRoleInherits($inherit));
+ $merged_inherits = array_merge($merged_inherits, $this->getRoleInherits($inherit));
- return $inherits;
+ return $merged_inherits;
}
function addResource($resource, $parents = array())
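Review bot: The recursion in the new `$merged_inherits` loop keeps no record of visited names, so an ancestor reachable through two parents appears in the result more than once, and a parent cycle would recurse without end. Whether a cycle can be registered depends on how addRole treats an already-registered role, which is not visible in this diff. Because this list drives the access check, consider de-duplicating before returning, e.g. `return array_values(array_unique($merged_inherits));`, and rejecting cyclic parents at registration time. The same applies to the getResourceInherits hunk further down; the function body here starts outside the hunk.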
@@ -79,15 +81,15 @@
foreach($parents as $parent)
{
if(!$this->isResourceExist($parent))
- throw new lmbAclException('Parent role not exist', array(
- 'role' => $resource,
+ throw new lmbAclException('Parent resource does not exist', array(
+ 'resource' => $resource,
'parent' => $parent,
));
}
$this->_resources[$resource] = $parents;
- return true;
+ return $this;
}
function getResources()
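Review bot: `return $this;` changes addResource's result from a boolean to the ACL object, and the exception data key changes from `'role'` to `'resource'`; neither change is documented on the method. A caller that compares the result with `=== true`, or reads `'role'` from the exception parameters, would change behaviour silently. A docblock stating that the method returns the lmbAcl instance for chaining and throws lmbAclException when a parent resource is not registered would record the new contract. Whether addRole already returns `$this` is not visible here, and the method's opening lines are outside the hunk.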
@@ -107,10 +109,12 @@
if(!count($inherits))
return array();
+ $merged_inherits = $inherits;
+
foreach($inherits as $inherit)
- $inherits = array_merge($inherits, $this->getResourceInherits($inherit));
+ $merged_inherits = array_merge($merged_inherits, $this->getResourceInherits($inherit));
- return $inherits;
+ return $merged_inherits;
}
protected function _isExistRoleRule($role, $privilege)
@@ -229,7 +233,6 @@
$resource = $resource->getResource();
$this->_checkResource($resource);
-
return array($role, $resource);
}
@@ -257,10 +260,20 @@
if($this->_isExistRoleRule($role, $privilege))
return ($rule === $this->_getRoleRule($role, $privilege));
-
+
+ $has_denials = false;
foreach($this->getRoleInherits($role) as $inherit)
+ {
+ $has_denials = $this->hasDenials($inherit, $resource, $privilege) || $has_denials;
if($rule === $this->isAllowed($inherit, $resource, $privilege))
return true;
+ }
+
+ // check resource inherits only if role inherits does NOT have any denials
+ if(!is_null($resource) && !$has_denials)
+ foreach($this->getResourceInherits($resource) as $inherit)
+ if($rule === $this->isAllowed($role, $inherit, $privilege))
+ return true;
return false;
}
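Review bot: The new resource-inherit loop returns true on the first ancestor that matches `$rule`, so an explicit rule on a nearer ancestor does not end the search. getResourceInherits returns the whole ancestor chain, so in a constructed chain `news <- secret <- topsecret` with an allow on news and a deny on secret, a check on topsecret passes over secret's denial and appears to be granted by news. `$has_denials` only reflects role parents; the resource side needs a matching stop, for instance `if($this->hasDenials($role, $inherit, $privilege)) break;` placed after the match check inside the inner loop, assuming hasDenials reports explicit denials for exactly that resource. A three-level resource test would pin the intended precedence. The enclosing function starts outside the hunk.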
Modified: 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php
===================================================================
--- 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php 2008-07-30 10:24:47 UTC (rev 7135)
+++ 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php 2008-07-30 12:37:30 UTC (rev 7136)
@@ -245,10 +245,7 @@
$this->assertTrue($acl->hasAllows('user'));
}
- /**
- *@todo
- */
- function TODO_testResourceInherits_WithPrivelegies()
+ function testResourceInherits_WithPrivelegies()
{
$acl = new lmbAcl();
$acl->addRole('user');
@@ -260,4 +257,23 @@
$this->assertTrue($acl->isAllowed('user', 'secret', 'view'));
}
+
+ function testResourceInheritsAndRoleInheritsOverlap()
+ {
+ $acl = new lmbAcl();
+ $acl->addRole('user');
+ $acl->addRole('fbi', 'user');
+
+ $acl->addResource('news');
+ $acl->addResource('secret', 'news');
+
+ $acl->allow('user', 'news', 'view');
+ $acl->deny('user', 'secret', 'view');
+
+ $this->assertTrue($acl->isAllowed('user', 'news', 'view'));
+ $this->assertFalse($acl->isAllowed('user', 'secret', 'view'));
+ $this->assertTrue($acl->isAllowed('fbi', 'news', 'view'));
+ // role inherits and resource inherits conflict, role inherits should have the priority
+ $this->assertFalse($acl->isAllowed('fbi', 'secret', 'view'));
+ }
}
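Review bot: The added test pins only the case where the denial sits on a role parent and the allow on a resource parent. It does not cover a role with two parents that disagree; the role loop in lmbAcl returns on the first matching parent, so `$has_denials` never affects that outcome. It also does not cover a role with no rules and no parents, which presumably should be refused on both resources. Assertions such as `$this->assertFalse($acl->isAllowed('guest', 'secret', 'view'));` for a constructed role 'guest' registered without rules would document the default and the precedence described in the commit log.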