[limb-svn] r7137 - in 3.x/trunk/limb/acl: src tests/cases

svn at limb-project.com svn at limb-project.com
Thu Jul 31 17:17:21 MSD 2008


Author: conf
Date: 2008-07-31 17:17:21 +0400 (Thu, 31 Jul 2008)
New Revision: 7137
URL: http://fisheye.limb-project.com/changelog/limb/?cs=7137

Modified:
   3.x/trunk/limb/acl/src/lmbAcl.class.php
   3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php
Log:
-- fixed bug with simultaneous rule and resource inheritance
-- added logging in debug mode
-- added tests

Modified: 3.x/trunk/limb/acl/src/lmbAcl.class.php
===================================================================
--- 3.x/trunk/limb/acl/src/lmbAcl.class.php	2008-07-30 12:37:30 UTC (rev 7136)
+++ 3.x/trunk/limb/acl/src/lmbAcl.class.php	2008-07-31 13:17:21 UTC (rev 7137)
@@ -16,6 +16,7 @@
 {
   protected $_not_found_policy_allow;
   protected $_inherits_policy_allow;
+  protected $_debug = false;
   
   protected $_roles = array();
   protected $_resources = array();
@@ -259,21 +260,18 @@
       return ($rule === $this->_getResourceRule($role, $resource));
 
     if($this->_isExistRoleRule($role, $privilege))
-      return ($rule === $this->_getRoleRule($role, $privilege));
-      
-    $has_denials = false;
+      return ($rule === $this->_getRoleRule($role, $privilege));      
+        
     foreach($this->getRoleInherits($role) as $inherit)
-    {
-      $has_denials = $this->hasDenials($inherit, $resource, $privilege) || $has_denials;
-      if($rule === $this->isAllowed($inherit, $resource, $privilege))
+      if($this->_hasRule($rule, $inherit, $resource, $privilege))
         return true;
-    }
-    
-    // check resource inherits only if role inherits does NOT have any denials
-    if(!is_null($resource) && !$has_denials)
+        
+    if(!is_null($resource))
       foreach($this->getResourceInherits($resource) as $inherit)
-        if($rule === $this->isAllowed($role, $inherit, $privilege))
-          return true;                 
+        if($this->_hasRule($rule, $role, $inherit, $privilege))
+        // if no conficts with this rule, apply resource inheritance
+          if (!$this->_hasRule(!$rule, $role, $resource, $privilege))
+            return true;
       
     return false;
   }
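Review bot: The resource-inheritance branch at the end of this hunk nests a braceless `foreach` and two braceless `if`s, with a comment wedged between the outer `if` and its body. That is fragile in code that decides whether access is granted: a statement later added under the wrong `if` would change which grants return true without any syntax error. Folding the two conditions into one states the intent directly, `if($this->_hasRule($rule, $role, $inherit, $privilege) && !$this->_hasRule(!$rule, $role, $resource, $privilege)) return true;`, with the comment moved above the `foreach`. The removed comment spelled out the precedence between role and resource inheritance, and the new code deserves an equally explicit one, e.g. `// a rule inherited from a parent resource applies only if the opposite rule does not hold for this role and resource`. The method's signature is outside the hunk, so it cannot be confirmed that the inner call re-enters this same body; if it does, check that the two opposite-rule lookups cannot keep calling each other when a role or resource has parents carrying both an allow and a deny.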
@@ -317,5 +315,16 @@
   {
     $this->setRule($role, $resource, $privileges, false);
   }
-
+  
+  function log($message)
+  {
+    if ($this->_debug) {
+      echo $message . "\n";
+    }
+  }
+  
+  function setDebugMode($mode)
+  {
+    $this->_debug = $mode;
+  }
 }
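Review bot: `log()` writes with `echo`, so once debug mode is switched on its messages go straight into the page output. For an ACL class those messages are likely to name roles, resources and decisions, which should not reach a client. Sending them to the server log instead, `error_log($message);`, keeps the diagnostics without exposing them. `setDebugMode()` stores whatever it is given, so `$this->_debug = (bool) $mode;` would keep the flag a real boolean. Both methods would also benefit from a short docblock saying that debug mode is off by default and intended for development only.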

Modified: 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php
===================================================================
--- 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php	2008-07-30 12:37:30 UTC (rev 7136)
+++ 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php	2008-07-31 13:17:21 UTC (rev 7137)
@@ -276,4 +276,41 @@
     // role inherits and resource inherits conflict, role inherits should have the priority
     $this->assertFalse($acl->isAllowed('fbi', 'secret', 'view'));
   }
+  
+  function testHasAllowsAndHasDenialsWithResourceAndRoleInherits()
+  {    
+    $acl = $this->acl;
+    
+    $acl->addRole('caveman');
+    $acl->addRole('russian', 'caveman');
+    
+    $acl->addResource('food');
+    $acl->addResource('meat', 'food');
+    
+    $acl->addResource('water');
+    $acl->addResource('vodka', 'water');
+    
+    $acl->allow('caveman', 'food');
+    $acl->allow('russian', 'water');
+
+    $this->assertFalse($acl->hasDenials('caveman', 'food'));
+    $this->assertFalse($acl->hasDenials('caveman', 'meat'));
+    $this->assertFalse($acl->hasDenials('caveman', 'water'));  
+    $this->assertFalse($acl->hasDenials('caveman', 'vodka')); // fixed here
+    
+    $this->assertFalse($acl->hasDenials('russian', 'food'));
+    $this->assertFalse($acl->hasDenials('russian', 'meat'));
+    $this->assertFalse($acl->hasDenials('russian', 'water'));
+    $this->assertFalse($acl->hasDenials('russian', 'vodka')); // here
+
+    $this->assertTrue($acl->hasAllows('caveman', 'food'));
+    $this->assertTrue($acl->hasAllows('caveman', 'meat'));
+    $this->assertFalse($acl->hasAllows('caveman', 'water'));
+    $this->assertFalse($acl->hasAllows('caveman', 'vodka'));
+    
+    $this->assertTrue($acl->hasAllows('russian', 'food'));
+    $this->assertTrue($acl->hasAllows('russian', 'meat'));
+    $this->assertTrue($acl->hasAllows('russian', 'water'));
+    $this->assertTrue($acl->hasAllows('russian', 'vodka')); // and here
+  }
 }
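Review bot: Every rule in the new test is an allow, so the conflict check this commit adds to the resource-inheritance path (the `!$this->_hasRule(!$rule, ...)` call in lmbAcl.class.php) is never exercised with an actual opposing rule. The `hasDenials` assertions only confirm that nothing is reported as denied when no denial exists. A further case that places a deny rule on `caveman` for `water` and asserts the intended `hasAllows`/`hasDenials` results for `russian` on `vodka` would pin down which inheritance path wins when the two disagree. The trailing comments `// fixed here`, `// here` and `// and here` would read better if they named the path under test, for example `// allowed through resource parent water` on the last assertion.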


