[limb-svn] r7023 - in 3.x/trunk/limb/acl: src tests/cases
svn at limb-project.com
svn at limb-project.com
Sat May 17 15:22:27 MSD 2008
Author: korchasa
Date: 2008-05-17 15:22:26 +0400 (Sat, 17 May 2008)
New Revision: 7023
URL: http://fisheye.limb-project.com/changelog/limb/?cs=7023
Added:
3.x/trunk/limb/acl/tests/cases/lmbAclAllowsAcceptanceTest.class.php
3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php
Modified:
3.x/trunk/limb/acl/src/lmbAcl.class.php
3.x/trunk/limb/acl/tests/cases/lmbAclTest.class.php
Log:
-- split test files
-- fix error in rule combinations between inherits and self role rules
-- add default policy for the case when no rule is found
Modified: 3.x/trunk/limb/acl/src/lmbAcl.class.php
===================================================================
--- 3.x/trunk/limb/acl/src/lmbAcl.class.php 2008-05-16 14:47:42 UTC (rev 7022)
+++ 3.x/trunk/limb/acl/src/lmbAcl.class.php 2008-05-17 11:22:26 UTC (rev 7023)
@@ -14,13 +14,18 @@
class lmbAcl
{
+ protected $_default_policy;
+
protected $_roles = array();
protected $_resources = array();
public $_roles_rules = array();
public $_resources_rules = array();
- public $_privileges_rules = array();
+ public $_privileges_rules = array();
- function __construct() {}
+ function __construct($default_policy = false)
+ {
+ $this->_default_policy = $default_policy;
+ }
function addRole($role, $parents = array())
{
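Review bot: The new constructor stores `$default_policy` exactly as passed and the last hunk of this file returns it straight from `isAllowed()`, so any truthy non-boolean (for example the string `'false'` read from configuration) makes the ACL fail open. Only a real boolean true should be able to switch to default-allow: `$this->_default_policy = ($default_policy === true);`. A docblock on the constructor should also say that `true` means a request with no matching rule is allowed. The class body continues outside this hunk.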
@@ -111,7 +116,7 @@
if(!array_key_exists($role, $this->_roles_rules))
return false;
if(is_array($this->_roles_rules[$role]))
- return in_array($privilege, $this->_roles_rules[$role]);
+ return array_key_exists($privilege, $this->_roles_rules[$role]);
return true;
}
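Review bot: The switch to `array_key_exists` implies `$this->_roles_rules[$role]` is now a map keyed by privilege rather than a list of privilege names, but nothing in the visible lines records that shape. The property is declared `public`, so outside code can still store the old list form, and this check would then silently report that no rule exists. A comment above the check would help, for example `// _roles_rules[$role] is either one rule for every privilege or a map privilege => rule`. The method starts outside this hunk, so the code that writes these entries (presumably `setRule`) could not be checked here.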
@@ -216,12 +221,8 @@
$role = $role->getRole();
if(!$this->isRoleExist($role))
- throw new lmbAclException('Role not exist', array('role' => $role));
+ throw new lmbAclException('Role not exist', array('role' => $role));
- foreach($this->getRoleInherits($role) as $inherit)
- if($this->isAllowed($inherit, $resource, $privilege))
- return true;
-
if($this->_isExistPrivilegeRule($role, $resource, $privilege))
return $this->_getPrivilegeRule($role, $resource, $privilege);
@@ -231,7 +232,11 @@
if($this->_isExistRoleRule($role, $privilege))
return $this->_getRoleRule($role, $privilege);
- return false;
+ foreach($this->getRoleInherits($role) as $inherit)
+ if($this->isAllowed($inherit, $resource, $privilege))
+ return true;
+
+ return $this->_default_policy;
}
function setRule($role, $resource = null, $privileges = array(), $rule)
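Review bot: With the inherit loop now followed by `return $this->_default_policy;`, an explicit deny on a parent role is indistinguishable from "no rule found". As far as the visible lines show, `new lmbAcl(true)` would therefore allow a child role whose parent was explicitly denied: the recursive call returns false, the loop falls through, and the default-allow is returned. The lookup needs a third state, so that the default applies only when neither the role nor any ancestor has a matching rule. The sketch below keeps the behaviour the new tests pin, where an allowing parent wins over a denying one. The lines between this hunk and the previous one are not shown, so the own-rule lookups are only summarised, and `_resolveRule` is a proposed helper name, not existing API.

```php
// proposed helper: true/false when a rule matched, null when none did
protected function _resolveRule($role, $resource, $privilege)
{
  // … unchanged: own privilege / resource / role rule lookups, each returning its rule …

  $found = null;
  foreach($this->getRoleInherits($role) as $inherit)
  {
    $rule = $this->_resolveRule($inherit, $resource, $privilege);
    if($rule === true)
      return true;
    if($rule === false)
      $found = false; // remember an inherited deny so the default cannot override it
  }
  return $found;
}

// in isAllowed(), after the role/resource existence checks:
$rule = $this->_resolveRule($role, $resource, $privilege);
return ($rule === null) ? $this->_default_policy : $rule;
```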
Added: 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsAcceptanceTest.class.php
===================================================================
--- 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsAcceptanceTest.class.php (rev 0)
+++ 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsAcceptanceTest.class.php 2008-05-17 11:22:26 UTC (rev 7023)
@@ -0,0 +1,147 @@
+<?php
+/*
+* Limb PHP Framework
+*
+* @link http://limb-project.com
+* @copyright Copyright © 2004-2007 BIT(http://bit-creative.com)
+* @license LGPL http://www.gnu.org/copyleft/lesser.html
+*/
+lmb_require('limb/acl/src/lmbAcl.class.php');
+
+class lmbAclAllowsAcceptanceTest extends UnitTestCase
+{
+ function testAcceptance()
+ {
+ $acl = new lmbAcl();
+
+ $acl->addResource('content');
+
+ $acl->addRole('guest');
+ $acl->addRole('staff', 'guest');
+ $acl->addRole('editor', 'staff');
+ $acl->addRole('administrator');
+
+ // Guest may only view content
+ $acl->allow('guest', null, 'view');
+
+ // Staff inherits view privilege from guest, but also needs additional privileges
+ $acl->allow('staff', null, array('edit', 'submit', 'revise'));
+
+ // Editor inherits view, edit, submit, and revise privileges, but also needs additional privileges
+ $acl->allow('editor', null, array('publish', 'archive', 'delete'));
+
+ // Administrator inherits nothing but is allowed all privileges
+ $acl->allow('administrator');
+
+ // Access control checks based on above permission sets
+
+ $this->assertTrue($acl->isAllowed('guest', 'content', 'view'));
+ $this->assertFalse($acl->isAllowed('guest', 'content', 'edit'));
+ $this->assertFalse($acl->isAllowed('guest', 'content', 'submit'));
+ $this->assertFalse($acl->isAllowed('guest', 'content', 'revise'));
+ $this->assertFalse($acl->isAllowed('guest', 'content', 'publish'));
+ $this->assertFalse($acl->isAllowed('guest', 'content', 'archive'));
+ $this->assertFalse($acl->isAllowed('guest', 'content', 'delete'));
+ $this->assertFalse($acl->isAllowed('guest', 'content', 'unknown'));
+ $this->assertFalse($acl->isAllowed('guest'));
+
+ $this->assertTrue($acl->isAllowed('staff', 'content', 'view'));
+ $this->assertTrue($acl->isAllowed('staff', 'content', 'edit'));
+ $this->assertTrue($acl->isAllowed('staff', 'content', 'submit'));
+ $this->assertTrue($acl->isAllowed('staff', 'content', 'revise'));
+ $this->assertFalse($acl->isAllowed('staff', 'content', 'publish'));
+ $this->assertFalse($acl->isAllowed('staff', 'content', 'archive'));
+ $this->assertFalse($acl->isAllowed('staff', 'content', 'delete'));
+ $this->assertFalse($acl->isAllowed('staff', 'content', 'unknown'));
+ $this->assertFalse($acl->isAllowed('staff'));
+
+ $this->assertTrue($acl->isAllowed('editor', 'content', 'view'));
+ $this->assertTrue($acl->isAllowed('editor', 'content', 'edit'));
+ $this->assertTrue($acl->isAllowed('editor', 'content', 'submit'));
+ $this->assertTrue($acl->isAllowed('editor', 'content', 'revise'));
+ $this->assertTrue($acl->isAllowed('editor', 'content', 'publish'));
+ $this->assertTrue($acl->isAllowed('editor', 'content', 'archive'));
+ $this->assertTrue($acl->isAllowed('editor', 'content', 'delete'));
+ $this->assertFalse($acl->isAllowed('editor', 'content', 'unknown'));
+ $this->assertFalse($acl->isAllowed('editor'));
+
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'view'));
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'edit'));
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'submit'));
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'revise'));
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'publish'));
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'archive'));
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'delete'));
+ $this->assertTrue($acl->isAllowed('administrator', 'content', 'unknown'));
+ $this->assertTrue($acl->isAllowed('administrator'));
+
+ // Some checks on specific areas, which inherit access controls from the root ACL node
+ $acl->addResource('newsletter');
+ $acl->addResource('pending', 'newsletter');
+ $acl->addResource('gallery');
+ $acl->addResource('profiles', 'gallery');
+ $acl->addResource('config');
+ $acl->addResource('hosts', 'config');
+
+ $this->assertTrue($acl->isAllowed('guest', 'pending', 'view'));
+ $this->assertTrue($acl->isAllowed('staff', 'profiles', 'revise'));
+ $this->assertTrue($acl->isAllowed('staff', 'pending', 'view'));
+ $this->assertTrue($acl->isAllowed('staff', 'pending', 'edit'));
+ $this->assertFalse($acl->isAllowed('staff', 'pending', 'publish'));
+ $this->assertFalse($acl->isAllowed('staff', 'pending'));
+ $this->assertFalse($acl->isAllowed('editor', 'hosts', 'unknown'));
+ $this->assertTrue($acl->isAllowed('administrator', 'pending'));
+
+ // Add a new group, marketing, which bases its permissions on staff
+ $acl->addRole('marketing', 'staff');
+
+ // Refine the privilege sets for more specific needs
+
+ // Allow marketing to publish and archive newsletters
+ $acl->allow('marketing', 'newsletter', array('publish', 'archive'));
+
+ // Allow marketing to publish and archive latest news
+ $acl->addResource('news');
+ $acl->addResource('latest', 'news');
+ $acl->allow('marketing', 'latest', array('publish', 'archive'));
+
+ // Deny staff (and marketing, by inheritance) rights to revise latest news
+ $acl->deny('staff', 'latest', 'revise');
+
+ $acl->addResource('announcement', 'news');
+
+ $this->assertTrue($acl->isAllowed('marketing', 'content', 'view'));
+ $this->assertTrue($acl->isAllowed('marketing', 'content', 'edit'));
+ $this->assertTrue($acl->isAllowed('marketing', 'content', 'submit'));
+ $this->assertTrue($acl->isAllowed('marketing', 'content', 'revise'));
+ $this->assertFalse($acl->isAllowed('marketing', 'content', 'publish'));
+ $this->assertFalse($acl->isAllowed('marketing', 'content', 'archive'));
+ $this->assertFalse($acl->isAllowed('marketing', 'content', 'delete'));
+ $this->assertFalse($acl->isAllowed('marketing', 'content', 'unknown'));
+ $this->assertFalse($acl->isAllowed('marketing'));
+
+ $this->assertTrue($acl->isAllowed('marketing', 'newsletter', 'publish'));
+ $this->assertFalse($acl->isAllowed('staff', 'pending', 'publish'));
+ $this->assertTrue($acl->isAllowed('marketing', 'newsletter', 'archive'));
+ $this->assertFalse($acl->isAllowed('marketing', 'newsletter', 'delete'));
+ $this->assertFalse($acl->isAllowed('marketing', 'newsletter'));
+
+ $this->assertTrue($acl->isAllowed('marketing', 'latest', 'publish'));
+ $this->assertTrue($acl->isAllowed('marketing', 'latest', 'archive'));
+ $this->assertFalse($acl->isAllowed('marketing', 'latest', 'delete'));
+ $this->assertFalse($acl->isAllowed('marketing', 'latest', 'revise'));
+ $this->assertFalse($acl->isAllowed('marketing', 'latest'));
+
+ $this->assertFalse($acl->isAllowed('marketing', 'announcement', 'archive'));
+ $this->assertFalse($acl->isAllowed('staff', 'announcement', 'archive'));
+
+ $this->assertFalse($acl->isAllowed('staff', 'latest', 'publish'));
+
+ $acl->allow('marketing', 'latest');
+
+ $this->assertTrue($acl->isAllowed('marketing', 'latest', 'archive'));
+ $this->assertTrue($acl->isAllowed('marketing', 'latest', 'publish'));
+ $this->assertTrue($acl->isAllowed('marketing', 'latest', 'edit'));
+ $this->assertTrue($acl->isAllowed('marketing', 'latest'));
+ }
+}
\ No newline at end of file
Added: 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php
===================================================================
--- 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php (rev 0)
+++ 3.x/trunk/limb/acl/tests/cases/lmbAclAllowsTest.class.php 2008-05-17 11:22:26 UTC (rev 7023)
@@ -0,0 +1,204 @@
+<?php
+/*
+* Limb PHP Framework
+*
+* @link http://limb-project.com
+* @copyright Copyright © 2004-2007 BIT(http://bit-creative.com)
+* @license LGPL http://www.gnu.org/copyleft/lesser.html
+*/
+lmb_require('limb/acl/src/lmbAcl.class.php');
+
+class lmbAclAllowsTest extends UnitTestCase
+{
+ /**
+ * @var lmbAcl
+ */
+ public $acl;
+
+ function setUp()
+ {
+ $this->acl = new lmbAcl();
+ }
+
+ function _createUserSpyAndSecret()
+ {
+ $acl = new lmbAcl();
+ $acl->addRole('user');
+ $acl->addRole('spy', 'user');
+
+ $acl->addResource('secret');
+
+ return $acl;
+ }
+
+ function testIsAllowedNonExistent()
+ {
+ $this->acl->addRole('guest');
+ $this->acl->addResource('news');
+
+ try {
+ $this->acl->isAllowed('guest', 'not exist', 'view');
+ $this->fail();
+ } catch (lmbAclException $e) {
+ $this->pass();
+ }
+
+ try {
+ $this->acl->isAllowed('not exist', 'news', 'view');
+ $this->fail();
+ } catch (lmbAclException $e) {
+ $this->pass();
+ }
+
+ try {
+ $this->acl->isAllowed('guest', 'news', 'view');
+ $this->pass();
+ } catch (lmbAclException $e) {
+ $this->fail();
+ }
+ }
+
+ function testDefaultDeny()
+ {
+ $this->acl->addRole('guest');
+ $this->acl->addResource('news');
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
+ }
+
+ function testDefaultPolicy()
+ {
+ $acl = new lmbAcl($default_policy = true);
+ $acl->addRole('guest');
+ $acl->addResource('news');
+ $this->assertTrue($acl->isAllowed('guest', 'news', 'view'));
+ }
+
+ function testAllowAndDenyOnPrivelege()
+ {
+ $this->acl->addRole('guest');
+ $this->acl->addResource('news');
+ $this->acl->allow('guest', 'news', 'view');
+ $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
+ $this->acl->deny('guest', 'news', 'view');
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
+ }
+
+ function testAllowAndDenyOnResource()
+ {
+ $this->acl->addRole('guest');
+ $this->acl->addResource('news');
+ $this->acl->allow('guest', 'news');
+ $this->assertTrue($this->acl->isAllowed('guest', 'news'));
+ $this->acl->deny('guest', 'news');
+ $this->assertFalse($this->acl->isAllowed('guest', 'news'));
+ }
+
+ function testAllowAndDenyOnRole()
+ {
+ $this->acl->addRole('admin');
+ $this->acl->allow('admin');
+ $this->assertTrue($this->acl->isAllowed('admin'));
+ $this->acl->deny('admin');
+ $this->assertFalse($this->acl->isAllowed('admin'));
+ }
+
+ function testAllowAndDenyOnRoleForAllResource()
+ {
+ $this->acl->addRole('guest');
+ $this->acl->addResource('news');
+ $this->acl->allow('guest', null, 'view');
+ $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
+ $this->acl->deny('guest', null, 'view');
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
+ }
+
+ function testAllowAndDenyLevelsCombinations()
+ {
+ $this->acl->addRole('guest');
+ $this->acl->addResource('news');
+ $this->acl->addResource('articles');
+
+ $this->acl->allow('guest');
+ $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
+ $this->assertTrue($this->acl->isAllowed('guest', 'news', 'add'));
+
+ $this->acl->deny('guest', 'news');
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
+
+ $this->acl->allow('guest', 'news', 'view');
+ $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
+
+ $this->acl->deny('guest', 'news');
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
+ $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
+
+ $this->acl->allow('guest');
+ $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
+ $this->assertTrue($this->acl->isAllowed('guest', 'news', 'add'));
+
+ }
+
+ function testAllowAndDenyWithInherits_RoleLevelRules()
+ {
+ $acl = $this->_createUserSpyAndSecret();
+
+ $acl->allow('user');
+ $acl->deny('spy');
+
+ $this->assertTrue($acl->isAllowed('user'));
+ $this->assertFalse($acl->isAllowed('spy'));
+ }
+
+ function testAllowAndDenyWithInherits_ResourceLevelRules()
+ {
+ $acl = $this->_createUserSpyAndSecret();
+
+ $acl->allow('user', 'secret');
+ $acl->deny('spy', 'secret');
+
+ $this->assertTrue($acl->isAllowed('user', 'secret'));
+ $this->assertFalse($acl->isAllowed('spy', 'secret'));
+ }
+
+ function testAllowAndDenyWithInherits_PrivelegesLevelRules()
+ {
+ $acl = $this->_createUserSpyAndSecret();
+
+ $acl->allow('user', 'secret', 'view');
+ $acl->deny('spy', 'secret', 'view');
+
+ $this->assertTrue($acl->isAllowed('user', 'secret', 'view'));
+ $this->assertFalse($acl->isAllowed('spy', 'secret', 'view'));
+ }
+
+ function testAllowAndDenyWithInherits_PrivelegesWithoutResource()
+ {
+ $acl = $this->_createUserSpyAndSecret();
+
+ $acl->allow('user', null, 'view');
+ $acl->deny('spy', null, 'view');
+
+ $this->assertTrue($acl->isAllowed('user', 'secret', 'view'));
+ $this->assertFalse($acl->isAllowed('spy', 'secret', 'view'));
+ }
+
+ function testAllowAndDenyWithInherits_AllowingIndependedFromInheritsDefinition()
+ {
+ $acl = new lmbAcl();
+
+ $acl->addRole('user');
+ $acl->addRole('intruder');
+
+ $acl->addRole('firstly user', array('user', 'intruder'));
+ $acl->addRole('firstly intruder', array('intruder', 'user'));
+
+ $acl->allow('user');
+ $acl->deny('intruder');
+
+ $this->assertTrue($acl->isAllowed('firstly user'));
+ $this->assertTrue($acl->isAllowed('firstly intruder'));
+ }
+}
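Review bot: `testDefaultPolicy` exercises `new lmbAcl(true)` only for a role with no rules at all, so nothing pins how default-allow interacts with inherited rules, which is the combination this commit changes in `isAllowed()`. A case where the parent is explicitly denied and the child has no rule of its own would show whether a deny survives the permissive default. Separately, `testAllowAndDenyWithInherits_AllowingIndependedFromInheritsDefinition` fixes "an allowing parent beats a denying parent" as the contract. That is a permissive choice and deserves a one-line comment in the test saying it is intended.

```php
function testDefaultAllowDoesNotOverrideInheritedDeny()
{
  $acl = new lmbAcl(true);
  $acl->addRole('user');
  $acl->addRole('spy', 'user');
  $acl->addResource('secret');

  $acl->deny('user', 'secret', 'view');

  $this->assertFalse($acl->isAllowed('spy', 'secret', 'view'));
}
```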
Modified: 3.x/trunk/limb/acl/tests/cases/lmbAclTest.class.php
===================================================================
--- 3.x/trunk/limb/acl/tests/cases/lmbAclTest.class.php 2008-05-16 14:47:42 UTC (rev 7022)
+++ 3.x/trunk/limb/acl/tests/cases/lmbAclTest.class.php 2008-05-17 11:22:26 UTC (rev 7023)
@@ -19,7 +19,7 @@
{
$this->acl = new lmbAcl();
}
-
+
function testAddAndGetRoles()
{
$this->assertIdentical(count($this->acl->getRoles()), 0);
@@ -57,7 +57,7 @@
function testRoleInheritsMultiple()
{
- $acl = $this->acl;
+ $acl = new lmbAcl();
$acl->addRole('guest');
$acl->addRole('member');
@@ -79,7 +79,7 @@
function testResourceInherits()
{
- $acl = $this->acl;
+ $acl = new lmbAcl();
$acl->addResource('content');
$this->assertIdentical($acl->getResourceInherits('content'), array());
@@ -105,7 +105,7 @@
function testResourceInheritsMultiple()
{
- $acl = $this->acl;
+ $acl = new lmbAcl();
$acl->addResource('content');
$acl->addResource('articles');
@@ -114,260 +114,5 @@
$inherits = $acl->getResourceInherits('news');
$this->assertTrue(in_array('articles', $inherits));
$this->assertTrue(in_array('content', $inherits));
- }
-
- function testIsAllowedNonExistent()
- {
- $this->acl->addRole('guest');
- $this->acl->addResource('news');
-
- try {
- $this->acl->isAllowed('guest', 'not exist', 'view');
- $this->fail();
- } catch (lmbAclException $e) {
- $this->pass();
- }
-
- try {
- $this->acl->isAllowed('not exist', 'news', 'view');
- $this->fail();
- } catch (lmbAclException $e) {
- $this->pass();
- }
-
- try {
- $this->acl->isAllowed('guest', 'news', 'view');
- $this->pass();
- } catch (lmbAclException $e) {
- $this->fail();
- }
- }
-
- function testDefaultDeny()
- {
- $this->acl->addRole('guest');
- $this->acl->addResource('news');
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
- }
-
- function testAllowAndDenyOnPrivelege()
- {
- $this->acl->addRole('guest');
- $this->acl->addResource('news');
- $this->acl->allow('guest', 'news', 'view');
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
- $this->acl->deny('guest', 'news', 'view');
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
- }
-
- function testAllowAndDenyOnResource()
- {
- $this->acl->addRole('guest');
- $this->acl->addResource('news');
- $this->acl->allow('guest', 'news');
- $this->assertTrue($this->acl->isAllowed('guest', 'news'));
- $this->acl->deny('guest', 'news');
- $this->assertFalse($this->acl->isAllowed('guest', 'news'));
- }
-
- function testAllowAndDenyOnRole()
- {
- $this->acl->addRole('admin');
- $this->acl->allow('admin');
- $this->assertTrue($this->acl->isAllowed('admin'));
- $this->acl->deny('admin');
- $this->assertFalse($this->acl->isAllowed('admin'));
- }
-
- function testAllowAndDenyOnRoleForAllResource()
- {
- $this->acl->addRole('guest');
- $this->acl->addResource('news');
- $this->acl->allow('guest', null, 'view');
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
- $this->acl->deny('guest', null, 'view');
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
- }
-
- function testAllowAndDenyLevelsCombinations()
- {
- $this->acl->addRole('guest');
- $this->acl->addResource('news');
- $this->acl->addResource('articles');
-
- $this->acl->allow('guest');
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'add'));
-
- $this->acl->deny('guest', 'news');
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
-
- $this->acl->allow('guest', 'news', 'view');
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
-
- $this->acl->deny('guest', 'news');
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'view'));
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'add'));
-
- $this->acl->allow('guest');
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'add'));
-
- }
-
- function testAllowAndDenyWithInherits()
- {
- $this->acl->addRole('guest');
- $this->acl->addRole('member', 'guest');
-
- $this->acl->addResource('news');
-
- $this->acl->allow('guest', 'news', 'view');
- $this->acl->allow('member', 'news', 'vote');
-
- $this->assertTrue($this->acl->isAllowed('guest', 'news', 'view'));
- $this->assertFalse($this->acl->isAllowed('guest', 'news', 'vote'));
-
- $this->assertTrue($this->acl->isAllowed('member', 'news', 'view'));
- $this->assertTrue($this->acl->isAllowed('member', 'news', 'vote'));
- }
-
- function testBlackBoxTest()
- {
- $acl = $this->acl;
-
- $acl->addResource('content');
-
- $acl->addRole('guest');
- $acl->addRole('staff', 'guest');
- $acl->addRole('editor', 'staff');
- $acl->addRole('administrator');
-
- // Guest may only view content
- $acl->allow('guest', null, 'view');
-
- // Staff inherits view privilege from guest, but also needs additional privileges
- $acl->allow('staff', null, array('edit', 'submit', 'revise'));
-
- // Editor inherits view, edit, submit, and revise privileges, but also needs additional privileges
- $acl->allow('editor', null, array('publish', 'archive', 'delete'));
-
- // Administrator inherits nothing but is allowed all privileges
- $acl->allow('administrator');
-
- // Access control checks based on above permission sets
-
- $this->assertTrue($acl->isAllowed('guest', 'content', 'view'));
- $this->assertFalse($acl->isAllowed('guest', 'content', 'edit'));
- $this->assertFalse($acl->isAllowed('guest', 'content', 'submit'));
- $this->assertFalse($acl->isAllowed('guest', 'content', 'revise'));
- $this->assertFalse($acl->isAllowed('guest', 'content', 'publish'));
- $this->assertFalse($acl->isAllowed('guest', 'content', 'archive'));
- $this->assertFalse($acl->isAllowed('guest', 'content', 'delete'));
- $this->assertFalse($acl->isAllowed('guest', 'content', 'unknown'));
- $this->assertFalse($acl->isAllowed('guest'));
-
- $this->assertTrue($acl->isAllowed('staff', 'content', 'view'));
- $this->assertTrue($acl->isAllowed('staff', 'content', 'edit'));
- $this->assertTrue($acl->isAllowed('staff', 'content', 'submit'));
- $this->assertTrue($acl->isAllowed('staff', 'content', 'revise'));
- $this->assertFalse($acl->isAllowed('staff', 'content', 'publish'));
- $this->assertFalse($acl->isAllowed('staff', 'content', 'archive'));
- $this->assertFalse($acl->isAllowed('staff', 'content', 'delete'));
- $this->assertFalse($acl->isAllowed('staff', 'content', 'unknown'));
- $this->assertFalse($acl->isAllowed('staff'));
-
- $this->assertTrue($acl->isAllowed('editor', 'content', 'view'));
- $this->assertTrue($acl->isAllowed('editor', 'content', 'edit'));
- $this->assertTrue($acl->isAllowed('editor', 'content', 'submit'));
- $this->assertTrue($acl->isAllowed('editor', 'content', 'revise'));
- $this->assertTrue($acl->isAllowed('editor', 'content', 'publish'));
- $this->assertTrue($acl->isAllowed('editor', 'content', 'archive'));
- $this->assertTrue($acl->isAllowed('editor', 'content', 'delete'));
- $this->assertFalse($acl->isAllowed('editor', 'content', 'unknown'));
- $this->assertFalse($acl->isAllowed('editor'));
-
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'view'));
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'edit'));
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'submit'));
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'revise'));
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'publish'));
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'archive'));
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'delete'));
- $this->assertTrue($acl->isAllowed('administrator', 'content', 'unknown'));
- $this->assertTrue($acl->isAllowed('administrator'));
-
- // Some checks on specific areas, which inherit access controls from the root ACL node
- $acl->addResource('newsletter');
- $acl->addResource('pending', 'newsletter');
- $acl->addResource('gallery');
- $acl->addResource('profiles', 'gallery');
- $acl->addResource('config');
- $acl->addResource('hosts', 'config');
-
- $this->assertTrue($acl->isAllowed('guest', 'pending', 'view'));
- $this->assertTrue($acl->isAllowed('staff', 'profiles', 'revise'));
- $this->assertTrue($acl->isAllowed('staff', 'pending', 'view'));
- $this->assertTrue($acl->isAllowed('staff', 'pending', 'edit'));
- $this->assertFalse($acl->isAllowed('staff', 'pending', 'publish'));
- $this->assertFalse($acl->isAllowed('staff', 'pending'));
- $this->assertFalse($acl->isAllowed('editor', 'hosts', 'unknown'));
- $this->assertTrue($acl->isAllowed('administrator', 'pending'));
-
- // Add a new group, marketing, which bases its permissions on staff
- $acl->addRole('marketing', 'staff');
-
- // Refine the privilege sets for more specific needs
-
- // Allow marketing to publish and archive newsletters
- $acl->allow('marketing', 'newsletter', array('publish', 'archive'));
-
- // Allow marketing to publish and archive latest news
- $acl->addResource('news');
- $acl->addResource('latest', 'news');
- $acl->allow('marketing', 'latest', array('publish', 'archive'));
-
- // Deny staff (and marketing, by inheritance) rights to revise latest news
- $acl->deny('staff', 'latest', 'revise');
-
- $acl->addResource('announcement', 'news');
-
- $this->assertTrue($acl->isAllowed('marketing', 'content', 'view'));
- $this->assertTrue($acl->isAllowed('marketing', 'content', 'edit'));
- $this->assertTrue($acl->isAllowed('marketing', 'content', 'submit'));
- $this->assertTrue($acl->isAllowed('marketing', 'content', 'revise'));
- $this->assertFalse($acl->isAllowed('marketing', 'content', 'publish'));
- $this->assertFalse($acl->isAllowed('marketing', 'content', 'archive'));
- $this->assertFalse($acl->isAllowed('marketing', 'content', 'delete'));
- $this->assertFalse($acl->isAllowed('marketing', 'content', 'unknown'));
- $this->assertFalse($acl->isAllowed('marketing'));
-
- $this->assertTrue($acl->isAllowed('marketing', 'newsletter', 'publish'));
- $this->assertFalse($acl->isAllowed('staff', 'pending', 'publish'));
- $this->assertTrue($acl->isAllowed('marketing', 'newsletter', 'archive'));
- $this->assertFalse($acl->isAllowed('marketing', 'newsletter', 'delete'));
- $this->assertFalse($acl->isAllowed('marketing', 'newsletter'));
-
- $this->assertTrue($acl->isAllowed('marketing', 'latest', 'publish'));
- $this->assertTrue($acl->isAllowed('marketing', 'latest', 'archive'));
- $this->assertFalse($acl->isAllowed('marketing', 'latest', 'delete'));
- $this->assertFalse($acl->isAllowed('marketing', 'latest', 'revise'));
- $this->assertFalse($acl->isAllowed('marketing', 'latest'));
-
- $this->assertFalse($acl->isAllowed('marketing', 'announcement', 'archive'));
- $this->assertFalse($acl->isAllowed('staff', 'announcement', 'archive'));
-
- $this->assertFalse($acl->isAllowed('staff', 'latest', 'publish'));
-
- $acl->allow('marketing', 'latest');
-
- $this->assertTrue($acl->isAllowed('marketing', 'latest', 'archive'));
- $this->assertTrue($acl->isAllowed('marketing', 'latest', 'publish'));
- $this->assertTrue($acl->isAllowed('marketing', 'latest', 'edit'));
- $this->assertTrue($acl->isAllowed('marketing', 'latest'));
- }
-
+ }
}