EZP-29316: Add UrlAliasService policy checks (ezsystems#2358)

* EZP-29316: Add UrlAliasService policy checks

* EZP-29316: Add UrlAliasService policy checks - missing tests

* EZP-29316: Add UrlAliasService policy checks - CS

eZ/Publish/API/Repository/Tests/URLAliasServiceAuthorizationTest.php

@@ -0,0 +1,103 @@
+<?php
+
+/**
+ * File containing the URLAliasServiceTest class.
+ *
+ * @copyright Copyright (C) eZ Systems AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+namespace eZ\Publish\API\Repository\Tests;
+
+class URLAliasServiceAuthorizationTest extends BaseTest
+{
+    /**
+     * Test for the createUrlAlias() method.
+     *
+     * @covers \eZ\Publish\API\Repository\URLAliasService::createUrlAlias()
+     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
+     * @depends \eZ\Publish\API\Repository\Tests\URLAliasServiceTest::testCreateUrlAlias
+     */
+    public function testCreateUrlAliasThrowsUnauthorizedException()
+    {
+        $repository = $this->getRepository();
+
+        $anonymousUserId = $this->generateId('user', 10);
+        $parentLocationId = $this->generateId('location', 2);
+        /* BEGIN: Use Case */
+        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
+        // Publish demo installation.
+        // $locationId is the ID of an existing location
+        $userService = $repository->getUserService();
+        $urlAliasService = $repository->getURLAliasService();
+        $locationService = $repository->getLocationService();
+
+        $location = $locationService->newLocationCreateStruct($parentLocationId);
+
+        $anonymousUser = $userService->loadUser($anonymousUserId);
+        $repository->getPermissionResolver()->setCurrentUserReference($anonymousUser);
+
+        // This call will fail with an UnauthorizedException
+        $urlAliasService->createUrlAlias($location, '/Home/My-New-Site', 'eng-US');
+        /* END: Use Case */
+    }
+
+    /**
+     * Test for the createGlobalUrlAlias() method.
+     *
+     * @covers \eZ\Publish\API\Repository\URLAliasService::createGlobalUrlAlias()
+     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
+     * @depends \eZ\Publish\API\Repository\Tests\URLAliasServiceTest::testCreateGlobalUrlAlias
+     */
+    public function testCreateGlobalUrlAliasThrowsUnauthorizedException()
+    {
+        $repository = $this->getRepository();
+
+        $anonymousUserId = $this->generateId('user', 10);
+        /* BEGIN: Use Case */
+        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
+        // Publish demo installation.
+        $userService = $repository->getUserService();
+        $urlAliasService = $repository->getURLAliasService();
+
+        $anonymousUser = $userService->loadUser($anonymousUserId);
+        $repository->getPermissionResolver()->setCurrentUserReference($anonymousUser);
+
+        // This call will fail with an UnauthorizedException
+        $urlAliasService->createGlobalUrlAlias('module:content/search?SearchText=eZ', '/Home/My-New-Site', 'eng-US');
+        /* END: Use Case */
+    }
+
+    /**
+     * Test for the removeAliases() method.
+     *
+     * @covers \eZ\Publish\API\Repository\URLAliasService::removeAliases()
+     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
+     * @depends \eZ\Publish\API\Repository\Tests\URLAliasServiceTest::testRemoveAliases
+     */
+    public function testRemoveAliasesThrowsUnauthorizedException()
+    {
+        $repository = $this->getRepository();
+        $anonymousUserId = $this->generateId('user', 10);
+
+        $locationService = $repository->getLocationService();
+        $someLocation = $locationService->loadLocation(
+            $this->generateId('location', 12)
+        );
+
+        /* BEGIN: Use Case */
+        // $someLocation contains a location with automatically generated
+        // aliases assigned
+        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
+        $urlAliasService = $repository->getURLAliasService();
+        $userService = $repository->getUserService();
+
+        $anonymousUser = $userService->loadUser($anonymousUserId);
+        $repository->getPermissionResolver()->setCurrentUserReference($anonymousUser);
+
+        $initialAliases = $urlAliasService->listLocationAliases($someLocation);
+
+        // This call will fail with an UnauthorizedException
+        $urlAliasService->removeAliases($initialAliases);
+        /* END: Use Case */
+    }
+}

eZ/Publish/API/Repository/URLAliasService.php

@@ -30,6 +30,7 @@ interface URLAliasService
      * @param bool $forwarding if true a redirect is performed
      * @param bool $alwaysAvailable
      *
+     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the user is not allowed to create url alias
      * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException if the path already exists for the given language
      *
      * @return \eZ\Publish\API\Repository\Values\Content\URLAlias
@@ -46,6 +47,8 @@ public function createUrlAlias(Location $location, $path, $languageCode, $forwar
      *
      * $alwaysAvailable makes the alias available in all languages.
      *
+     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the user is not allowed to create global
+     *          url alias
      * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException if the path already exists for the given
      *         language or if resource is not valid
      *
@@ -86,6 +89,7 @@ public function listGlobalAliases($languageCode = null, $offset = 0, $limit = -1
      *
      * This method does not remove autogenerated aliases for locations.
      *
+     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException if the user is not allowed to remove url alias
      * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException if alias list contains
      *         autogenerated alias
      *