Merge pull request #245 from robertpustulka/component-apply-scope

Add support for applyScope with missing identity in AuthorizationComponent

src/Controller/Component/AuthorizationComponent.php

@@ -18,7 +18,6 @@
 
 use Authorization\AuthorizationServiceInterface;
 use Authorization\Exception\ForbiddenException;
-use Authorization\Exception\MissingIdentityException;
 use Authorization\IdentityInterface;
 use Authorization\Policy\ResultInterface;
 use Cake\Controller\Component;
@@ -133,7 +132,7 @@ protected function performCheck($resource, ?string $action = null, string $metho
         }
 
         $identity = $this->getIdentity($request);
-        if (empty($identity)) {
+        if ($identity === null) {
             return $this->getService($request)->{$method}(null, $action, $resource);
         }
 
@@ -158,7 +157,7 @@ public function applyScope($resource, ?string $action = null)
         }
         $identity = $this->getIdentity($request);
         if ($identity === null) {
-            throw new MissingIdentityException('Identity must exist for applyScope() call.');
+            return $this->getService($request)->applyScope(null, $action, $resource);
         }
 
         return $identity->applyScope($action, $resource);

tests/TestCase/Controller/Component/AuthorizationComponentTest.php

@@ -253,6 +253,33 @@ public function testApplyScopeImplicitAction()
         $this->assertSame($query, $result);
     }
 
+    public function testApplyScopeNoUser()
+    {
+        $this->request = $this->request
+            ->withoutAttribute('identity');
+
+        $controller = new Controller($this->request);
+        $componentRegistry = new ComponentRegistry($controller);
+        $auth = new AuthorizationComponent($componentRegistry);
+
+        $articles = new ArticlesTable();
+        $query = $this->createMock(QueryInterface::class);
+        $query->method('getRepository')
+            ->willReturn($articles);
+
+        $query->expects($this->once())
+            ->method('where')
+            ->with([
+                'visibility' => 'public',
+            ])
+            ->willReturn($query);
+
+        $result = $auth->applyScope($query);
+
+        $this->assertInstanceOf(QueryInterface::class, $result);
+        $this->assertSame($query, $result);
+    }
+
     public function testApplyScopeMappedAction()
     {
         $articles = new ArticlesTable();
@@ -470,6 +497,20 @@ public function testCan()
         $this->assertFalse($this->Auth->can($article, 'delete'));
     }
 
+    public function testCanWithoutUser()
+    {
+        $this->request = $this->request
+            ->withoutAttribute('identity');
+
+        $controller = new Controller($this->request);
+        $componentRegistry = new ComponentRegistry($controller);
+        $auth = new AuthorizationComponent($componentRegistry);
+
+        $article = new Article(['user_id' => 1, 'visibility' => 'public']);
+        $this->assertFalse($auth->can($article, 'edit'));
+        $this->assertTrue($auth->can($article, 'view'));
+    }
+
     public function testCanWithResult()
     {
         $article = new Article(['user_id' => 1]);

tests/test_app/TestApp/Policy/ArticlePolicy.php

@@ -28,6 +28,10 @@ public function canAdd($user)
      */
     public function canEdit($user, Article $article)
     {
+        if ($user === null) {
+            return false;
+        }
+
         if (in_array($user['role'], ['admin', 'author'])) {
             return true;
         }

tests/test_app/TestApp/Policy/ArticlesTablePolicy.php

@@ -23,8 +23,14 @@ public function canModify(IdentityInterface $identity)
         return $identity['can_edit'];
     }
 
-    public function scopeEdit(IdentityInterface $user, QueryInterface $query)
+    public function scopeEdit(?IdentityInterface $user, QueryInterface $query)
     {
+        if ($user === null) {
+            return $query->where([
+                'visibility' => 'public',
+            ]);
+        }
+
         return $query->where([
             'user_id' => $user['id'],
         ]);