Allow for non-object resources in authorize

cakephp · Oct 31, 2018 · 578c100 · 578c100
1 parent 2c852bd
commit 578c100
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 1 deletion.
diff --git a/src/Controller/Component/AuthorizationComponent.php b/src/Controller/Component/AuthorizationComponent.php
@@ -69,7 +69,7 @@ public function authorize($resource, $action = null)
             return;
         }
 
-        throw new ForbiddenException([$action, get_class($resource)]);
+        throw new ForbiddenException([$action, is_object($resource) ? get_class($resource) : (is_string($resource) ? $resource : gettype($resource))]);
     }
 
     /**

diff --git a/tests/TestCase/Controller/Component/AuthorizationComponentTest.php b/tests/TestCase/Controller/Component/AuthorizationComponentTest.php
@@ -33,6 +33,7 @@
 use TestApp\Model\Table\ArticlesTable;
 use TestApp\Policy\ArticlePolicy;
 use TestApp\Policy\ArticlesTablePolicy;
+use TestApp\Policy\StringResolver;
 use UnexpectedValueException;
 
 /**
@@ -117,6 +118,28 @@ public function testAuthorizeFailedCheck()
         $this->Auth->authorize($article);
     }
 
+    public function testAuthorizeFailedCheckStringResolver()
+    {
+        // Reset the system to use the string resolver
+        $service = new AuthorizationService(new StringResolver());
+        $identity = new IdentityDecorator($service, ['can_index' => false]);
+        $request = new ServerRequest([
+            'params' => ['controller' => 'Articles', 'action' => 'index'],
+        ]);
+
+        $request = $request
+            ->withAttribute('authorization', $service)
+            ->withAttribute('identity', $identity);
+
+        $this->Controller = new Controller($request);
+        $this->ComponentRegistry = new ComponentRegistry($this->Controller);
+        $this->Auth = new AuthorizationComponent($this->ComponentRegistry);
+
+        $this->expectException(ForbiddenException::class);
+
+        $this->Auth->authorize('ArticlesTable');
+    }
+
     public function testAuthorizeSuccessCheckImplicitAction()
     {
         $article = new Article(['user_id' => 1]);
@@ -147,6 +170,26 @@ public function testAuthorizeSuccessCheckMappedAction()
         $this->assertNull($this->Auth->authorize($article));
     }
 
+    public function testAuthorizeSuccessCheckStringResolver()
+    {
+        // Reset the system to use the string resolver
+        $service = new AuthorizationService(new StringResolver());
+        $identity = new IdentityDecorator($service, ['can_index' => true]);
+        $request = new ServerRequest([
+            'params' => ['controller' => 'Articles', 'action' => 'index'],
+        ]);
+
+        $request = $request
+            ->withAttribute('authorization', $service)
+            ->withAttribute('identity', $identity);
+
+        $this->Controller = new Controller($request);
+        $this->ComponentRegistry = new ComponentRegistry($this->Controller);
+        $this->Auth = new AuthorizationComponent($this->ComponentRegistry);
+
+        $this->assertNull($this->Auth->authorize('ArticlesTable'));
+    }
+
     public function testApplyScopeImplicitAction()
     {
         $articles = new ArticlesTable();

diff --git a/tests/test_app/TestApp/Policy/ArticlesTablePolicy.php b/tests/test_app/TestApp/Policy/ArticlesTablePolicy.php
@@ -6,6 +6,11 @@
 
 class ArticlesTablePolicy
 {
+    public function canIndex(IdentityInterface $identity)
+    {
+        return $identity['can_index'];
+    }
+
     public function canEdit(IdentityInterface $identity)
     {
         return $identity['can_edit'];

diff --git a/tests/test_app/TestApp/Policy/StringResolver.php b/tests/test_app/TestApp/Policy/StringResolver.php
@@ -0,0 +1,47 @@
+<?php
+/**
+ * CakePHP(tm) : Rapid Development Framework (https://cakephp.org)
+ * Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
+ *
+ * Licensed under The MIT License
+ * For full copyright and license information, please see the LICENSE.txt
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
+ * @link          https://cakephp.org CakePHP(tm) Project
+ * @since         1.0.0
+ * @license       https://opensource.org/licenses/mit-license.php MIT License
+ */
+namespace TestApp\Policy;
+
+use Authorization\Policy\Exception\MissingPolicyException;
+use Authorization\Policy\ResolverInterface;
+use Cake\Core\App;
+use Cake\Datasource\EntityInterface;
+use Cake\Datasource\QueryInterface;
+use Cake\Datasource\RepositoryInterface;
+
+/**
+ * Very simple policy resolver that accepts string policy names.
+ */
+class StringResolver implements ResolverInterface
+{
+    /**
+     * Get a policy for a string.
+     *
+     * @param string $resource The resource.
+     * @return object
+     * @throws \Authorization\Policy\Exception\MissingPolicyException When a policy for the
+     *   resource has not been defined or cannot be resolved.
+     */
+    public function getPolicy($resource)
+    {
+        $policyClass = App::className('TestApp.' . $resource, 'Policy', 'Policy');
+
+        if ($policyClass === false) {
+            throw new MissingPolicyException([$resource]);
+        }
+
+        return new $policyClass();
+    }
+}