From 892a7e7666d85fa94a53f1bdcbc4087614510553 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Fri, 13 Feb 2015 13:16:47 +0000 Subject: [PATCH 01/27] Cake3 Authorization --- src/Auth/TinyAuthorize.php | 190 ++++++++++++++++++++++++++----------- 1 file changed, 136 insertions(+), 54 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 8a165cc9..16b7ac95 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php @@ -41,18 +41,18 @@ class TinyAuthorize extends BaseAuthorize { protected $_acl = null; - protected $_defaultConfig = array( - 'superadminRole' => null, // quick way to allow access to every action + protected $_defaultConfig = [ + 'adminRole' => null, // needed together with adminPrefix if allowAdmin is enabled + 'superAdminRole' => null, // quick way to allow access to every action 'allowUser' => false, // quick way to allow user access to non prefixed urls 'allowAdmin' => false, // quick way to allow admin access to admin prefixed urls - 'adminPrefix' => 'admin_', - 'adminRole' => null, // needed together with adminPrefix if allowAdmin is enabled + 'adminPrefix' => 'admin', 'cache' => AUTH_CACHE, 'cacheKey' => 'tiny_auth_acl', 'autoClearCache' => false, // usually done by Cache automatically in debug mode, 'aclTable' => 'Roles', // only for multiple roles per user (HABTM) 'aclKey' => 'role_id', // only for single roles per user (BT) - ); + ]; /** * TinyAuthorize::__construct() @@ -60,7 +60,8 @@ class TinyAuthorize extends BaseAuthorize { * @param ComponentRegistry $registry * @param array $config */ - public function __construct(ComponentRegistry $registry, array $config = array()) { + public function __construct(ComponentRegistry $registry, array $config = array()) + { $config += $this->_defaultConfig; parent::__construct($registry, $config); 
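Review bot: Renaming the config key `superadminRole` to `superAdminRole` (and changing `adminPrefix` from `admin_` to `admin`) silently disables an existing super-admin grant: the constructor hunk below merges with `$config += $this->_defaultConfig;`, so a legacy `'superadminRole' => 9` survives as an unknown key that `validate()` never reads and the operator simply loses the shortcut with no signal. That fails closed, but a security-relevant key should not go dark quietly; after the merge add `if (array_key_exists('superadminRole', $config)) { trigger_error('TinyAuthorize: config key "superadminRole" was renamed to "superAdminRole"', E_USER_DEPRECATED); }` (or map the old value over). The `adminPrefix` comment should also say it now has to equal the Cake 3 routing prefix in `$request->params['prefix']`, not an action-name prefix as before, e.g. `// routing prefix (params['prefix']) that allowAdmin applies to`. The `_defaultConfig` array and the constructor both continue outside this hunk.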
@@ -81,7 +82,8 @@ public function __construct(ComponentRegistry $registry, array $config = array() * @param Cake\Network\Request $request The request needing authorization. * @return bool Success */ - public function authorize($user, Request $request) { + public function authorize($user, Request $request) + { if (isset($user[$this->_config['aclTable']])) { if (isset($user[$this->_config['aclTable']][0]['id'])) { $roles = Hash::extract($user[$this->_config['aclTable']], '{n}.id'); @@ -97,8 +99,7 @@ public function authorize($user, Request $request) { trigger_error(sprintf('Missing acl information (%s) in user session', $acl)); $roles = array(); } - - return $this->validate($roles, $request->params['plugin'], $request->params['controller'], $request->params['action']); + return $this->validate($roles, $request); } /** 
@@ -111,42 +112,51 @@ public function authorize($user, Request $request) { * @param string $action * @return bool Success */ - public function validate($roles, $plugin, $controller, $action) { - $action = Inflector::underscore($action); - $controller = Inflector::underscore($controller); - $plugin = Inflector::underscore($plugin); + //public function validate($roles, $plugin, $controller, $action) { + public function validate($roles, Request $request) + { + // construct the iniKey and iniMap for easy lookups + $iniKey = $this->constructIniKey($request); + $availableRoles = Configure::read($this->_config['aclTable']); + // allow logged in users access to all actions except prefixed + // @todo: this logic is based on the config description above, could + // possibly be changed to allow all prefixes as well except /admin if (!empty($this->_config['allowUser'])) { - // all user actions are accessable for logged in users - if (mb_strpos($action, $this->_config['adminPrefix']) !== 0) { + if (empty($request->params['prefix'])) { return true; } } + + // allow access to all /admin prefixed actions for users belonging to + // the specified adminRole. 
if (!empty($this->_config['allowAdmin']) && !empty($this->_config['adminRole'])) { - // all admin actions are accessable for logged in admins - if (mb_strpos($action, $this->_config['adminPrefix']) === 0) { - if (in_array((string)$this->_config['adminRole'], $roles)) { + if (!empty($request->params['prefix']) && $request->params['prefix'] === $this->_config['adminPrefix']) { + $adminRoleId = $availableRoles[$this->_config['adminRole']]; + if (in_array($adminRoleId, $roles)) { return true; } } } - if ($this->_acl === null) { - $this->_acl = $this->_getAcl(); - } - - // allow_all check - if (!empty($this->_config['superadminRole'])) { + // allow logged in super admins access to all resources + if (!empty($this->_config['superAdminRole'])) { + $superAdminRoleId = $availableRoles[$this->_config['superAdminRole']]; foreach ($roles as $role) { - if ($role == $this->_config['superadminRole']) { + if ($role == $superAdminRoleId) { return true; } } } - // controller wildcard - if (isset($this->_acl[$controller]['*'])) { - $matchArray = $this->_acl[$controller]['*']; + // generate ACL if not already set + if ($this->_acl === null) { + $this->_acl = $this->_getAcl(); + } + + // allow access if user has a role with wildcard access to the resource + if (isset($this->_acl[$iniKey]['actions']['*'])) { + $matchArray = $this->_acl[$iniKey]['actions']['*']; if (in_array('-1', $matchArray)) { return true; } 
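Review bot: `$adminRoleId = $availableRoles[$this->_config['adminRole']]` treats `adminRole` as an alias key of the role map, yet the tests on this page configure it as an id (`'adminRole' => 3`), and `$availableRoles` is read from Configure before `_getAcl()` runs (the tests `Configure::delete('Roles')` and rely on `_getAcl()` to repopulate it), so in both situations the lookup yields null plus a notice. The following `in_array($adminRoleId, $roles)` is non-strict and `in_array(null, ...)` is true for any falsy role entry (`0`, `''`, `null`, `false`), so a session whose role value is `0` or empty would be granted every admin-prefixed action; the super-admin branch's loose `$role == $superAdminRoleId` has the same weakness. Resolve the role once, skip the shortcut when it cannot be resolved instead of matching against null, compare strictly on normalised strings, and call `_getAcl()` (which loads the role map into Configure) before reading `$availableRoles`. `validate()` continues past this hunk.

```php
// … unchanged: allowUser shortcut …
if (!empty($this->_config['allowAdmin']) && !empty($this->_config['adminRole'])) {
    if (!empty($request->params['prefix']) && $request->params['prefix'] === $this->_config['adminPrefix']) {
        // accept an alias (key of the role map) or a bare id; an unresolved value must not
        // grant anything, so the shortcut is skipped rather than compared against null
        $adminRoleId = null;
        if (is_array($availableRoles) && isset($availableRoles[$this->_config['adminRole']])) {
            $adminRoleId = $availableRoles[$this->_config['adminRole']];
        } elseif (is_array($availableRoles) && in_array((string)$this->_config['adminRole'], array_map('strval', $availableRoles), true)) {
            $adminRoleId = $this->_config['adminRole'];
        }
        if ($adminRoleId !== null && in_array((string)$adminRoleId, array_map('strval', $roles), true)) {
            return true;
        }
    }
}
// … unchanged: superAdminRole check, using the same (string) === comparison …
```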
@@ -157,21 +167,20 @@ public function validate($roles, $plugin, $controller, $action) { } } - // specific controller/action - if (!empty($controller) && !empty($action)) { - if (array_key_exists($controller, $this->_acl) && !empty($this->_acl[$controller][$action])) { - $matchArray = $this->_acl[$controller][$action]; + // allow access if user has been granted access to the specific resource + $action = Inflector::underscore($request->action); + if(array_key_exists($action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$action])) { + $matchArray = $this->_acl[$iniKey]['actions'][$action]; - // direct access? (even if he has no roles = GUEST) - if (in_array('-1', $matchArray)) { - return true; - } + // direct access? (even if he has no roles = GUEST) + if (in_array('-1', $matchArray)) { + return true; + } - // normal access (rolebased) - foreach ($roles as $role) { - if (in_array((string)$role, $matchArray)) { - return true; - } + // normal access (rolebased) + foreach ($roles as $role) { + if (in_array((string)$role, $matchArray)) { + return true; } } } @@ -181,7 +190,8 @@ public function validate($roles, $plugin, $controller, $action) { /** * @return Cake\ORM\Table The User table */ - public function getTable() { + public function getTable() + { return TableRegistry::get(CLASS_USER); } @@ -195,18 +205,19 @@ public function getTable() { * @param string $path * @return array Roles */ - protected function _getAcl($path = null) { + protected function _getAcl($path = null) + { if ($path === null) { $path = ROOT . DS . 'config' . DS; } - $res = array(); if ($this->_config['autoClearCache'] && Configure::read('debug') > 0) { Cache::delete($this->_config['cacheKey'], $this->_config['cache']); } if (($roles = Cache::read($this->_config['cacheKey'], $this->_config['cache'])) !== false) { return $roles; } + if (!file_exists($path . ACL_FILE)) { touch($path . ACL_FILE); } 
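Review bot: `array_key_exists($action, $this->_acl[$iniKey]['actions'])` dereferences `$this->_acl[$iniKey]` without checking that acl.ini has a section for the request's controller; for an unlisted controller this raises an undefined-index notice and hands null to `array_key_exists()` (a warning and a falsy result on PHP 5, a TypeError on PHP 8), so a missing section can become an error page instead of a clean deny. The `!empty()` clause already implies the key exists and is null-safe on every level, so the guard can simply be `if (!empty($this->_acl[$iniKey]['actions'][$action])) {`; the `'*'` wildcard check above uses `isset()` and is fine. As a style point the file writes `if (` with a space everywhere else. `validate()`'s tail, including its final return, falls between this hunk and the next.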
@@ -234,39 +245,44 @@ protected function _getAcl($path = null) { return array(); } + $res = []; foreach ($iniArray as $key => $array) { - list($plugin, $controllerName) = pluginSplit($key); - $controllerName = Inflector::underscore($controllerName); + $key = $this->normalizeIniKey($key); + $res[$key] = $this->deconstructIniKey($key); foreach ($array as $actions => $roles) { - $actions = explode(',', $actions); + // get all roles used in the current ini section $roles = explode(',', $roles); + $actions = explode(',', $actions); - foreach ($roles as $key => $role) { + foreach ($roles as $roleId => $role) { if (!($role = trim($role))) { continue; } + // prevent undefined roles appearing in the iniMap + if (!array_key_exists($role, $availableRoles) && $role != '*') { + unset($roles[$roleId]); + continue; + } if ($role === '*') { - unset($roles[$key]); + unset($roles[$roleId]); $roles = array_merge($roles, array_keys(Configure::read($this->_config['aclTable']))); } } + // process actions foreach ($actions as $action) { if (!($action = trim($action))) { continue; } $actionName = Inflector::underscore($action); - foreach ($roles as $role) { if (!($role = trim($role)) || $role === '*') { continue; } $newRole = Configure::read($this->_config['aclTable'] . '.' . strtolower($role)); - if (!empty($res[$controllerName][$actionName]) && in_array((string)$newRole, $res[$controllerName][$actionName])) { - continue; - } - $res[$controllerName][$actionName][] = $newRole; + $res[$key]['actions'][$actionName][] = $newRole; + } } } 
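Review bot: The new filter `if (!array_key_exists($role, $availableRoles) && $role != '*')` checks the raw ini role name, while the grant below resolves it with `Configure::read(... . strtolower($role))`, so a role spelled `Admin` in acl.ini, which the old code resolved, is now silently dropped and the grant disappears with no error. Normalise in the filter as well, `if (!array_key_exists(strtolower($role), $availableRoles) && $role !== '*') {`, and `trigger_error()` for a dropped role so a typo is noticed instead of turning into a quiet deny. Note also that `'*'` is expanded with `array_keys(Configure::read(...))`, i.e. every alias in the role map including a `public => -1` pseudo-role (testGetAcl on this page expects `add => [1, 2, 3, -1]`), which makes `*` mean "everyone, guests included"; say so where it is expanded: `// '*' = every alias in the role map, including any public/guest pseudo-role such as -1`. `$availableRoles` is used here but assigned outside the hunk, presumably earlier in `_getAcl()`; removing the old duplicate check also means a role listed twice is pushed twice, harmless for `in_array` but worth an `array_unique()` before the result is cached.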
@@ -275,4 +291,70 @@ protected function _getAcl($path = null) { return $res; } + /** + * Conforms a user specified ACL ini section key to CakePHP conventions. + * This way internal $_acl has correct naming for controllers etc + this + * prevents possible casing problems. + * + * @todo: not changing prefix yet, is the casing user definable? + * + * @param string INI section key as found in acl.ini + * @return string String converted to use cake conventions + */ + protected function normalizeIniKey($key) + { + $iniMap = $this->deconstructIniKey($key); + $res = Inflector::camelize($iniMap['controller']); + if (!empty($iniMap['prefix'])) { + $res = strtolower($iniMap['prefix']) . "/$res"; + } + if (!empty($iniMap['plugin'])) { + $res = Inflector::camelize($iniMap['plugin']) . ".$res"; + } + return $res; + } + + /** + * Deconstructs an ACL ini section key into a named array with ACL parts + * + * @param string INI section key as found in acl.ini + * @return array Hash with named keys for controller, plugin and prefix + */ + protected function deconstructIniKey($key) + { + $res = [ + 'plugin' => null, + 'prefix' => null + ]; + + if (strpos($key, '.') !== false) { + list($plugin, $key) = explode('.', $key); + $res['plugin'] = Inflector::camelize($plugin); + } + if (strpos($key, '/') !== false) { + list($res['prefix'], $key) = explode('/', $key); + $res['prefix'] = strtolower($res['prefix']); + } + $res['controller'] = Inflector::camelize($key); + return $res; + } + + /** + * Constructs an ACL ini section key from a given CakeRequest + * + * @param Cake\Network\Request $request The request needing authorization. + * @return array Hash with named keys for controller, plugin and prefix + */ + protected function constructIniKey(Request $request) + { + $res = $request->params['controller']; + if (!empty($request->params['prefix'])) { + $res = $request->params['prefix'] . "/$res"; + } + if (!empty($request->params['plugin'])) { + $res = $request->params['plugin'] . 
".$res"; + } + return $res; + } + } From dffafcff4cd0beeb2b1c34e197d59f3faac71065 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Fri, 13 Feb 2015 13:47:50 +0000 Subject: [PATCH 02/27] Fixes acl-identifier casing --- src/Auth/TinyAuthorize.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 16b7ac95..761b126f 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php @@ -169,6 +169,8 @@ public function validate($roles, Request $request) // allow access if user has been granted access to the specific resource $action = Inflector::underscore($request->action); + pr($iniKey); + if(array_key_exists($action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$action])) { $matchArray = $this->_acl[$iniKey]['actions'][$action]; @@ -287,6 +289,7 @@ protected function _getAcl($path = null) } } } + //pr($res); Cache::write($this->_config['cacheKey'], $res, $this->_config['cache']); return $res; } @@ -347,12 +350,12 @@ protected function deconstructIniKey($key) */ protected function constructIniKey(Request $request) { - $res = $request->params['controller']; + $res = Inflector::camelize($request->params['controller']); if (!empty($request->params['prefix'])) { - $res = $request->params['prefix'] . "/$res"; + $res = strtolower($request->params['prefix']) . "/$res"; } if (!empty($request->params['plugin'])) { - $res = $request->params['plugin'] . ".$res"; + $res = Inflector::camelize($request->params['plugin']) . ".$res"; } return $res; } From f0c20513a83c40a25835df27fe22ae0f447dd842 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Fri, 13 Feb 2015 13:49:36 +0000 Subject: [PATCH 03/27] Removes debugging --- src/Auth/TinyAuthorize.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 761b126f..aa4bf06b 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php 
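Review bot: `deconstructIniKey()` splits section names with `explode('.', $key)` and `explode('/', $key)` without a limit, so a section name containing a second `.` or `/` has its tail silently discarded by `list()` and the grant is attached to a different controller than the author wrote; pass a limit, `list($plugin, $key) = explode('.', $key, 2);` and `list($res['prefix'], $key) = explode('/', $key, 2);`, or reject such keys with `trigger_error()`. The docblock of `constructIniKey()` says `@return array Hash with named keys for controller, plugin and prefix` but the method returns the string key; it should read `@return string ACL ini section key for the request`. The `@param string INI section key ...` lines also lack the parameter name (`@param string $key ...`). The class closing brace is the last line of this hunk.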
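Review bot: After this fix `constructIniKey()` repeats the three inflections (`Inflector::camelize` on controller and plugin, `strtolower` on prefix) that `normalizeIniKey()` applies to the ini side; the two must stay byte-identical or a grant silently stops matching, which is exactly the bug this commit repairs. Have both build the key from one shared helper that takes `['plugin' => ..., 'prefix' => ..., 'controller' => ...]`, fed by `deconstructIniKey()` on the ini side and by `$request->params` on the request side, so the normalisation cannot drift again. Whether Cake's router already camelizes `params['controller']` before this runs cannot be told from the hunk; a shared helper keeps the lookup correct either way.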
@@ -169,8 +169,6 @@ public function validate($roles, Request $request)
 // allow access if user has been granted access to the specific resource
 $action = Inflector::underscore($request->action);
- pr($iniKey);
-
 if(array_key_exists($action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$action])) {
 $matchArray = $this->_acl[$iniKey]['actions'][$action];
From 7cdd9478096f7cc7adac95ebad2710628722252e Mon Sep 17 00:00:00 2001
From: bravo-kernel
Date: Fri, 13 Feb 2015 14:52:21 +0000
Subject: [PATCH 04/27] Fixes broken tests
---
 src/Auth/TinyAuthorize.php | 6 +-
 tests/TestCase/Auth/TinyAuthorizeTest.php | 293 +++++++++++++---------
 2 files changed, 172 insertions(+), 127 deletions(-)
diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php
index aa4bf06b..8eacfc52 100644
--- a/src/Auth/TinyAuthorize.php
+++ b/src/Auth/TinyAuthorize.php
@@ -43,7 +43,7 @@ class TinyAuthorize extends BaseAuthorize {
 protected $_defaultConfig = [
 'adminRole' => null, // needed together with adminPrefix if allowAdmin is enabled
- 'superAdminRole' => null, // quick way to allow access to every action
+ 'superAdminRole' => null, // id of the role to grant access to ALL resources
 'allowUser' => false, // quick way to allow user access to non prefixed urls
 'allowAdmin' => false, // quick way to allow admin access to admin prefixed urls
 'adminPrefix' => 'admin',
@@ -141,9 +141,8 @@ public function validate($roles, Request $request)
 // allow logged in super admins access to all resources
 if (!empty($this->_config['superAdminRole'])) {
- $superAdminRoleId = $availableRoles[$this->_config['superAdminRole']];
 foreach ($roles as $role) {
- if ($role == $superAdminRoleId) {
+ if ($role == $this->_config['superAdminRole']) {
 return true;
 }
 }
@@ -287,7 +286,6 @@ protected function _getAcl($path = null)
 }
 }
 }
- //pr($res);
 Cache::write($this->_config['cacheKey'], $res, $this->_config['cache']);
 return $res;
 }
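Review bot: `if ($role == $this->_config['superAdminRole'])` compares loosely; with `superAdminRole` an int, a session role value such as `'9abc'` or `true` compares equal on PHP 5/7, and an empty configured id would match `0`/`''` role entries. Normalise both sides and compare strictly: `if ((string)$role === (string)$this->_config['superAdminRole']) {`. Dropping the `$availableRoles` lookup here also makes `superAdminRole` an id while `adminRole`, resolved a few lines earlier in `validate()` (not in this diff; see PATCH 01 on this page), is still an alias key of the role map, so the two config comments should state which kind each expects. The enclosing `validate()` starts and ends outside this hunk.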
diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index 462c3469..245dc535 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -15,7 +15,7 @@ */ class TinyAuthorizeTest extends TestCase { - public $fixtures = array('core.users', 'core.auth_users', 'plugin.tiny_auth.roles'); + public $fixtures = ['core.users', 'core.auth_users', 'plugin.tiny_auth.roles']; public $Collection; @@ -39,8 +39,14 @@ public function setUp() { $aclData = <<assertTrue(file_exists(TMP . 'acl.ini')); - Configure::write('Roles', array('user' => 1, 'moderator' => 2, 'admin' => 3, 'public' => -1)); + Configure::write('Roles', [ + 'user' => 1, + 'moderator' => 2, + 'admin' => 3, + 'public' => -1 + ]); } public function tearDown() { @@ -68,11 +79,11 @@ public function tearDown() { * @return void */ public function testConstructor() { - $object = new TestTinyAuthorize($this->Collection, array( + $object = new TestTinyAuthorize($this->Collection, [ 'aclTable' => 'AuthRole', 'aclKey' => 'auth_role_id', 'autoClearCache' => true, - )); + ]); $this->assertEquals('AuthRole', $object->config('aclTable')); $this->assertEquals('auth_role_id', $object->config('aclKey')); } 
@@ -81,27 +92,51 @@ public function testConstructor() { * @return void */ public function testGetAcl() { - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); $res = $object->getAcl(); - $expected = array( - 'users' => array( - 'edit' => array(1), - 'admin_index' => array(3) - ), - 'comments' => array( - 'add' => array(1), - 'edit' => array(1), - 'delete' => array(1), - '*' => array(3), - ), - 'tags' => array( - 'add' => array(1, 2, 3, -1), - 'very_long_action_name_action' => array(1), - 'public_action' => array(-1) - ), - ); - //debug($res); + $expected = [ + 'Users' => [ + 'plugin' => null, + 'prefix' => null, + 'controller' => 'Users', + 'actions' => [ + 'index' => [1], + 'edit' => [1], + 'view' => [1], + '*' => [3] + ] + ], + 'admin/Users' => [ + 'plugin' => null, + 'prefix' => 'admin', + 'controller' => 'Users', + 'actions' => [ + '*' => [3] + ] + ], + 'Comments' => [ + 'plugin' => null, + 'prefix' => null, + 'controller' => 'Comments', + 'actions' => [ + 'add' => [1], + 'edit' => [1], + 'delete' => [1], + '*' => [3] + ] + ], + 'Tags' => [ + 'plugin' => null, + 'prefix' => null, + 'controller' => 'Tags', + 'actions' => [ + 'add' => [1, 2, 3, -1], + 'very_long_action_name_action' => [1], + 'public_action' => [-1] + ] + ] + ]; $this->assertEquals($expected, $res); } 
@@ -110,21 +145,21 @@ public function testGetAcl() { */ public function testBasicUserMethodDisallowed() { $this->request->params['controller'] = 'users'; - $this->request->params['action'] = 'edit'; + $this->request->params['action'] = 'add'; - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); $this->assertEquals('Roles', $object->config('aclTable')); $this->assertEquals('role_id', $object->config('aclKey')); - $user = array( - 'role_id' => 4, - ); + $user = [ + 'role_id' => 4 + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $user = array( - 'role_id' => 3, - ); + $user = [ + 'role_id' => 1 + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); } @@ -136,20 +171,20 @@ public function testBasicUserMethodAllowed() { $this->request->params['controller'] = 'users'; $this->request->params['action'] = 'edit'; - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // single role_id field in users table - $user = array( + $user = [ 'role_id' => 1, - ); + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); $this->request->params['action'] = 'admin_index'; - $user = array( + $user = [ 'role_id' => 3, - ); + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } 
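Review bot: `testBasicUserMethodAllowed` still sets `params['action'] = 'admin_index'` for role 3 and expects true, but under the Cake 3 prefix model this is just an unlisted action on `Users` and the assertion is satisfied by the `[Users]` `'*' => [3]` wildcard shown in testGetAcl, so no admin-prefixed request is exercised any more. Set `$this->request->params['prefix'] = 'admin';` and `$this->request->params['action'] = 'index';` as testUserMethodsAllowed does, and add a negative case (role 1 against `admin/Users`) so the prefix actually gates the outcome. The `testBasicUserMethodDisallowed` change to role 1 on `add` is correct but deserves a one-line comment, e.g. `// 'add' is not granted to role 1 in the fixture`.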
@@ -161,18 +196,18 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $this->request->params['controller'] = 'tags'; $this->request->params['action'] = 'very_long_action_name_action'; - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // single role_id field in users table - $user = array( - 'role_id' => 1, - ); + $user = [ + 'role_id' => 1 + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - $user = array( - 'role_id' => 3, - ); + $user = [ + 'role_id' => 3 + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); } @@ -184,19 +219,30 @@ public function testBasicUserMethodAllowedMultiRole() { $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'admin_index'; - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // flat list of roles - $user = array( - 'Roles' => array(1, 3), - ); + $user = [ + 'Roles' => [1, 3] + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); // verbose role defition using the new 2.x contain param for Auth - $user = array( - 'Roles' => array(array('id' => 1, 'RoleUsers' => array()), array('id' => 3, 'RoleUsers' => array())), - ); + $user = [ + 'Roles' => [ + ['id' => 1, 'RoleUsers' => []], + ['id' => 3, 'RoleUsers' => []] + ], + ]; + + + $user = [ + 'Roles' => [ + ['id' => 1, 'RoleUsers' => []], + ['id' => 3, 'RoleUsers' => []] + ] + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } 
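Review bot: In `testBasicUserMethodAllowedMultiRole` the verbose `$user` array (`['Roles' => [['id' => 1, ...], ['id' => 3, ...]]]`) is assigned twice in a row and only the second is authorised; the first block is dead code and should be deleted. The same test uses `action = 'admin_index'` without setting `params['prefix']`, so like `testBasicUserMethodAllowed` it is satisfied by the `[Users]` `'*' => [3]` wildcard from testGetAcl rather than by an admin-prefixed key. `testBasicUserMethodAllowedWithLongActionNames` is the one test in this hunk that exercises a specific per-action grant and a deny for another role, which is the pattern the others should follow.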
@@ -208,11 +254,11 @@ public function testBasicUserMethodAllowedWildcard() { $this->request->params['controller'] = 'Tags'; $this->request->params['action'] = 'public_action'; - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - $user = array( - 'role_id' => 6, - ); + $user = [ + 'role_id' => 6 + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } @@ -224,28 +270,29 @@ public function testUserMethodsAllowed() { $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'some_action'; - $object = new TestTinyAuthorize($this->Collection, array('allowUser' => true, 'autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['allowUser' => true, 'autoClearCache' => true]); - $user = array( - 'role_id' => 1, - ); + $user = [ + 'role_id' => 1 + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'admin_index'; + $this->request->params['prefix'] = 'admin'; + $this->request->params['action'] = 'index'; - $object = new TestTinyAuthorize($this->Collection, array('allowUser' => true, 'autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['allowUser' => true, 'autoClearCache' => true]); - $user = array( - 'role_id' => 1, - ); + $user = [ + 'role_id' => 1 + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $user = array( - 'role_id' => 3, - ); + $user = [ + 'role_id' => 3 + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } 
@@ -256,13 +303,13 @@ public function testUserMethodsAllowed() { public function testAdminMethodsAllowed() { $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'some_action'; - $config = array('allowAdmin' => true, 'adminRole' => 3, 'autoClearCache' => true); + $config = ['allowAdmin' => true, 'adminRole' => 3, 'autoClearCache' => true]; $object = new TestTinyAuthorize($this->Collection, $config); - $user = array( - 'role_id' => 1, - ); + $user = [ + 'role_id' => 1 + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); @@ -271,15 +318,15 @@ public function testAdminMethodsAllowed() { $object = new TestTinyAuthorize($this->Collection, $config); - $user = array( - 'role_id' => 1, - ); + $user = [ + 'role_id' => 1 + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $user = array( - 'role_id' => 3, - ); + $user = [ + 'role_id' => 3 + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } @@ -294,20 +341,20 @@ public function testBasicUserMethodAllowedPublically() { $this->request->params['controller'] = 'tags'; $this->request->params['action'] = 'add'; - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - $user = array( - 'role_id' => 2, - ); + $user = [ + 'role_id' => 2 + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); $this->request->params['controller'] = 'comments'; $this->request->params['action'] = 'foo'; - $user = array( - 'role_id' => 3, - ); + $user = [ + 'role_id' => 3 + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } 
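Review bot: `testAdminMethodsAllowed` configures `'adminRole' => 3` (an id) although `validate()` on this page resolves `adminRole` through the alias-keyed role map (`$availableRoles[$this->_config['adminRole']]`), and neither visible part of the test sets `params['prefix']`; unless the lines between the two hunks do, the allowAdmin branch is never entered and the role-3 `assertTrue` is satisfied by the `'*' => [3]` wildcard on `Users`/`admin/Users` from testGetAcl rather than by the shortcut. To prove the shortcut, set `$this->request->params['prefix'] = 'admin';`, use a role the ini does not grant on `admin/Users` (e.g. `'adminRole' => 'moderator'` with `'role_id' => 2`), and assert the same request is denied with `'allowAdmin' => false`. As written the test would not catch the alias/id mismatch.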
@@ -327,25 +374,25 @@ public function testWithRoleTable() { $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'edit'; - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // User role is 4 here, though. Also contains left joined Role date here just to check that it works, too. - $user = array( - 'Roles' => array( + $user = [ + 'Roles' => [ 'id' => '4', - 'alias' => 'user', - ), + 'alias' => 'user' + ], 'role_id' => 4, - ); + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); Configure::delete('Roles'); - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - $user = array( - 'role_id' => 6, - ); + $user = [ + 'role_id' => 6 + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); 
@@ -353,53 +400,53 @@ public function testWithRoleTable() { // Multi-role test - failure Configure::delete('Roles'); - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); - - $user = array( - 'Roles' => array( - array('id' => 7, 'alias' => 'user'), - array('id' => 8, 'alias' => 'partner'), - ) - ); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + + $user = [ + 'Roles' => [ + ['id' => 7, 'alias' => 'user'], + ['id' => 8, 'alias' => 'partner'] + ] + ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); $this->assertTrue((bool)(Configure::read('Roles'))); Configure::delete('Roles'); - $object = new TestTinyAuthorize($this->Collection, array('autoClearCache' => true)); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // Multi-role test - $user = array( - 'Roles' => array( - array('id' => 4, 'alias' => 'user'), - array('id' => 6, 'alias' => 'partner'), - ) - ); + $user = [ + 'Roles' => [ + ['id' => 4, 'alias' => 'user'], + ['id' => 6, 'alias' => 'partner'], + ] + ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } /** - * Tests superadmin role, allowed to all actions + * Tests superAdmin role, allowed to all actions * * @return void */ - public function testSuperadminRole() { - $object = new TestTinyAuthorize($this->Collection, array( + public function testSuperAdminRole() { + $object = new TestTinyAuthorize($this->Collection, [ 'autoClearCache' => true, - 'superadminRole' => 9 - )); + 'superAdminRole' => 9 + ]); $res = $object->getAcl(); - $user = array( - 'role_id' => 9, - ); - - foreach ($object->getAcl() as $controller => $actions) { - foreach ($actions as $action => $allowed) { - $this->request->params['controller'] = $controller; + $user = [ + 'role_id' => 9 + ]; + + foreach ($object->getAcl() as $resource) { + foreach ($resource['actions'] as $action => $allowed) { + $this->request->params['controller'] = 
$resource['controller']; + $this->request->params['prefix'] = $resource['prefix']; $this->request->params['action'] = $action; - $res = $object->authorize($user, $this->request); $this->assertTrue($res); } From 77ec5fa2bb7ecd42a3a190d1a8697a24c53ff2b9 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Fri, 13 Feb 2015 15:06:15 +0000 Subject: [PATCH 05/27] Removes newline function brackets --- src/Auth/TinyAuthorize.php | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 8eacfc52..4f9240c0 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php @@ -60,8 +60,7 @@ class TinyAuthorize extends BaseAuthorize { * @param ComponentRegistry $registry * @param array $config */ - public function __construct(ComponentRegistry $registry, array $config = array()) - { + public function __construct(ComponentRegistry $registry, array $config = array()) { $config += $this->_defaultConfig; parent::__construct($registry, $config); @@ -82,8 +81,7 @@ public function __construct(ComponentRegistry $registry, array $config = array() * @param Cake\Network\Request $request The request needing authorization. * @return bool Success */ - public function authorize($user, Request $request) - { + public function authorize($user, Request $request) { if (isset($user[$this->_config['aclTable']])) { if (isset($user[$this->_config['aclTable']][0]['id'])) { $roles = Hash::extract($user[$this->_config['aclTable']], '{n}.id'); @@ -113,8 +111,7 @@ public function authorize($user, Request $request) * @return bool Success */ //public function validate($roles, $plugin, $controller, $action) { - public function validate($roles, Request $request) - { + public function validate($roles, Request $request) { // construct the iniKey and iniMap for easy lookups $iniKey = $this->constructIniKey($request); $availableRoles = Configure::read($this->_config['aclTable']); 
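Review bot: `testSuperAdminRole` only iterates over resources that exist in acl.ini, so it never shows that role 9 is granted on a resource the ini does not mention, which is the documented contract (`id of the role to grant access to ALL resources`) and the reason the super-admin check runs before the ini lookup in `validate()`. Add one request for an unlisted controller, e.g. `$this->request->params['controller'] = 'Nonexistent'; $this->request->params['action'] = 'foo';` with the same role-9 user and `assertTrue`, plus a role-1 counterpart asserting false. `$res = $object->getAcl();` is assigned and never used, and the loop sets `prefix` from each resource but never resets `plugin`, which is only safe while the fixture has no plugin sections.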
@@ -189,8 +186,7 @@ public function validate($roles, Request $request) /** * @return Cake\ORM\Table The User table */ - public function getTable() - { + public function getTable() { return TableRegistry::get(CLASS_USER); } @@ -204,8 +200,7 @@ public function getTable() * @param string $path * @return array Roles */ - protected function _getAcl($path = null) - { + protected function _getAcl($path = null) { if ($path === null) { $path = ROOT . DS . 'config' . DS; } @@ -300,8 +295,7 @@ protected function _getAcl($path = null) * @param string INI section key as found in acl.ini * @return string String converted to use cake conventions */ - protected function normalizeIniKey($key) - { + protected function normalizeIniKey($key) { $iniMap = $this->deconstructIniKey($key); $res = Inflector::camelize($iniMap['controller']); if (!empty($iniMap['prefix'])) { @@ -319,8 +313,7 @@ protected function normalizeIniKey($key) * @param string INI section key as found in acl.ini * @return array Hash with named keys for controller, plugin and prefix */ - protected function deconstructIniKey($key) - { + protected function deconstructIniKey($key) { $res = [ 'plugin' => null, 'prefix' => null @@ -344,8 +337,7 @@ protected function deconstructIniKey($key) * @param Cake\Network\Request $request The request needing authorization. * @return array Hash with named keys for controller, plugin and prefix */ - protected function constructIniKey(Request $request) - { + protected function constructIniKey(Request $request) { $res = Inflector::camelize($request->params['controller']); if (!empty($request->params['prefix'])) { $res = strtolower($request->params['prefix']) . "/$res"; From 56d1a003fe61e65372854067ae8a8a962c1c3d5c Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Fri, 13 Feb 2015 15:08:30 +0000 Subject: [PATCH 06/27] Removes inflection for actions --- src/Auth/TinyAuthorize.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php
index 4f9240c0..ca8cff7d 100644
--- a/src/Auth/TinyAuthorize.php
+++ b/src/Auth/TinyAuthorize.php
@@ -164,9 +164,8 @@ public function validate($roles, Request $request) {
 }
 // allow access if user has been granted access to the specific resource
- $action = Inflector::underscore($request->action);
- if(array_key_exists($action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$action])) {
- $matchArray = $this->_acl[$iniKey]['actions'][$action];
+ if(array_key_exists($request->action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$request->action])) {
+ $matchArray = $this->_acl[$iniKey]['actions'][$request->action];
 // direct access? (even if he has no roles = GUEST)
 if (in_array('-1', $matchArray)) {
@@ -269,13 +268,12 @@ protected function _getAcl($path = null) {
 if (!($action = trim($action))) {
 continue;
 }
- $actionName = Inflector::underscore($action);
 foreach ($roles as $role) {
 if (!($role = trim($role)) || $role === '*') {
 continue;
 }
 $newRole = Configure::read($this->_config['aclTable'] . '.' . strtolower($role));
- $res[$key]['actions'][$actionName][] = $newRole;
+ $res[$key]['actions'][$action][] = $newRole;
 }
 }
From c34fe5e8c6a83f9e02d40b532428ead67d0b5e0a Mon Sep 17 00:00:00 2001
From: bravo-kernel
Date: Sun, 15 Feb 2015 11:04:42 +0000
Subject: [PATCH 07/27] Underscores protected functions as requested #discussion_r24676385
---
 src/Auth/TinyAuthorize.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php
index ca8cff7d..0e81b819 100644
--- a/src/Auth/TinyAuthorize.php
+++ b/src/Auth/TinyAuthorize.php
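Review bot: Removing `Inflector::underscore()` on both sides turns the action lookup into an exact, case-sensitive match between the acl.ini action name and `$request->params['action']`; an ini entry `view_all` no longer matches a `viewAll` action (or vice versa), and if the router passes the URL's action through unchanged, PHP's case-insensitive method dispatch can reach `edit()` while the ACL sees `Edit` — the outcome is a deny, so this fails closed, but it is a contract change acl.ini authors need to know. State it where the ini is parsed, e.g. `// action names must match $request->params['action'] exactly (case-sensitive); no inflection is applied`, and if case-insensitive matching is intended lower-case both sides instead. `$request->action` also relies on Request's magic getter; `$request->params['action']` is the explicit form used elsewhere in `validate()`. Both hunks sit inside functions that start and end outside the diff.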
@@ -113,7 +113,7 @@ public function authorize($user, Request $request) { //public function validate($roles, $plugin, $controller, $action) { public function validate($roles, Request $request) { // construct the iniKey and iniMap for easy lookups - $iniKey = $this->constructIniKey($request); + $iniKey = $this->_constructIniKey($request); $availableRoles = Configure::read($this->_config['aclTable']); // allow logged in users access to all actions except prefixed @@ -240,8 +240,8 @@ protected function _getAcl($path = null) { $res = []; foreach ($iniArray as $key => $array) { - $key = $this->normalizeIniKey($key); - $res[$key] = $this->deconstructIniKey($key); + $key = $this->_normalizeIniKey($key); + $res[$key] = $this->_deconstructIniKey($key); foreach ($array as $actions => $roles) { // get all roles used in the current ini section @@ -293,8 +293,8 @@ protected function _getAcl($path = null) { * @param string INI section key as found in acl.ini * @return string String converted to use cake conventions */ - protected function normalizeIniKey($key) { - $iniMap = $this->deconstructIniKey($key); + protected function _normalizeIniKey($key) { + $iniMap = $this->_deconstructIniKey($key); $res = Inflector::camelize($iniMap['controller']); if (!empty($iniMap['prefix'])) { $res = strtolower($iniMap['prefix']) . "/$res"; @@ -311,7 +311,7 @@ protected function normalizeIniKey($key) { * @param string INI section key as found in acl.ini * @return array Hash with named keys for controller, plugin and prefix */ - protected function deconstructIniKey($key) { + protected function _deconstructIniKey($key) { $res = [ 'plugin' => null, 'prefix' => null 
@@ -335,7 +335,7 @@ protected function deconstructIniKey($key) { * @param Cake\Network\Request $request The request needing authorization. * @return array Hash with named keys for controller, plugin and prefix */ - protected function constructIniKey(Request $request) { + protected function _constructIniKey(Request $request) { $res = Inflector::camelize($request->params['controller']); if (!empty($request->params['prefix'])) { $res = strtolower($request->params['prefix']) . "/$res"; From 1fcffc1eef263b1bf79de429e2b90e46b205e6e1 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Sun, 15 Feb 2015 12:53:16 +0000 Subject: [PATCH 08/27] Extends tests + fixes allowAdmin logic --- src/Auth/TinyAuthorize.php | 7 +- tests/TestCase/Auth/TinyAuthorizeTest.php | 385 ++++++++++++++++------ 2 files changed, 287 insertions(+), 105 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 0e81b819..0cb76256 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php @@ -44,9 +44,9 @@ class TinyAuthorize extends BaseAuthorize { protected $_defaultConfig = [ 'adminRole' => null, // needed together with adminPrefix if allowAdmin is enabled 'superAdminRole' => null, // id of the role to grant access to ALL resources - 'allowUser' => false, // quick way to allow user access to non prefixed urls + 'allowUser' => false, // quick way to allow ALL roles access to non prefixed urls 'allowAdmin' => false, // quick way to allow admin access to admin prefixed urls - 'adminPrefix' => 'admin', + 'adminPrefix' => 'admin', // must be defined in combination with allowAdmin 'cache' => AUTH_CACHE, 'cacheKey' => 'tiny_auth_acl', 'autoClearCache' => false, // usually done by Cache automatically in debug mode, 
@@ -129,8 +129,7 @@ public function validate($roles, Request $request) { // the specified adminRole. if (!empty($this->_config['allowAdmin']) && !empty($this->_config['adminRole'])) { if (!empty($request->params['prefix']) && $request->params['prefix'] === $this->_config['adminPrefix']) { - $adminRoleId = $availableRoles[$this->_config['adminRole']]; - if (in_array($adminRoleId, $roles)) { + if (in_array($this->_config['adminRole'], $roles)) { return true; } } diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index 245dc535..e349951d 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -37,24 +37,56 @@ public function setUp() { $this->request = new Request(); $aclData = <<assertTrue(file_exists(TMP . 'acl.ini')); @@ -103,8 +135,9 @@ public function testGetAcl() { 'actions' => [ 'index' => [1], 'edit' => [1], - 'view' => [1], - '*' => [3] + 'delete' => [3], + 'public_action' => [-1], + 'very_long_action_name_action' => [1] ] ], 'admin/Users' => [ @@ -112,7 +145,11 @@ public function testGetAcl() { 'prefix' => 'admin', 'controller' => 'Users', 'actions' => [ - '*' => [3] + 'index' => [1], + 'edit' => [1], + 'delete' => [3], + 'public_action' => [-1], + 'very_long_action_name_action' => [1] ] ], 'Comments' => [ @@ -120,10 +157,12 @@ public function testGetAcl() { 'prefix' => null, 'controller' => 'Comments', 'actions' => [ - 'add' => [1], + 'index' => [1], 'edit' => [1], - 'delete' => [1], - '*' => [3] + 'view' => [1], + '*' => [3], + 'public_action' => [-1], + 'very_long_action_name_action' => [1] ] ], 'Tags' => [ 
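Review bot: The replacement line compares the configured `adminRole` directly against the user's role ids, so `adminRole` is now an id rather than a name looked up in `$availableRoles`; the `_defaultConfig` comment for `adminRole` (outside this hunk) still only says it is needed with `adminPrefix` and should state the new contract, e.g. `'adminRole' => null, // id of the role granted access to all adminPrefix actions`, mirroring the `superAdminRole` comment. The `in_array()` is non-strict, which hides whether `$roles` arrive from the session as ints or strings, and a name left over from the old contract such as `'adminRole' => 'admin'` now silently never matches instead of raising the undefined-index notice the removed `$availableRoles[...]` lookup produced; a `trigger_error()` when the configured value is not numeric would surface that misconfiguration. `validate()` starts outside the hunk.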
@@ -131,12 +170,37 @@ public function testGetAcl() { 'prefix' => null, 'controller' => 'Tags', 'actions' => [ - 'add' => [1, 2, 3, -1], - 'very_long_action_name_action' => [1], - 'public_action' => [-1] + '*' => [1, 2, 3, -1] + ] + ], + 'Tags.Tags' => [ + 'plugin' => 'Tags', + 'prefix' => null, + 'controller' => 'Tags', + 'actions' => [ + 'index' => [1], + 'edit' => [1], + 'view' => [1], + '*' => [3], + 'public_action' => [-1], + 'very_long_action_name_action' => [1] + ] + ], + 'Tags.admin/Tags' => [ + 'plugin' => 'Tags', + 'prefix' => 'admin', + 'controller' => 'Tags', + 'actions' => [ + 'index' => [1], + 'edit' => [1], + 'view' => [1], + '*' => [3], + 'public_action' => [-1], + 'very_long_action_name_action' => [1] ] ] ]; + //debug($res); $this->assertEquals($expected, $res); } 
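Review bot: The added `//debug($res);` just before the `assertEquals` is a leftover debugging aid and should not land in the test. The new expectations also hard-code role ids (`1`, `3`, `-1`) that presumably come from the `Configure::write('Roles', ...)` fixture set up outside this hunk; a one-line comment above `$expected` such as `// role ids as written to Configure 'Roles' in setUp()` would tell a reader where those numbers come from.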
@@ -144,47 +208,118 @@ public function testGetAcl() { * @return void */ public function testBasicUserMethodDisallowed() { - $this->request->params['controller'] = 'users'; - $this->request->params['action'] = 'add'; - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); $this->assertEquals('Roles', $object->config('aclTable')); $this->assertEquals('role_id', $object->config('aclKey')); - $user = [ - 'role_id' => 4 - ]; + // test standard controller + $this->request->params['controller'] = 'users'; + $this->request->params['action'] = 'add'; + $user = ['role_id' => 4]; // invalid non-existing role $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $user = [ - 'role_id' => 1 - ]; + $user = ['role_id' => 1]; // valid role without authorization + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test standard controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + + $user = ['role_id' => 4]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test plugin controller without prefix + $this->request->params['plugin'] = 'tags'; + $this->request->params['controller'] = 'tags'; + $this->request->params['action'] = 'add'; + + $user = ['role_id' => 4]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test plugin controller with /admin prefix + $this->request->params['plugin'] = 'tags'; + $this->request->params['prefix'] = 'admin'; + $this->request->params['controller'] = 'tags'; + $this->request->params['action'] = 'add'; + + $user = ['role_id' => 4]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + $user = ['role_id' => 1]; $res = 
$object->authorize($user, $this->request); $this->assertFalse($res); } + /** * @return void */ public function testBasicUserMethodAllowed() { + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + + // test standard controller $this->request->params['controller'] = 'users'; $this->request->params['action'] = 'edit'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $this->request->params['action'] = 'delete'; + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); - // single role_id field in users table - $user = [ - 'role_id' => 1, - ]; + // test standard controller with /admin prefix + $this->request->params['controller'] = 'users'; + $this->request->params['prefix'] = 'admin'; + $this->request->params['action'] = 'edit'; + + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - $this->request->params['action'] = 'admin_index'; + $user = ['role_id' => 3]; + $this->request->params['action'] = 'delete'; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); - $user = [ - 'role_id' => 3, - ]; + // test plugin controller without prefix + $this->request->params['controller'] = 'tags'; + $this->request->params['plugin'] = 'tags'; + $this->request->params['action'] = 'index'; + + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $this->request->params['action'] = 'delete'; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + // test plugin controller with /admin prefix + $this->request->params['plugin'] = 'tags'; + $this->request->params['prefix'] = 'admin'; + $this->request->params['action'] = 'index'; + + $user = ['role_id' => 1]; + $res = 
$object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $this->request->params['action'] = 'delete'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } 
@@ -193,21 +328,48 @@ public function testBasicUserMethodAllowed() { * @return void */ public function testBasicUserMethodAllowedWithLongActionNames() { - $this->request->params['controller'] = 'tags'; + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + + // test standard controller + $this->request->params['controller'] = 'users'; $this->request->params['action'] = 'very_long_action_name_action'; - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); - // single role_id field in users table - $user = [ - 'role_id' => 1 - ]; + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test standard controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - $user = [ - 'role_id' => 3 - ]; + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test plugin controller without prefix + $this->request->params['controller'] = 'tags'; + $this->request->params['plugin'] = 'tags'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test plugin controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); } 
@@ -216,11 +378,11 @@ public function testBasicUserMethodAllowedWithLongActionNames() { * @return void */ public function testBasicUserMethodAllowedMultiRole() { - $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'admin_index'; - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $this->request->params['controller'] = 'Users'; + $this->request->params['action'] = 'delete'; + // flat list of roles $user = [ 'Roles' => [1, 3] 
@@ -251,101 +413,122 @@ public function testBasicUserMethodAllowedMultiRole() { * @return void */ public function testBasicUserMethodAllowedWildcard() { - $this->request->params['controller'] = 'Tags'; + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $user = ['role_id' => 6]; + + // test standard controller + $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'public_action'; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + // test standard controller with /admin prefiex + $this->request->params['prefix'] = 'admin'; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); - $user = [ - 'role_id' => 6 - ]; + // test plugin controller without prefix + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + // test plugin controller with /admin prefix + $this->request->params['prefix'] = 'admin'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } /** + * Tests with configuration setting 'allowUser' set to true, giving user + * access to all controller/actions except when prefixed with /admin + * + * @todo: discuss logic before completing, see code L120 + * * @return void */ public function testUserMethodsAllowed() { - $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'some_action'; - $object = new TestTinyAuthorize($this->Collection, ['allowUser' => true, 'autoClearCache' => true]); - $user = [ - 'role_id' => 1 - ]; + // test standard controller + $this->request->params['controller'] = 'Users'; + $this->request->params['action'] = 'unknown_action'; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - $this->request->params['controller'] = 
'Users'; - $this->request->params['prefix'] = 'admin'; - $this->request->params['action'] = 'index'; - - $object = new TestTinyAuthorize($this->Collection, ['allowUser' => true, 'autoClearCache' => true]); + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + //$this->assertFalse($res); + $this->assertTrue($res); // @todo: this now asserts true, might need to be changed depending on logic - $user = [ - 'role_id' => 1 - ]; + // Test standard controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $user = [ - 'role_id' => 3 - ]; + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); - $this->assertTrue($res); + $this->assertFalse($res); } /** + * Test with enabled configuration settings 'allowAdmin' and 'adminRole' + * giving users having the adminRole ID access to all actions that are + * prefixed using the 'adminPrefix' configuration setting. 
+ * * @return void */ public function testAdminMethodsAllowed() { - $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'some_action'; - $config = ['allowAdmin' => true, 'adminRole' => 3, 'autoClearCache' => true]; - + $config = [ + 'allowAdmin' => true, + 'adminRole' => 3, + 'adminPrefix' => 'admin', + 'autoClearCache' => true + ]; $object = new TestTinyAuthorize($this->Collection, $config); - $user = [ - 'role_id' => 1 - ]; + // test standard controller with /admin prefix + $this->request->params['controller'] = 'Users'; + $this->request->params['prefix'] = 'admin'; + $this->request->params['action'] = 'some_action'; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $this->request->params['controller'] = 'users'; - $this->request->params['action'] = 'admin_index'; - - $object = new TestTinyAuthorize($this->Collection, $config); + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); - $user = [ - 'role_id' => 1 - ]; + // test plugin controller with /admin prefix + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $user = [ - 'role_id' => 3 - ]; + $user = ['role_id' => 3]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } /** - * Should only be used in combination with Auth->allow() to mark those as public in the acl.ini, as well. - * Not necessary and certainly not recommended as acl.ini only. + * Should only be used in combination with Auth->allow() to mark those + * as public in the acl.ini, as well. Not necessary and certainly not + * recommended as acl.ini only. + * + * @todo: discuss, what is this?? 
* * @return void */ public function testBasicUserMethodAllowedPublically() { - $this->request->params['controller'] = 'tags'; - $this->request->params['action'] = 'add'; - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - $user = [ - 'role_id' => 2 - ]; + // test standard controller + $this->request->params['controller'] = 'Tags'; + $this->request->params['action'] = 'add'; + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -370,12 +553,12 @@ public function testWithRoleTable() { // We want the session to be used. Configure::delete('Roles'); + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + // test standard controller $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'edit'; - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - // User role is 4 here, though. Also contains left joined Role date here just to check that it works, too. $user = [ 'Roles' => [ From 3e03b1a01231494333f8194f422b910a8d3bae95 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Sun, 15 Feb 2015 13:17:58 +0000 Subject: [PATCH 09/27] Removes inflection forcing strict acl.ini definitions --- src/Auth/TinyAuthorize.php | 57 +++++---------- tests/TestCase/Auth/TinyAuthorizeTest.php | 86 ++++++++++++++++++----- 2 files changed, 87 insertions(+), 56 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 0cb76256..729df621 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php 
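Review bot: In `testUserMethodsAllowed` the new lines `//$this->assertFalse($res);` followed by `$this->assertTrue($res); // @todo: this now asserts true ...` encode an undecided behaviour as a passing assertion, so the suite stays green whichever way the `allowUser` semantics are later settled. Until that decision is made the case should be `$this->markTestIncomplete('allowUser semantics for non-admin prefixes undecided');` rather than an assertion that documents its own uncertainty in a comment. The same applies to the `@todo: discuss, what is this??` added to the `testBasicUserMethodAllowedPublically` docblock: a question belongs in the review thread, not in the merged docblock.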
@@ -163,19 +163,21 @@ public function validate($roles, Request $request) { } // allow access if user has been granted access to the specific resource - if(array_key_exists($request->action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$request->action])) { - $matchArray = $this->_acl[$iniKey]['actions'][$request->action]; + if (isset($this->_acl[$iniKey]['actions'])){ + if(array_key_exists($request->action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$request->action])) { + $matchArray = $this->_acl[$iniKey]['actions'][$request->action]; - // direct access? (even if he has no roles = GUEST) - if (in_array('-1', $matchArray)) { - return true; - } - - // normal access (rolebased) - foreach ($roles as $role) { - if (in_array((string)$role, $matchArray)) { + // direct access? (even if he has no roles = GUEST) + if (in_array('-1', $matchArray)) { return true; } + + // normal access (rolebased) + foreach ($roles as $role) { + if (in_array((string)$role, $matchArray)) { + return true; + } + } } } return false; @@ -239,7 +241,6 @@ protected function _getAcl($path = null) { $res = []; foreach ($iniArray as $key => $array) { - $key = $this->_normalizeIniKey($key); $res[$key] = $this->_deconstructIniKey($key); foreach ($array as $actions => $roles) { 
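Review bot: The added `isset($this->_acl[$iniKey]['actions'])` guard and the `array_key_exists() && !empty()` test on the next line are all implied by a single `!empty()` on the nested element, because `empty()` is true for a missing key at any depth; replacing the two `if` lines with `if (!empty($this->_acl[$iniKey]['actions'][$request->action])) {` removes one indentation level together with the `){` and `if(` spacing slips introduced here. Since the second hunk drops `_normalizeIniKey()`, `$iniKey` is now matched verbatim against the acl.ini section names, so a casing mismatch denies access — the safe direction, but it is a contract change that belongs in the `validate()` docblock (outside the hunk): `* Section keys in acl.ini must match the routed plugin/prefix/controller exactly (case-sensitive).`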
@@ -282,28 +283,6 @@ protected function _getAcl($path = null) { return $res; } - /** - * Conforms a user specified ACL ini section key to CakePHP conventions. - * This way internal $_acl has correct naming for controllers etc + this - * prevents possible casing problems. - * - * @todo: not changing prefix yet, is the casing user definable? - * - * @param string INI section key as found in acl.ini - * @return string String converted to use cake conventions - */ - protected function _normalizeIniKey($key) { - $iniMap = $this->_deconstructIniKey($key); - $res = Inflector::camelize($iniMap['controller']); - if (!empty($iniMap['prefix'])) { - $res = strtolower($iniMap['prefix']) . "/$res"; - } - if (!empty($iniMap['plugin'])) { - $res = Inflector::camelize($iniMap['plugin']) . ".$res"; - } - return $res; - } - /** * Deconstructs an ACL ini section key into a named array with ACL parts * @@ -317,14 +296,12 @@ protected function _deconstructIniKey($key) { ]; if (strpos($key, '.') !== false) { - list($plugin, $key) = explode('.', $key); - $res['plugin'] = Inflector::camelize($plugin); + list($res['plugin'], $key) = explode('.', $key); } if (strpos($key, '/') !== false) { list($res['prefix'], $key) = explode('/', $key); - $res['prefix'] = strtolower($res['prefix']); } - $res['controller'] = Inflector::camelize($key); + $res['controller'] = $key; return $res; } @@ -335,12 +312,12 @@ protected function _deconstructIniKey($key) { * @return array Hash with named keys for controller, plugin and prefix */ protected function _constructIniKey(Request $request) { - $res = Inflector::camelize($request->params['controller']); + $res = $request->params['controller']; if (!empty($request->params['prefix'])) { - $res = strtolower($request->params['prefix']) . "/$res"; + $res = $request->params['prefix'] . "/$res"; } if (!empty($request->params['plugin'])) { - $res = Inflector::camelize($request->params['plugin']) . ".$res"; + $res = $request->params['plugin'] . ".$res"; } return $res; } 
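Review bot: `list($res['plugin'], $key) = explode('.', $key);` and the `explode('/', $key)` below it silently drop any third segment, so a section key with a nested prefix such as `admin/api/Users` is parsed as prefix `admin`, controller `api`, whereas `_constructIniKey()` in the last hunk would build exactly `admin/api/Users` from a request whose prefix param is `admin/api`, if the router can produce such prefixes. Splitting on the last `/` keeps the two methods inverses of each other: `$pos = strrpos($key, '/'); $res['prefix'] = substr($key, 0, $pos); $key = substr($key, $pos + 1);`, and `explode('.', $key, 2)` bounds the plugin split the same way. The `@return array` docblock of `_deconstructIniKey()` should also say the parts are now returned untouched, since the camelize/strtolower normalisation is gone.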
diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index e349951d..d71ec698 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -49,7 +49,7 @@ public function setUp() { ; ---------------------------------------------------------- ; UsersController (/admin prefixed route, no plugin) ; ---------------------------------------------------------- -[Admin/Users] +[admin/Users] index = user, undefined-role edit = user delete = admin @@ -213,7 +213,7 @@ public function testBasicUserMethodDisallowed() { $this->assertEquals('role_id', $object->config('aclKey')); // test standard controller - $this->request->params['controller'] = 'users'; + $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'add'; $user = ['role_id' => 4]; // invalid non-existing role $res = $object->authorize($user, $this->request); @@ -235,9 +235,10 @@ public function testBasicUserMethodDisallowed() { $this->assertFalse($res); // test plugin controller without prefix - $this->request->params['plugin'] = 'tags'; - $this->request->params['controller'] = 'tags'; + $this->request->params['plugin'] = 'Tags'; + $this->request->params['controller'] = 'Tags'; $this->request->params['action'] = 'add'; + $this->request->params['prefix'] = null; $user = ['role_id' => 4]; $res = $object->authorize($user, $this->request); @@ -248,9 +249,9 @@ public function testBasicUserMethodDisallowed() { $this->assertFalse($res); // test plugin controller with /admin prefix - $this->request->params['plugin'] = 'tags'; + $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = 'admin'; - $this->request->params['controller'] = 'tags'; + $this->request->params['controller'] = 'Tags'; $this->request->params['action'] = 'add'; $user = ['role_id' => 4]; @@ -262,7 +263,6 @@ public function testBasicUserMethodDisallowed() { $this->assertFalse($res); } - /** * @return void */ 
@@ -270,7 +270,7 @@ public function testBasicUserMethodAllowed() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // test standard controller - $this->request->params['controller'] = 'users'; + $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'edit'; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); @@ -282,7 +282,6 @@ public function testBasicUserMethodAllowed() { $this->assertTrue($res); // test standard controller with /admin prefix - $this->request->params['controller'] = 'users'; $this->request->params['prefix'] = 'admin'; $this->request->params['action'] = 'edit'; @@ -296,9 +295,10 @@ public function testBasicUserMethodAllowed() { $this->assertTrue($res); // test plugin controller without prefix - $this->request->params['controller'] = 'tags'; - $this->request->params['plugin'] = 'tags'; + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; $this->request->params['action'] = 'index'; + $this->request->params['prefix'] = null; $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); @@ -310,7 +310,6 @@ public function testBasicUserMethodAllowed() { $this->assertTrue($res); // test plugin controller with /admin prefix - $this->request->params['plugin'] = 'tags'; $this->request->params['prefix'] = 'admin'; $this->request->params['action'] = 'index'; 
@@ -324,6 +323,58 @@ public function testBasicUserMethodAllowed() { $this->assertTrue($res); } + /** + * Tests using incorrect casing, enforces strict acl.ini definitions. + * + * @return void + */ + public function testCaseSensitivity() { + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + + // test incorrect controller casing + $this->request->params['controller'] = 'users'; + $this->request->params['action'] = 'index'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test incorrect controller casing with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test correct controller casing with incorrect prefix casing + $this->request->params['controller'] = 'Users'; + $this->request->params['prefix'] = 'Admin'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test incorrect plugin controller without prefix + $this->request->params['controller'] = 'tags'; + $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = null; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test correct plugin controller with incorrect plugin casing + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'tags'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test correct plugin controller with correct plugin but incorrect prefix + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = 'Admin'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + } + /** * @return void */ 
@@ -331,7 +382,7 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // test standard controller - $this->request->params['controller'] = 'users'; + $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'very_long_action_name_action'; $user = ['role_id' => 1]; @@ -353,8 +404,9 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $this->assertFalse($res); // test plugin controller without prefix - $this->request->params['controller'] = 'tags'; - $this->request->params['plugin'] = 'tags'; + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = null; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -430,6 +482,7 @@ public function testBasicUserMethodAllowedWildcard() { // test plugin controller without prefix $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = null; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -504,6 +557,7 @@ public function testAdminMethodsAllowed() { // test plugin controller with /admin prefix $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = null; $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); @@ -532,7 +586,7 @@ public function testBasicUserMethodAllowedPublically() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - $this->request->params['controller'] = 'comments'; + $this->request->params['controller'] = 'Comments'; $this->request->params['action'] = 'foo'; $user = [ From 4f4da0c5181495540ea1574912d901b89ab884ac Mon Sep 17 00:00:00 2001 
From: bravo-kernel Date: Sun, 15 Feb 2015 14:10:56 +0000 Subject: [PATCH 10/27] Adds tests for _iniConstruct() and _iniDeconstruct() --- tests/TestCase/Auth/TinyAuthorizeTest.php | 93 +++++++++++++++++++++++ 1 file changed, 93 insertions(+) diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index d71ec698..5eddfe3f 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php 
@@ -690,6 +690,99 @@ public function testSuperAdminRole() { } } + /** + * Tests constructing an ACL ini section key using CakeRequest parameters + * + * @return void + */ + public function testIniConstruct() { + // make protected function accessible + $object = new TestTinyAuthorize($this->Collection); + $reflection = new \ReflectionClass(get_class($object)); + $method = $reflection->getMethod('_constructIniKey'); + $method->setAccessible(true); + + // test standard controller + $this->request->params['controller'] = 'Users'; + $expected = 'Users'; + $res = $method->invokeArgs($object, [$this->request]); + $this->assertEquals($expected, $res); + + // test standard controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $expected = 'admin/Users'; + $res = $method->invokeArgs($object, [$this->request]); + $this->assertEquals($expected, $res); + + // test plugin controller without prefix + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = null; + $expected = 'Tags.Tags'; + $res = $method->invokeArgs($object, [$this->request]); + $this->assertEquals($expected, $res); + + // test plugin controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $expected = 'Tags.admin/Tags'; + $res = $method->invokeArgs($object, [$this->request]); + $this->assertEquals($expected, $res); + } + + /** + * Tests deconstructing an ACL ini section key + * + * @return void + */ + public function testIniDeconstruct() { + // make protected function accessible + $object = new TestTinyAuthorize($this->Collection); + $reflection = new \ReflectionClass(get_class($object)); + $method = $reflection->getMethod('_deconstructIniKey'); + $method->setAccessible(true); + + // test standard controller + $key = 'Users'; + $expected = [ + 'controller' => 'Users', + 'plugin' => null, + 'prefix' => null + ]; + $res = $method->invokeArgs($object, [$key]); + $this->assertEquals($expected, $res); 
+ + // test standard controller with /admin prefix + $key = 'admin/Users'; + $expected = [ + 'controller' => 'Users', + 'plugin' => null, + 'prefix' => 'admin' + ]; + $res = $method->invokeArgs($object, [$key]); + $this->assertEquals($expected, $res); + + // test plugin controller without prefix + $key = 'Tags.Tags'; + $expected = [ + 'controller' => 'Tags', + 'plugin' => 'Tags', + 'prefix' => null + ]; + $res = $method->invokeArgs($object, [$key]); + $this->assertEquals($expected, $res); + + // test plugin controller with /admin prefix + $key = 'Tags.admin/Tags'; + $expected = [ + 'controller' => 'Tags', + 'plugin' => 'Tags', + 'prefix' => 'admin' + ]; + $res = $method->invokeArgs($object, [$key]); + $this->assertEquals($expected, $res); + } + + } class TestTinyAuthorize extends TinyAuthorize { From 976be8b704c449350ebd6f902a5abea30630d794 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Sun, 15 Feb 2015 14:51:21 +0000 Subject: [PATCH 11/27] Enables access to all actions (prefixed and non-prefixed) except for actions using the --- src/Auth/TinyAuthorize.php | 8 +- tests/TestCase/Auth/TinyAuthorizeTest.php | 189 ++++++++++++++++------ 2 files changed, 145 insertions(+), 52 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 729df621..b868897d 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php 
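Review bot: `testIniDeconstruct` only exercises keys with one plugin and one prefix segment; a case for a nested prefix (`admin/api/Users`) or an odd shape (empty string, a key with two dots) would pin down what `_deconstructIniKey()` is meant to return there, since the implementation splits on the first separator it finds. The two identical `ReflectionClass` / `setAccessible(true)` preambles could be replaced by public pass-through methods on `TestTinyAuthorize`, which is declared at the end of this hunk and exists for exactly this purpose.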
@@ -116,13 +116,15 @@ public function validate($roles, Request $request) {
 $iniKey = $this->_constructIniKey($request);
 $availableRoles = Configure::read($this->_config['aclTable']);
 
- // allow logged in users access to all actions except prefixed
- // @todo: this logic is based on the config description above, could
- // possibly be changed to allow all prefixes as well except /admin
+ // Give any logged in user access to ALL actions if `allowUser` is
+ // enabled, except when the `adminPrefix` is being used.
 if (!empty($this->_config['allowUser'])) {
 if (empty($request->params['prefix'])) {
 return true;
 }
+ if ($request->params['prefix'] != $this->_config['adminPrefix']) {
+ return true;
+ }
 }
 
 // allow access to all /admin prefixed actions for users belonging to
diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php
index 5eddfe3f..5986a307 100644
--- a/tests/TestCase/Auth/TinyAuthorizeTest.php
+++ b/tests/TestCase/Auth/TinyAuthorizeTest.php
@@ -56,15 +56,6 @@ public function setUp() {
 public_action = public
 very_long_action_name_action = user
 ; ----------------------------------------------------------
-; CommentsController (no prefixed route, no plugin)
-; ----------------------------------------------------------
-[Comments]
-index = user, undefined-role
-edit,view = user
-* = admin
-public_action = public
-very_long_action_name_action = user
-; ----------------------------------------------------------
 ; TagsController (no prefixed route, no plugin)
 ; ----------------------------------------------------------
 [Tags]
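Review bot: The new guard `if ($request->params['prefix'] != $this->_config['adminPrefix'])` uses a loose `!=`, while the allowAdmin branch of the same method (visible as context in a later hunk of this series) compares the same two values with `===`; use `!==` so both branches apply the same comparison. Because the match is exact and case-sensitive, a prefix that differs from `adminPrefix` only in casing falls through to this `return true` and is treated like any non-admin route; whether routing can ever produce such a prefix is outside this hunk, so the intended contract should be stated next to the check, e.g. `// Any prefix other than adminPrefix (exact, case-sensitive match) is open to every logged-in role; prefix-specific ACL sections are not consulted here.` That last clause matters because the `[special/Comments] * = admin` section this commit adds to the test INI is never evaluated once allowUser is on. validate()'s body continues outside the hunk.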
@@ -87,7 +78,18 @@ public function setUp() { * = admin public_action = public very_long_action_name_action = user +; ---------------------------------------------------------- +; CommentsController (plugin Comments, /special prefixed route) +; ---------------------------------------------------------- +[special/Comments] +* = admin +; ---------------------------------------------------------- +; CommentsController (plugin Comments, /special prefixed route) +; ---------------------------------------------------------- +[Comments.special/Comments] +* = admin INI; + file_put_contents(TMP . 'acl.ini', $aclData); $this->assertTrue(file_exists(TMP . 'acl.ini')); @@ -152,19 +154,19 @@ public function testGetAcl() { 'very_long_action_name_action' => [1] ] ], - 'Comments' => [ - 'plugin' => null, - 'prefix' => null, - 'controller' => 'Comments', - 'actions' => [ - 'index' => [1], - 'edit' => [1], - 'view' => [1], - '*' => [3], - 'public_action' => [-1], - 'very_long_action_name_action' => [1] - ] - ], + // 'Comments' => [ + // 'plugin' => null, + // 'prefix' => null, + // 'controller' => 'Comments', + // 'actions' => [ + // 'index' => [1], + // 'edit' => [1], + // 'view' => [1], + // '*' => [3], + // 'public_action' => [-1], + // 'very_long_action_name_action' => [1] + // ] + // ], 'Tags' => [ 'plugin' => null, 'prefix' => null, @@ -198,6 +200,22 @@ public function testGetAcl() { 'public_action' => [-1], 'very_long_action_name_action' => [1] ] + ], + 'special/Comments' => [ + 'plugin' => null, + 'prefix' => 'special', + 'controller' => 'Comments', + 'actions' => [ + '*' => [3] + ] + ], + 'Comments.special/Comments' => [ + 'plugin' => 'Comments', + 'prefix' => 'special', + 'controller' => 'Comments', + 'actions' => [ + '*' => [3] + ] ] ]; //debug($res); 
@@ -234,7 +252,7 @@ public function testBasicUserMethodDisallowed() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controller without prefix + // test plugin controller $this->request->params['plugin'] = 'Tags'; $this->request->params['controller'] = 'Tags'; $this->request->params['action'] = 'add'; @@ -294,7 +312,7 @@ public function testBasicUserMethodAllowed() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test plugin controller without prefix + // test plugin controller $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['action'] = 'index'; @@ -351,7 +369,7 @@ public function testCaseSensitivity() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test incorrect plugin controller without prefix + // test incorrect plugin controller $this->request->params['controller'] = 'tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; @@ -403,7 +421,7 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controller without prefix + // test plugin controller $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; @@ -479,7 +497,7 @@ public function testBasicUserMethodAllowedWildcard() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test plugin controller without prefix + // test plugin controller $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; 
@@ -501,7 +519,10 @@ public function testBasicUserMethodAllowedWildcard() { * @return void */ public function testUserMethodsAllowed() { - $object = new TestTinyAuthorize($this->Collection, ['allowUser' => true, 'autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'allowUser' => true, + 'autoClearCache' => true + ]); // test standard controller $this->request->params['controller'] = 'Users'; @@ -512,8 +533,11 @@ public function testUserMethodsAllowed() { $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); - //$this->assertFalse($res); - $this->assertTrue($res); // @todo: this now asserts true, might need to be changed depending on logic + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); // Test standard controller with /admin prefix $this->request->params['prefix'] = 'admin'; 
@@ -521,9 +545,76 @@ public function testUserMethodsAllowed() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + $this->request->params['action'] = 'delete'; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + // Test plugin controller + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = null; + + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; // admin should be allowed + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + // Test plugin controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); $this->assertFalse($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + // Users should have access to standard controller using non-admin prefix + $this->request->params['controller'] = 'Comments'; + $this->request->params['plugin'] = null; + $this->request->params['prefix'] = 'special'; + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + // Users should have access to plugin controller using non-admin prefix + $this->request->params['controller'] = 'Comments'; + 
$this->request->params['plugin'] = 'Comments'; + $this->request->params['prefix'] = 'special'; + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); } /** @@ -576,25 +667,25 @@ public function testAdminMethodsAllowed() { * * @return void */ - public function testBasicUserMethodAllowedPublically() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - - // test standard controller - $this->request->params['controller'] = 'Tags'; - $this->request->params['action'] = 'add'; - $user = ['role_id' => 2]; - $res = $object->authorize($user, $this->request); - $this->assertTrue($res); - - $this->request->params['controller'] = 'Comments'; - $this->request->params['action'] = 'foo'; - - $user = [ - 'role_id' => 3 - ]; - $res = $object->authorize($user, $this->request); - $this->assertTrue($res); - } + // public function testBasicUserMethodAllowedPublically() { + // $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + // + // // test standard controller + // $this->request->params['controller'] = 'Tags'; + // $this->request->params['action'] = 'add'; + // $user = ['role_id' => 2]; + // $res = $object->authorize($user, $this->request); + // $this->assertTrue($res); + // + // $this->request->params['controller'] = 'Comments'; + // $this->request->params['action'] = 'foo'; + // + // $user = [ + // 'role_id' => 3 + // ]; + // $res = $object->authorize($user, $this->request); + // $this->assertTrue($res); + // } /** * TinyAuthorizeTest::testWithRoleTable() From f08b9421a9e16802faee6246053bc60ec68765a0 Mon Sep 17 00:00:00 2001 
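Review bot: The block under `// Users should have access to standard controller using non-admin prefix` asserts that roles 1 and 2 are allowed on `special/Comments`, although the INI this commit adds to setUp() declares `[special/Comments] * = admin`; the assertions hold only because the allowUser branch returns before that ACL section is consulted. Say so in the test so the expectation is not later read as a regression, e.g. `// allowUser short-circuits every non-adminPrefix prefix, so the [special/Comments] * = admin section is deliberately never consulted here`. The same comment applies to the plugin variant `Comments.special/Comments` that follows. testUserMethodsAllowed starts outside this hunk.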
From: bravo-kernel Date: Sun, 15 Feb 2015 15:07:05 +0000 Subject: [PATCH 12/27] Improves test for 'allowAdmin' --- tests/TestCase/Auth/TinyAuthorizeTest.php | 100 ++++++++++------------ 1 file changed, 45 insertions(+), 55 deletions(-) diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index 5986a307..51da6de6 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -75,11 +75,11 @@ public function setUp() { [Tags.admin/Tags] index = user edit,view = user -* = admin +add = admin public_action = public very_long_action_name_action = user ; ---------------------------------------------------------- -; CommentsController (plugin Comments, /special prefixed route) +; CommentsController (no plugin, /special prefixed route) ; ---------------------------------------------------------- [special/Comments] * = admin @@ -154,19 +154,6 @@ public function testGetAcl() { 'very_long_action_name_action' => [1] ] ], - // 'Comments' => [ - // 'plugin' => null, - // 'prefix' => null, - // 'controller' => 'Comments', - // 'actions' => [ - // 'index' => [1], - // 'edit' => [1], - // 'view' => [1], - // '*' => [3], - // 'public_action' => [-1], - // 'very_long_action_name_action' => [1] - // ] - // ], 'Tags' => [ 'plugin' => null, 'prefix' => null, @@ -196,7 +183,7 @@ public function testGetAcl() { 'index' => [1], 'edit' => [1], 'view' => [1], - '*' => [3], + 'add' => [3], 'public_action' => [-1], 'very_long_action_name_action' => [1] ] @@ -230,7 +217,7 @@ public function testBasicUserMethodDisallowed() { $this->assertEquals('Roles', $object->config('aclTable')); $this->assertEquals('role_id', $object->config('aclKey')); - // test standard controller + // Test standard controller $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'add'; $user = ['role_id' => 4]; // invalid non-existing role 
@@ -241,7 +228,7 @@ public function testBasicUserMethodDisallowed() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test standard controller with /admin prefix + // Test standard controller with /admin prefix $this->request->params['prefix'] = 'admin'; $user = ['role_id' => 4]; @@ -252,7 +239,7 @@ public function testBasicUserMethodDisallowed() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controller + // Test plugin controller $this->request->params['plugin'] = 'Tags'; $this->request->params['controller'] = 'Tags'; $this->request->params['action'] = 'add'; @@ -266,7 +253,7 @@ public function testBasicUserMethodDisallowed() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controller with /admin prefix + // Test plugin controller with /admin prefix $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = 'admin'; $this->request->params['controller'] = 'Tags'; @@ -287,7 +274,7 @@ public function testBasicUserMethodDisallowed() { public function testBasicUserMethodAllowed() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - // test standard controller + // Test standard controller $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'edit'; $user = [ 'role_id' => 1 ]; @@ -299,7 +286,7 @@ public function testBasicUserMethodAllowed() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test standard controller with /admin prefix + // Test standard controller with /admin prefix $this->request->params['prefix'] = 'admin'; $this->request->params['action'] = 'edit'; 
@@ -312,7 +299,7 @@ public function testBasicUserMethodAllowed() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test plugin controller + // Test plugin controller $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['action'] = 'index'; @@ -323,11 +310,11 @@ public function testBasicUserMethodAllowed() { $this->assertTrue($res); $user = ['role_id' => 3]; - $this->request->params['action'] = 'delete'; + $this->request->params['action'] = 'add'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test plugin controller with /admin prefix + // Test plugin controller with /admin prefix $this->request->params['prefix'] = 'admin'; $this->request->params['action'] = 'index'; @@ -336,7 +323,7 @@ public function testBasicUserMethodAllowed() { $this->assertTrue($res); $user = ['role_id' => 3]; - $this->request->params['action'] = 'delete'; + $this->request->params['action'] = 'add'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } 
@@ -349,27 +336,27 @@ public function testBasicUserMethodAllowed() { public function testCaseSensitivity() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - // test incorrect controller casing + // Test incorrect controller casing $this->request->params['controller'] = 'users'; $this->request->params['action'] = 'index'; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test incorrect controller casing with /admin prefix + // Test incorrect controller casing with /admin prefix $this->request->params['prefix'] = 'admin'; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test correct controller casing with incorrect prefix casing + // Test correct controller casing with incorrect prefix casing $this->request->params['controller'] = 'Users'; $this->request->params['prefix'] = 'Admin'; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test incorrect plugin controller + // Test incorrect plugin controller casing $this->request->params['controller'] = 'tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; 
@@ -377,14 +364,14 @@ public function testCaseSensitivity() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test correct plugin controller with incorrect plugin casing + // Test correct plugin controller with incorrect plugin casing $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'tags'; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test correct plugin controller with correct plugin but incorrect prefix + // Test correct plugin controller with correct plugin but incorrect prefix casing $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = 'Admin'; @@ -399,7 +386,7 @@ public function testCaseSensitivity() { public function testBasicUserMethodAllowedWithLongActionNames() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - // test standard controller + // Test standard controller $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'very_long_action_name_action'; @@ -411,7 +398,7 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test standard controller with /admin prefix + // Test standard controller with /admin prefix $this->request->params['prefix'] = 'admin'; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); @@ -421,7 +408,7 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controller + // Test plugin controller $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; 
@@ -433,7 +420,7 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controller with /admin prefix + // Test plugin controller with /admin prefix $this->request->params['prefix'] = 'admin'; $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); @@ -453,14 +440,14 @@ public function testBasicUserMethodAllowedMultiRole() { $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'delete'; - // flat list of roles + // Flat list of roles $user = [ 'Roles' => [1, 3] ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // verbose role defition using the new 2.x contain param for Auth + // Verbose role defition using the new 2.x contain param for Auth $user = [ 'Roles' => [ ['id' => 1, 'RoleUsers' => []], 
@@ -486,25 +473,25 @@ public function testBasicUserMethodAllowedWildcard() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); $user = ['role_id' => 6]; - // test standard controller + // Test standard controller $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'public_action'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test standard controller with /admin prefiex + // Test standard controller with /admin prefix $this->request->params['prefix'] = 'admin'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test plugin controller + // Test plugin controller $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test plugin controller with /admin prefix + // Test plugin controller with /admin prefix $this->request->params['prefix'] = 'admin'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -524,7 +511,7 @@ public function testUserMethodsAllowed() { 'autoClearCache' => true ]); - // test standard controller + // Test standard controller $this->request->params['controller'] = 'Users'; $this->request->params['action'] = 'unknown_action'; $user = ['role_id' => 1]; @@ -580,6 +567,7 @@ public function testUserMethodsAllowed() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); + $this->request->params['prefix'] = 'add'; $user = ['role_id' => 3]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); 
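Review bot: The added line `$this->request->params['prefix'] = 'add';` in `@@ -580,6 +567,7 @@` overwrites the `admin` prefix set earlier in this sub-case, so the role 3 assertion that follows runs against prefix `add` and is satisfied by the allowUser branch rather than by the `add = admin` entry this commit places in `[Tags.admin/Tags]`; presumably `$this->request->params['action'] = 'add';` was meant. The hunk at `@@ -588,6 +576,8 @@` has the same slip: `prefix` is assigned `'special'`, `'admin'` and `'index'` in succession, so the "non-admin prefix" case actually runs with prefix `index`, and presumably the last two lines were intended for `plugin` and `action`. With allowUser enabled either mistake makes every assertion in the sub-case pass for the wrong reason, which hides exactly the prefix handling the test exists to check. testUserMethodsAllowed begins outside these hunks.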
@@ -588,6 +576,8 @@ public function testUserMethodsAllowed() { $this->request->params['controller'] = 'Comments'; $this->request->params['plugin'] = null; $this->request->params['prefix'] = 'special'; + $this->request->params['prefix'] = 'admin'; + $this->request->params['prefix'] = 'index'; $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -633,7 +623,7 @@ public function testAdminMethodsAllowed() { ]; $object = new TestTinyAuthorize($this->Collection, $config); - // test standard controller with /admin prefix + // Test standard controller with /admin prefix $this->request->params['controller'] = 'Users'; $this->request->params['prefix'] = 'admin'; $this->request->params['action'] = 'some_action'; @@ -645,7 +635,7 @@ public function testAdminMethodsAllowed() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // test plugin controller with /admin prefix + // Test plugin controller with /admin prefix $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; 
@@ -787,25 +777,25 @@ public function testSuperAdminRole() { * @return void */ public function testIniConstruct() { - // make protected function accessible + // Make protected function accessible $object = new TestTinyAuthorize($this->Collection); $reflection = new \ReflectionClass(get_class($object)); $method = $reflection->getMethod('_constructIniKey'); $method->setAccessible(true); - // test standard controller + // Test standard controller $this->request->params['controller'] = 'Users'; $expected = 'Users'; $res = $method->invokeArgs($object, [$this->request]); $this->assertEquals($expected, $res); - // test standard controller with /admin prefix + // Test standard controller with /admin prefix $this->request->params['prefix'] = 'admin'; $expected = 'admin/Users'; $res = $method->invokeArgs($object, [$this->request]); $this->assertEquals($expected, $res); - // test plugin controller without prefix + // Test plugin controller $this->request->params['controller'] = 'Tags'; $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; @@ -813,7 +803,7 @@ public function testIniConstruct() { $res = $method->invokeArgs($object, [$this->request]); $this->assertEquals($expected, $res); - // test plugin controller with /admin prefix + // Test plugin controller with /admin prefix $this->request->params['prefix'] = 'admin'; $expected = 'Tags.admin/Tags'; $res = $method->invokeArgs($object, [$this->request]); @@ -826,13 +816,13 @@ public function testIniConstruct() { * @return void */ public function testIniDeconstruct() { - // make protected function accessible + // Make protected function accessible $object = new TestTinyAuthorize($this->Collection); $reflection = new \ReflectionClass(get_class($object)); $method = $reflection->getMethod('_deconstructIniKey'); $method->setAccessible(true); - // test standard controller + // Test standard controller $key = 'Users'; $expected = [ 'controller' => 'Users', 
@@ -842,7 +832,7 @@ public function testIniDeconstruct() { $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); - // test standard controller with /admin prefix + // Test standard controller with /admin prefix $key = 'admin/Users'; $expected = [ 'controller' => 'Users', @@ -852,7 +842,7 @@ public function testIniDeconstruct() { $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); - // test plugin controller without prefix + // Test plugin controller without prefix $key = 'Tags.Tags'; $expected = [ 'controller' => 'Tags', @@ -862,7 +852,7 @@ public function testIniDeconstruct() { $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); - // test plugin controller with /admin prefix + // Test plugin controller with /admin prefix $key = 'Tags.admin/Tags'; $expected = [ 'controller' => 'Tags', From 7eafc85b6f10831c3cf13d110eb7ed4aa4dc4f8f Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Sun, 15 Feb 2015 15:16:41 +0000 Subject: [PATCH 13/27] Adds case sensitity tests --- src/Auth/TinyAuthorize.php | 6 +-- tests/TestCase/Auth/TinyAuthorizeTest.php | 50 ++++++++++++++++++++++- 2 files changed, 51 insertions(+), 5 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index b868897d..097fa560 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php @@ -116,8 +116,8 @@ public function validate($roles, Request $request) { $iniKey = $this->_constructIniKey($request); $availableRoles = Configure::read($this->_config['aclTable']); - // Give any logged in user access to ALL actions if `allowUser` is - // enabled, except when the `adminPrefix` is being used. + // Give any logged in user access to ALL actions when `allowUser` is + // enabled except when the `adminPrefix` is being used. if (!empty($this->_config['allowUser'])) { if (empty($request->params['prefix'])) { return true; 
@@ -128,7 +128,7 @@ public function validate($roles, Request $request) { } // allow access to all /admin prefixed actions for users belonging to - // the specified adminRole. + // the specified adminRole id. if (!empty($this->_config['allowAdmin']) && !empty($this->_config['adminRole'])) { if (!empty($request->params['prefix']) && $request->params['prefix'] === $this->_config['adminPrefix']) { if (in_array($this->_config['adminRole'], $roles)) { diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index 51da6de6..71b6a6a3 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -455,7 +455,6 @@ public function testBasicUserMethodAllowedMultiRole() { ], ]; - $user = [ 'Roles' => [ ['id' => 1, 'RoleUsers' => []], @@ -832,6 +831,10 @@ public function testIniDeconstruct() { $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); + $key = 'users'; // test incorrect casing + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + // Test standard controller with /admin prefix $key = 'admin/Users'; $expected = [ @@ -842,6 +845,18 @@ public function testIniDeconstruct() { $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); + $key = 'admin/users'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'Admin/users'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'Admin/Users'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + // Test plugin controller without prefix $key = 'Tags.Tags'; $expected = [ 
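Review bot: The new `assertNotEquals($expected, $res)` checks after `$key = 'users';` and the `admin/users`, `Admin/users`, `Admin/Users` keys do not pin case sensitivity: if `_deconstructIniKey` is a plain string split (the method is outside the hunk), a differently cased input trivially yields a differently cased array, so the assertion cannot fail for any plausible implementation. Assert the exact result instead, e.g. `$this->assertEquals(['controller' => 'users', 'plugin' => null, 'prefix' => null], $res);`, which documents that the method preserves casing and leaves case-sensitive matching to the caller. The hunks at `@@ -852,6 +867,18 @@` and `@@ -861,8 +888,27 @@` add the same pattern, and `tags/tags`, `tags/Tags`, `Tags/tags` there use `/` where the plugin separator is `.`, so they exercise prefix splitting rather than the plugin casing the comment implies.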
@@ -852,6 +867,18 @@ public function testIniDeconstruct() { $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); + $key = 'tags/tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'tags/Tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'Tags/tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + // Test plugin controller with /admin prefix $key = 'Tags.admin/Tags'; $expected = [ @@ -861,8 +888,27 @@ public function testIniDeconstruct() { ]; $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); - } + $key = 'tags.admin/tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'tags.Admin/tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'tags.admin/Tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'Tags.Admin/Tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + + $key = 'Tags.Admin/tags'; + $res = $method->invokeArgs($object, [$key]); + $this->assertNotEquals($expected, $res); + } } From eaa03efd2b3e98323dbd26251f451ef0396ad143 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Sun, 15 Feb 2015 15:17:03 +0000 Subject: [PATCH 14/27] Removes obsolete tests --- tests/TestCase/Auth/TinyAuthorizeTest.php | 29 ----------------------- 1 file changed, 29 deletions(-) diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index 71b6a6a3..deacba49 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php 
@@ -647,35 +647,6 @@ public function testAdminMethodsAllowed() { $this->assertTrue($res); } - /** - * Should only be used in combination with Auth->allow() to mark those - * as public in the acl.ini, as well. Not necessary and certainly not - * recommended as acl.ini only. - * - * @todo: discuss, what is this?? - * - * @return void - */ - // public function testBasicUserMethodAllowedPublically() { - // $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - // - // // test standard controller - // $this->request->params['controller'] = 'Tags'; - // $this->request->params['action'] = 'add'; - // $user = ['role_id' => 2]; - // $res = $object->authorize($user, $this->request); - // $this->assertTrue($res); - // - // $this->request->params['controller'] = 'Comments'; - // $this->request->params['action'] = 'foo'; - // - // $user = [ - // 'role_id' => 3 - // ]; - // $res = $object->authorize($user, $this->request); - // $this->assertTrue($res); - // } - /** * TinyAuthorizeTest::testWithRoleTable() * From 9f17568b3fc11686c41b61fdcc1786efb4d13899 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Sun, 15 Feb 2015 15:29:56 +0000 Subject: [PATCH 15/27] Updates descriptions --- src/Auth/TinyAuthorize.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 097fa560..eb9e8191 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php 
@@ -42,11 +42,11 @@ class TinyAuthorize extends BaseAuthorize { protected $_acl = null; protected $_defaultConfig = [ - 'adminRole' => null, // needed together with adminPrefix if allowAdmin is enabled - 'superAdminRole' => null, // id of the role to grant access to ALL resources - 'allowUser' => false, // quick way to allow ALL roles access to non prefixed urls - 'allowAdmin' => false, // quick way to allow admin access to admin prefixed urls - 'adminPrefix' => 'admin', // must be defined in combination with allowAdmin + 'adminRole' => null, // id of the admin role used by allowAdmin + 'superAdminRole' => null, // id of super admin role granted access to ALL resources + 'allowUser' => false, // enable to allow ALL roles access to all actions except prefixed with 'adminPrefix' + 'allowAdmin' => false, // enable to allow admin role access to all 'adminPrefix' prefixed urls + 'adminPrefix' => 'admin', // admin prefix used by allowAdmin 'cache' => AUTH_CACHE, 'cacheKey' => 'tiny_auth_acl', 'autoClearCache' => false, // usually done by Cache automatically in debug mode, From 2f4f1b9df7c9510e56d93d3707de112f8b2ef30d Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Sun, 15 Feb 2015 15:29:56 +0000 Subject: [PATCH 16/27] Updates descriptions --- src/Auth/TinyAuthorize.php | 10 +++++----- tests/TestCase/Auth/TinyAuthorizeTest.php | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 097fa560..eb9e8191 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php 
@@ -42,11 +42,11 @@ class TinyAuthorize extends BaseAuthorize { protected $_acl = null; protected $_defaultConfig = [ - 'adminRole' => null, // needed together with adminPrefix if allowAdmin is enabled - 'superAdminRole' => null, // id of the role to grant access to ALL resources - 'allowUser' => false, // quick way to allow ALL roles access to non prefixed urls - 'allowAdmin' => false, // quick way to allow admin access to admin prefixed urls - 'adminPrefix' => 'admin', // must be defined in combination with allowAdmin + 'adminRole' => null, // id of the admin role used by allowAdmin + 'superAdminRole' => null, // id of super admin role granted access to ALL resources + 'allowUser' => false, // enable to allow ALL roles access to all actions except prefixed with 'adminPrefix' + 'allowAdmin' => false, // enable to allow admin role access to all 'adminPrefix' prefixed urls + 'adminPrefix' => 'admin', // admin prefix used by allowAdmin 'cache' => AUTH_CACHE, 'cacheKey' => 'tiny_auth_acl', 'autoClearCache' => false, // usually done by Cache automatically in debug mode, diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index deacba49..2a15733d 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -1,13 +1,13 @@ Date: Sun, 15 Feb 2015 16:51:02 +0000 Subject: [PATCH 17/27] Sort class order --- src/Auth/TinyAuthorize.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index eb9e8191..47fe222f 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php @@ -1,14 +1,14 @@ Date: Mon, 16 Feb 2015 10:25:59 +0000 Subject: [PATCH 18/27] Adds tests for long names using Dashed Routes --- tests/TestCase/Auth/TinyAuthorizeTest.php | 69 +++++++++++++++++++++-- 1 file changed, 64 insertions(+), 5 deletions(-) 
diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index 2a15733d..f7e60a26 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -45,6 +45,7 @@ public function setUp() { edit = user delete = admin very_long_action_name_action = user +veryLongActionNameAction = user public_action = public ; ---------------------------------------------------------- ; UsersController (/admin prefixed route, no plugin) @@ -55,6 +56,7 @@ public function setUp() { delete = admin public_action = public very_long_action_name_action = user +veryLongActionNameAction = user ; ---------------------------------------------------------- ; TagsController (no prefixed route, no plugin) ; ---------------------------------------------------------- @@ -69,6 +71,7 @@ public function setUp() { * = admin public_action = public very_long_action_name_action = user +veryLongActionNameAction = user ; ---------------------------------------------------------- ; TagsController (plugin Tags, /admin prefixed route) ; ---------------------------------------------------------- @@ -78,6 +81,7 @@ public function setUp() { add = admin public_action = public very_long_action_name_action = user +veryLongActionNameAction = user ; ---------------------------------------------------------- ; CommentsController (no plugin, /special prefixed route) ; ---------------------------------------------------------- @@ -139,7 +143,8 @@ public function testGetAcl() { 'edit' => [1], 'delete' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1] + 'very_long_action_name_action' => [1], + 'veryLongActionNameAction' => [1] ] ], 'admin/Users' => [ @@ -151,7 +156,8 @@ public function testGetAcl() { 'edit' => [1], 'delete' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1] + 'very_long_action_name_action' => [1], + 'veryLongActionNameAction' => [1] ] ], 'Tags' => [ 
@@ -172,7 +178,8 @@ public function testGetAcl() { 'view' => [1], '*' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1] + 'very_long_action_name_action' => [1], + 'veryLongActionNameAction' => [1] ] ], 'Tags.admin/Tags' => [ @@ -185,7 +192,8 @@ public function testGetAcl() { 'view' => [1], 'add' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1] + 'very_long_action_name_action' => [1], + 'veryLongActionNameAction' => [1] ] ], 'special/Comments' => [ @@ -383,7 +391,7 @@ public function testCaseSensitivity() { /** * @return void */ - public function testBasicUserMethodAllowedWithLongActionNames() { + public function testBasicUserMethodAllowedWithLongActionNamesInflectedRoute() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // Test standard controller 
@@ -431,6 +439,57 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $this->assertFalse($res); } + /** + * @return void + */ + public function testBasicUserMethodAllowedWithLongActionNamesDashedRoute() { + $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + + // Test standard controller + $this->request->params['controller'] = 'Users'; + $this->request->params['action'] = 'veryLongActionNameAction'; + + $user = ['role_id' => 1]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // Test standard controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // Test plugin controller + $this->request->params['controller'] = 'Tags'; + $this->request->params['plugin'] = 'Tags'; + $this->request->params['prefix'] = null; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // Test plugin controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = [ 'role_id' => 1 ]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + } + /** * @return void */ From 35f2db94adb7eb8f5e484eed79e4e69801e40b6e Mon Sep 17 00:00:00 2001 
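Review bot: The first "standard controller" case in testBasicUserMethodAllowedWithLongActionNamesDashedRoute sets only `controller` and `action` and inherits whatever `prefix`/`plugin` the shared `$this->request` already carries, while every later case in the same test sets them explicitly; if setUp or an earlier assertion leaves `prefix` as `'admin'`, this case silently checks the `admin/Users` entry instead of `Users` and the test proves less than its name claims. Make it self-contained with `$this->request->params['prefix'] = null;` and `$this->request->params['plugin'] = null;` before the first authorize() call. The rest of the method already follows that pattern.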
From: bravo-kernel Date: Mon, 16 Feb 2015 12:32:19 +0000 Subject: [PATCH 19/27] Renames tests for long_underscored_actions --- tests/TestCase/Auth/TinyAuthorizeTest.php | 36 +++++++++++------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index f7e60a26..a409a1fb 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -44,7 +44,7 @@ public function setUp() { index = user, undefined-role edit = user delete = admin -very_long_action_name_action = user +very_long_underscored_action = user veryLongActionNameAction = user public_action = public ; ---------------------------------------------------------- @@ -55,7 +55,7 @@ public function setUp() { edit = user delete = admin public_action = public -very_long_action_name_action = user +very_long_underscored_action = user veryLongActionNameAction = user ; ---------------------------------------------------------- ; TagsController (no prefixed route, no plugin) @@ -70,7 +70,7 @@ public function setUp() { edit,view = user * = admin public_action = public -very_long_action_name_action = user +very_long_underscored_action = user veryLongActionNameAction = user ; ---------------------------------------------------------- ; TagsController (plugin Tags, /admin prefixed route) @@ -80,7 +80,7 @@ public function setUp() { edit,view = user add = admin public_action = public -very_long_action_name_action = user +very_long_underscored_action = user veryLongActionNameAction = user ; ---------------------------------------------------------- ; CommentsController (no plugin, /special prefixed route) @@ -143,7 +143,7 @@ public function testGetAcl() { 'edit' => [1], 'delete' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1], + 'very_long_underscored_action' => [1], 'veryLongActionNameAction' => [1] ] ], 
@@ -156,7 +156,7 @@ public function testGetAcl() { 'edit' => [1], 'delete' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1], + 'very_long_underscored_action' => [1], 'veryLongActionNameAction' => [1] ] ], @@ -178,7 +178,7 @@ public function testGetAcl() { 'view' => [1], '*' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1], + 'very_long_underscored_action' => [1], 'veryLongActionNameAction' => [1] ] ], @@ -192,7 +192,7 @@ public function testGetAcl() { 'view' => [1], 'add' => [3], 'public_action' => [-1], - 'very_long_action_name_action' => [1], + 'very_long_underscored_action' => [1], 'veryLongActionNameAction' => [1] ] ], @@ -391,12 +391,12 @@ public function testCaseSensitivity() { /** * @return void */ - public function testBasicUserMethodAllowedWithLongActionNamesInflectedRoute() { + public function testBasicUserMethodAllowedWithLongActionNames() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // Test standard controller $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'very_long_action_name_action'; + $this->request->params['action'] = 'veryLongActionNameAction'; $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); @@ -440,14 +440,14 @@ public function testBasicUserMethodAllowedWithLongActionNamesInflectedRoute() { } /** - * @return void - */ - public function testBasicUserMethodAllowedWithLongActionNamesDashedRoute() { + * @return void + */ + public function testBasicUserMethodAllowedWithLongActionNamesUnderscored() { $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); // Test standard controller $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'veryLongActionNameAction'; + $this->request->params['action'] = 'very_long_underscored_action'; $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); 
@@ -840,10 +840,10 @@ public function testIniConstruct() { } /** - * Tests deconstructing an ACL ini section key - * - * @return void - */ + * Tests deconstructing an ACL ini section key + * + * @return void + */ public function testIniDeconstruct() { // Make protected function accessible $object = new TestTinyAuthorize($this->Collection); From 26643b46ca98d5e957e9c7b8c7818ad303d068ec Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Mon, 16 Feb 2015 15:59:05 +0000 Subject: [PATCH 20/27] Adds base documentation --- docs/authorize.md | 131 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 docs/authorize.md diff --git a/docs/authorize.md b/docs/authorize.md new file mode 100644 index 00000000..21ca0e3e --- /dev/null +++ b/docs/authorize.md 
@@ -0,0 +1,131 @@ +# TinyAuth Autorization + +Enable TinyAuth Authorize if you want to add instant (and easy) role based +access to your application. + +## Enabling + +Assuming you already have Authentiction set up correctly you can enable +Authorization in your controllers beforeFilter like this example: + +```php +// src/Controller/AppController + +use Cake\Event\Event; + +public function beforeFilter(Event $event) +{ + parent::beforeFilter($event); + $this->loadComponent('Auth', [ + 'authorize' => [ + 'TinyAuth.Tiny' => [ + 'autoClearCache' => true, + 'allowUser' => false, + 'allowAdmin' => false, + 'adminRole' => 'admin', + 'superAdminRole' => null + ] + ] + ]); +} +``` + +## Roles + +You need to define some roles for Authorize to work, for example: + +```php +// config/app_custom.php + + +/** +* Optionally define constants for easy referencing throughout your code authorization +*/ +define('ROLE_PUBLIC', -1); +define('ROLE_USERS', 1); +define('ROLE_ADMINS', 2); +define('ROLE_SUPERADMINS', 9); + +return [ + 'Roles' => [ + 'public' => ROLE_PUBLIC, + 'user' => ROLE_USERS, + 'admin' => ROLE_ADMINS, + 'supergirls' => ROLE_SUPERADMINS + ] +]; +``` + +## acl.ini + +Authorize expects an ``acl.ini`` file in your config directory. +Use it to specify who gets access to which resources. + +The section key syntax follows the CakePHP naming convention for plugins. 
+ +Make sure to create an entry for each action you want to expose and use: + +- one or more role names (groups granted access) +- the ``*`` wildcard to allow access to all authenticated users +- the special `public` group to allow access to unauthenticated users + +```ini +; ---------------------------------------------------------- +; Userscontroller +; ---------------------------------------------------------- +[Users] +index = user, admin, undefined-role +edit, view = user, admin +* = admin +; ---------------------------------------------------------- +; UsersController using /api prefixed route +; ---------------------------------------------------------- +[api/Users] +index = public +view = user +* = admin +; ---------------------------------------------------------- +; UsersController using /admin prefixed route +; ---------------------------------------------------------- +[admin/Users] +* = admin +; ---------------------------------------------------------- +; AccountsController in plugin named Accounts +; ---------------------------------------------------------- +[Accounts.Accounts] +view, edit = user +* = admin +; ---------------------------------------------------------- +; AccountsController in plugin named Accounts using /admin +; prefixed route +; ---------------------------------------------------------- +[Accounts.admin/Accounts] +* = admin +; ---------------------------------------------------------- +; CompaniesController in plugin named Accounts +; ---------------------------------------------------------- +[Accounts.Companies] +view, edit = user +* = admin +; ---------------------------------------------------------- +; CompaniesController in plugin named Accounts using /admin +; prefixed route +; ---------------------------------------------------------- +[Accounts.admin/Companies] +* = admin +``` + +## Configuration + +Authorize supports the following configuration options. 
+ +Option | Type|Description +--------|------------ +allowUser|boolean|True will give authenticated users access to all resources except those using the `adminPrefix` +allowAdmin|boolean|True will give users with a role id matching `adminRole` access to all resources using the `adminPrefix` +adminRole|int|Id of the role you will use as admins. Users with this role are granted access to all actions using `adminPrefix` but only when `allowAdmin` is enabled +superAdminRole|int|Id of the super admin role. Users with this role will have access to ALL resources. +adminPrefix|string|Name of the prefix used for admin pages. Defaults to admin. +autoClearCache|Boolean|True will generate a new acl cache file every time. +aclKey|string|Name of the column holding your user role id (only for single role per user/BT) +aclTable|string|Name of the table holding your user roles (only for multiple roles per user/HABTM) From d96f9f22393f27ffe0dc2e132d717041288623ce Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Mon, 16 Feb 2015 16:07:47 +0000 Subject: [PATCH 21/27] Fixes typo --- docs/authorize.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/authorize.md b/docs/authorize.md index 21ca0e3e..9eb50765 100644 --- a/docs/authorize.md +++ b/docs/authorize.md @@ -39,7 +39,7 @@ You need to define some roles for Authorize to work, for example: /** -* Optionally define constants for easy referencing throughout your code authorization +* Optionally define constants for easy referencing throughout your code */ define('ROLE_PUBLIC', -1); define('ROLE_USERS', 1); From 88fb5684238d72a381924064f7b869feb3804185 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Mon, 16 Feb 2015 16:28:23 +0000 Subject: [PATCH 22/27] Removes public example --- docs/authorize.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/authorize.md b/docs/authorize.md index 9eb50765..eaf33b8c 100644 --- a/docs/authorize.md +++ b/docs/authorize.md 
@@ -41,14 +41,12 @@ You need to define some roles for Authorize to work, for example: /** * Optionally define constants for easy referencing throughout your code */ -define('ROLE_PUBLIC', -1); define('ROLE_USERS', 1); define('ROLE_ADMINS', 2); define('ROLE_SUPERADMINS', 9); return [ 'Roles' => [ - 'public' => ROLE_PUBLIC, 'user' => ROLE_USERS, 'admin' => ROLE_ADMINS, 'supergirls' => ROLE_SUPERADMINS @@ -67,7 +65,6 @@ Make sure to create an entry for each action you want to expose and use: - one or more role names (groups granted access) - the ``*`` wildcard to allow access to all authenticated users -- the special `public` group to allow access to unauthenticated users ```ini ; ---------------------------------------------------------- @@ -81,7 +78,6 @@ edit, view = user, admin ; UsersController using /api prefixed route ; ---------------------------------------------------------- [api/Users] -index = public view = user * = admin ; ---------------------------------------------------------- From 6a4bd8dbd6550cf257a6585edb32f1edc4096509 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Tue, 17 Feb 2015 09:48:42 +0000 Subject: [PATCH 23/27] Changes superadmin example --- docs/authorize.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/authorize.md b/docs/authorize.md index eaf33b8c..d32c2f98 100644 --- a/docs/authorize.md +++ b/docs/authorize.md @@ -49,7 +49,7 @@ return [ 'Roles' => [ 'user' => ROLE_USERS, 'admin' => ROLE_ADMINS, - 'supergirls' => ROLE_SUPERADMINS + 'superadmin' => ROLE_SUPERADMIN ] ]; ``` From dd505e3ed0684aee9f7940cb2ad3534bb678c3c8 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Tue, 17 Feb 2015 10:00:49 +0000 Subject: [PATCH 24/27] Correctes superadmin constant --- docs/authorize.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/authorize.md b/docs/authorize.md index d32c2f98..427ccdd4 100644 --- a/docs/authorize.md +++ b/docs/authorize.md 
@@ -43,7 +43,7 @@ You need to define some roles for Authorize to work, for example: */ define('ROLE_USERS', 1); define('ROLE_ADMINS', 2); -define('ROLE_SUPERADMINS', 9); +define('ROLE_SUPERADMIN', 9); return [ 'Roles' => [ From 07c7848432ab7e6afac267cca1af00f36eed1040 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Tue, 17 Feb 2015 10:55:35 +0000 Subject: [PATCH 25/27] Removes obsolete guest checks + extends wildcard tests --- src/Auth/TinyAuthorize.php | 10 -- tests/TestCase/Auth/TinyAuthorizeTest.php | 198 ++++++++++++++++++++-- 2 files changed, 188 insertions(+), 20 deletions(-) diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php index 47fe222f..f0833b54 100644 --- a/src/Auth/TinyAuthorize.php +++ b/src/Auth/TinyAuthorize.php @@ -154,9 +154,6 @@ public function validate($roles, Request $request) { // allow access if user has a role with wildcard access to the resource if (isset($this->_acl[$iniKey]['actions']['*'])) { $matchArray = $this->_acl[$iniKey]['actions']['*']; - if (in_array('-1', $matchArray)) { - return true; - } foreach ($roles as $role) { if (in_array((string)$role, $matchArray)) { return true; @@ -168,13 +165,6 @@ public function validate($roles, Request $request) { if (isset($this->_acl[$iniKey]['actions'])){ if(array_key_exists($request->action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$request->action])) { $matchArray = $this->_acl[$iniKey]['actions'][$request->action]; - - // direct access? (even if he has no roles = GUEST) - if (in_array('-1', $matchArray)) { - return true; - } - - // normal access (rolebased) foreach ($roles as $role) { if (in_array((string)$role, $matchArray)) { return true; diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index a409a1fb..556a41f4 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php 
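Review bot: With the `-1` short-circuit removed, the only thing left that grants wildcard access is the context line `in_array((string)$role, $matchArray)`, and that is a loose comparison: the role is cast to string while the expected ACL arrays in this commit's own tests hold ints (`'*' => [1, 2, 3, -1]`), so a match depends on PHP's string/int juggling rather than on an exact id comparison. Normalise both sides and pass the strict flag, e.g. `if (in_array((string)$role, array_map('strval', $matchArray), true)) {`, or cast the ids once when the ACL cache is built so validate() can compare strictly. validate() starts before this hunk and continues after it.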
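Review bot: After this hunk an acl.ini entry such as `public_action = public` (still present in this commit's test fixture and expected as `[-1]`) is accepted when the ACL is built but can never match, because the removed `-1` check was what honoured it and no real user is expected to carry role `-1` (the docs in this series drop the `ROLE_PUBLIC` constant); an operator who writes `public` now gets a silent deny and a false sense that the directive still means something. Either reject it at build time, e.g. `trigger_error('"public" is no longer supported in acl.ini; use Auth->allow() for unauthenticated access');`, or state in validate()'s docblock that unauthenticated access is handled exclusively by Auth->allow() and `-1` entries are ignored. The enclosing validate() continues past this hunk.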
@@ -92,6 +92,28 @@ public function setUp() { ; ---------------------------------------------------------- [Comments.special/Comments] * = admin +; ---------------------------------------------------------- +; PostsController (for testing generic wildcard access) +; ---------------------------------------------------------- +[Posts] +*=* +[admin/Posts] +* = * +[Posts.Posts] +* = * +[Posts.admin/Posts] +* = * +; ---------------------------------------------------------- +; BlogsController (for testing specific wildcard access) +; ---------------------------------------------------------- +[Blogs] +*= moderator +[admin/Blogs] +* = moderator +[Blogs.Blogs] +* = moderator +[Blogs.admin/Blogs] +* = moderator INI; file_put_contents(TMP . 'acl.ini', $aclData); @@ -211,6 +233,70 @@ public function testGetAcl() { 'actions' => [ '*' => [3] ] + ], + 'Posts' => [ + 'plugin' => null, + 'prefix' => null, + 'controller' => 'Posts', + 'actions' => [ + '*' => [1, 2, 3, -1] + ] + ], + 'admin/Posts' => [ + 'plugin' => null, + 'prefix' => 'admin', + 'controller' => 'Posts', + 'actions' => [ + '*' => [1, 2, 3, -1] + ] + ], + 'Posts.Posts' => [ + 'plugin' => 'Posts', + 'prefix' => null, + 'controller' => 'Posts', + 'actions' => [ + '*' => [1, 2, 3, -1] + ] + ], + 'Posts.admin/Posts' => [ + 'plugin' => 'Posts', + 'prefix' => 'admin', + 'controller' => 'Posts', + 'actions' => [ + '*' => [1, 2, 3, -1] + ] + ], + 'Blogs' => [ + 'plugin' => null, + 'prefix' => null, + 'controller' => 'Blogs', + 'actions' => [ + '*' => [2] + ] + ], + 'admin/Blogs' => [ + 'plugin' => null, + 'prefix' => 'admin', + 'controller' => 'Blogs', + 'actions' => [ + '*' => [2] + ] + ], + 'Blogs.Blogs' => [ + 'plugin' => 'Blogs', + 'prefix' => null, + 'controller' => 'Blogs', + 'actions' => [ + '*' => [2] + ] + ], + 'Blogs.admin/Blogs' => [ + 'plugin' => 'Blogs', + 'prefix' => 'admin', + 'controller' => 'Blogs', + 'actions' => [ + '*' => [2] + ] ] ]; //debug($res); 
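Review bot: The testGetAcl expectation for `*=*` pins `'*' => [1, 2, 3, -1]`, so the role wildcard still expands to include the public pseudo-role `-1` even though the src hunks of this same commit remove every consumer of `-1` in validate(); the cached ACL then carries an id nothing honours, and this assertion locks that in. If `-1` is really obsolete, have the expansion emit only configured role ids and assert `'*' => [1, 2, 3]` here; if it is kept deliberately, a one-line comment on the `[Posts]` fixture saying why would stop the next reader from re-adding the check. The expansion code itself is not in this diff, so this is inferred from the expected arrays.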
@@ -525,36 +611,128 @@ public function testBasicUserMethodAllowedMultiRole() { } /** + * Tests access to a controller that uses the * wildcard for both the + * action and the allowed groups (* = *). + * + * Note: users without a valid/defined role will not be granted access. + * * @return void */ public function testBasicUserMethodAllowedWildcard() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); - $user = ['role_id' => 6]; + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); - // Test standard controller - $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'public_action'; + // Test *=* for standard controller + $this->request->params['controller'] = 'Posts'; + $this->request->params['action'] = 'any_action'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // Test standard controller with /admin prefix + $user = ['role_id' => 123]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // Test *=* for standard controller with /admin prefix + $this->request->params['controller'] = 'Posts'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = null; + + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // Test plugin controller - $this->request->params['controller'] = 'Tags'; - $this->request->params['plugin'] = 'Tags'; + $user = ['role_id' => 123]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // Test *=* for plugin controller + $this->request->params['controller'] = 'Posts'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Posts'; + + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // Test 
plugin controller with /admin prefix + $user = ['role_id' => 123]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // Test *=* for plugin controller with /admin prefix + $this->request->params['controller'] = 'Posts'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = 'Posts'; + + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); + + $user = ['role_id' => 123]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + } + /** + * Tests access to a controller that uses the * wildcard for the action + * but combines it with a specific group (e.g. * = moderators). + * + * @return void + */ + public function testBasicUserMethodAllowedWildcardSpecificGroup() { + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); + $user = ['role_id' => 2]; + + // test standard controller + $this->request->params['controller'] = 'Blogs'; + $this->request->params['action'] = 'any_action'; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test standard controller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test plugin controlller + $this->request->params['plugin'] = 'Blogs'; + $this->request->params['prefix'] = null; + $user = ['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + + // test plugin controlller with /admin prefix + $this->request->params['prefix'] = 'admin'; + $user = 
['role_id' => 2]; + $res = $object->authorize($user, $this->request); + $this->assertTrue($res); + + $user = ['role_id' => 3]; + $res = $object->authorize($user, $this->request); + $this->assertFalse($res); + } + + /** * Tests with configuration setting 'allowUser' set to true, giving user * access to all controller/actions except when prefixed with /admin From d71951cb37ca2332b52caa2240f1237ff916ac33 Mon Sep 17 00:00:00 2001 From: bravo-kernel Date: Tue, 17 Feb 2015 11:55:33 +0000 Subject: [PATCH 26/27] Tests cleanup and refactoring --- tests/TestCase/Auth/TinyAuthorizeTest.php | 382 +++++++++++++--------- 1 file changed, 236 insertions(+), 146 deletions(-) diff --git a/tests/TestCase/Auth/TinyAuthorizeTest.php b/tests/TestCase/Auth/TinyAuthorizeTest.php index 556a41f4..533f7b4f 100644 --- a/tests/TestCase/Auth/TinyAuthorizeTest.php +++ b/tests/TestCase/Auth/TinyAuthorizeTest.php @@ -38,9 +38,9 @@ public function setUp() { $aclData = <<getAcl(); $expected = [ - 'Users' => [ - 'plugin' => null, + 'Tags' => [ + 'controller' => 'Tags', 'prefix' => null, - 'controller' => 'Users', + 'plugin' => null, 'actions' => [ 'index' => [1], 'edit' => [1], @@ -169,10 +162,10 @@ public function testGetAcl() { 'veryLongActionNameAction' => [1] ] ], - 'admin/Users' => [ - 'plugin' => null, + 'admin/Tags' => [ + 'controller' => 'Tags', 'prefix' => 'admin', - 'controller' => 'Users', + 'plugin' => null, 'actions' => [ 'index' => [1], 'edit' => [1], 
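Review bot: The negative cases in testBasicUserMethodAllowedWildcard only use an undefined role id (`123`); the case the removed guest checks used to cover, a `$user` with no usable role at all (empty role list), is not exercised, so a regression that lets an empty role list pass a `* = *` section would go unnoticed. Add one `$user = [];` (or `['role_id' => null]`) case per section asserting `false`. Which of those shapes authorize() accepts without tripping its missing-acl warning is outside this hunk, so reuse whichever shape the existing disallow tests already rely on.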
@@ -182,118 +175,110 @@ public function testGetAcl() { 'veryLongActionNameAction' => [1] ] ], - 'Tags' => [ - 'plugin' => null, - 'prefix' => null, - 'controller' => 'Tags', - 'actions' => [ - '*' => [1, 2, 3, -1] - ] - ], 'Tags.Tags' => [ - 'plugin' => 'Tags', - 'prefix' => null, 'controller' => 'Tags', + 'prefix' => null, + 'plugin' => 'Tags', 'actions' => [ 'index' => [1], 'edit' => [1], 'view' => [1], - '*' => [3], + 'delete' => [3], 'public_action' => [-1], 'very_long_underscored_action' => [1], 'veryLongActionNameAction' => [1] ] ], 'Tags.admin/Tags' => [ - 'plugin' => 'Tags', - 'prefix' => 'admin', 'controller' => 'Tags', + 'prefix' => 'admin', + 'plugin' => 'Tags', 'actions' => [ 'index' => [1], 'edit' => [1], 'view' => [1], - 'add' => [3], + 'delete' => [3], 'public_action' => [-1], 'very_long_underscored_action' => [1], 'veryLongActionNameAction' => [1] ] ], 'special/Comments' => [ - 'plugin' => null, - 'prefix' => 'special', 'controller' => 'Comments', + 'prefix' => 'special', + 'plugin' => null, 'actions' => [ '*' => [3] ] ], 'Comments.special/Comments' => [ - 'plugin' => 'Comments', - 'prefix' => 'special', 'controller' => 'Comments', + 'prefix' => 'special', + 'plugin' => 'Comments', 'actions' => [ '*' => [3] ] ], 'Posts' => [ - 'plugin' => null, - 'prefix' => null, 'controller' => 'Posts', + 'prefix' => null, + 'plugin' => null, 'actions' => [ '*' => [1, 2, 3, -1] ] ], 'admin/Posts' => [ - 'plugin' => null, - 'prefix' => 'admin', 'controller' => 'Posts', + 'prefix' => 'admin', + 'plugin' => null, 'actions' => [ '*' => [1, 2, 3, -1] ] ], 'Posts.Posts' => [ - 'plugin' => 'Posts', - 'prefix' => null, 'controller' => 'Posts', + 'prefix' => null, + 'plugin' => 'Posts', 'actions' => [ '*' => [1, 2, 3, -1] ] ], 'Posts.admin/Posts' => [ - 'plugin' => 'Posts', - 'prefix' => 'admin', 'controller' => 'Posts', + 'prefix' => 'admin', + 'plugin' => 'Posts', 'actions' => [ '*' => [1, 2, 3, -1] ] ], 'Blogs' => [ - 'plugin' => null, - 'prefix' => null, 'controller' 
=> 'Blogs', + 'prefix' => null, + 'plugin' => null, 'actions' => [ '*' => [2] ] ], 'admin/Blogs' => [ - 'plugin' => null, - 'prefix' => 'admin', 'controller' => 'Blogs', + 'prefix' => 'admin', + 'plugin' => null, 'actions' => [ '*' => [2] ] ], 'Blogs.Blogs' => [ - 'plugin' => 'Blogs', - 'prefix' => null, 'controller' => 'Blogs', + 'prefix' => null, + 'plugin' => 'Blogs', 'actions' => [ '*' => [2] ] ], 'Blogs.admin/Blogs' => [ - 'plugin' => 'Blogs', - 'prefix' => 'admin', 'controller' => 'Blogs', + 'prefix' => 'admin', + 'plugin' => 'Blogs', 'actions' => [ '*' => [2] ] @@ -307,13 +292,20 @@ public function testGetAcl() { * @return void */ public function testBasicUserMethodDisallowed() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); $this->assertEquals('Roles', $object->config('aclTable')); $this->assertEquals('role_id', $object->config('aclKey')); - // Test standard controller - $this->request->params['controller'] = 'Users'; + // All tests performed against this action $this->request->params['action'] = 'add'; + + // Test standard controller + $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; + $user = ['role_id' => 4]; // invalid non-existing role $res = $object->authorize($user, $this->request); $this->assertFalse($res); @@ -323,7 +315,9 @@ public function testBasicUserMethodDisallowed() { $this->assertFalse($res); // Test standard controller with /admin prefix - $this->request->params['prefix'] = 'admin'; + $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; $user = ['role_id' => 4]; $res = $object->authorize($user, $this->request); 
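Review bot: The case labelled `// Test standard controller` in testBasicUserMethodDisallowed now sets `$this->request->params['plugin'] = 'Tags'`, so it authorizes against the `Tags.Tags` plugin section rather than the plain `Tags` one, and the plain-controller deny case is no longer covered (it still passes only because `add` is absent from both sections). Change that line to `$this->request->params['plugin'] = null;`. The third case in this method already covers the plugin variant.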
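Review bot: The case labelled `// Test standard controller with /admin prefix` replaces `prefix = 'admin'` with `prefix = null`, so after this commit nothing in testBasicUserMethodDisallowed checks that an unknown or wrong role is denied on the `admin/Tags` entry; the assertion passes for the wrong reason. Restore `$this->request->params['prefix'] = 'admin';` on that line, keeping `plugin = null`. The enclosing test method starts in the previous hunk.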
@@ -334,10 +328,9 @@ public function testBasicUserMethodDisallowed() { $this->assertFalse($res); // Test plugin controller - $this->request->params['plugin'] = 'Tags'; $this->request->params['controller'] = 'Tags'; - $this->request->params['action'] = 'add'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; $user = ['role_id' => 4]; $res = $object->authorize($user, $this->request); @@ -348,10 +341,9 @@ public function testBasicUserMethodDisallowed() { $this->assertFalse($res); // Test plugin controller with /admin prefix - $this->request->params['plugin'] = 'Tags'; - $this->request->params['prefix'] = 'admin'; $this->request->params['controller'] = 'Tags'; - $this->request->params['action'] = 'add'; + $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = 'Tags'; $user = ['role_id' => 4]; $res = $object->authorize($user, $this->request); @@ -366,12 +358,17 @@ public function testBasicUserMethodDisallowed() { * @return void */ public function testBasicUserMethodAllowed() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); // Test standard controller - $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'edit'; + $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + $user = [ 'role_id' => 1 ]; + $this->request->params['action'] = 'edit'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); 
@@ -381,10 +378,12 @@ public function testBasicUserMethodAllowed() { $this->assertTrue($res); // Test standard controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; - $this->request->params['action'] = 'edit'; + $this->request->params['plugin'] = null; $user = [ 'role_id' => 1 ]; + $this->request->params['action'] = 'edit'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -395,29 +394,31 @@ public function testBasicUserMethodAllowed() { // Test plugin controller $this->request->params['controller'] = 'Tags'; - $this->request->params['plugin'] = 'Tags'; - $this->request->params['action'] = 'index'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; $user = ['role_id' => 1]; + $this->request->params['action'] = 'edit'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); $user = ['role_id' => 3]; - $this->request->params['action'] = 'add'; + $this->request->params['action'] = 'delete'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); // Test plugin controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; - $this->request->params['action'] = 'index'; + $this->request->params['plugin'] = 'Tags'; $user = ['role_id' => 1]; + $this->request->params['action'] = 'edit'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); $user = ['role_id' => 3]; - $this->request->params['action'] = 'add'; + $this->request->params['action'] = 'delete'; $res = $object->authorize($user, $this->request); $this->assertTrue($res); } 
@@ -428,17 +429,27 @@ public function testBasicUserMethodAllowed() { * @return void */ public function testCaseSensitivity() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true] + ); - // Test incorrect controller casing - $this->request->params['controller'] = 'users'; + // All tests performed against this action $this->request->params['action'] = 'index'; + + // Test incorrect controller casing + $this->request->params['controller'] = 'tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); // Test incorrect controller casing with /admin prefix + $this->request->params['controller'] = 'tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = null; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); 
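Review bot: The rewritten constructor call in testCaseSensitivity closes with `'autoClearCache' => true]` followed by `);` on its own line, which differs from every other test touched by this commit, where the array is closed as `]);`. This is cosmetic, but the commit otherwise normalises exactly this call shape, so the odd one out reads as a slip. Change it to `'autoClearCache' => true` with `]);` on the following line.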
@@ -446,29 +457,35 @@ public function testCaseSensitivity() { // Test correct controller casing with incorrect prefix casing $this->request->params['controller'] = 'Users'; $this->request->params['prefix'] = 'Admin'; + $this->request->params['plugin'] = null; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); // Test incorrect plugin controller casing $this->request->params['controller'] = 'tags'; - $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); // Test correct plugin controller with incorrect plugin casing $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; $this->request->params['plugin'] = 'tags'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); // Test correct plugin controller with correct plugin but incorrect prefix casing $this->request->params['controller'] = 'Tags'; - $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = 'Admin'; + $this->request->params['plugin'] = 'Tags'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); 
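Review bot: The `// Test correct controller casing with incorrect prefix casing` block still uses `$this->request->params['controller'] = 'Users';` while every neighbouring block in this commit was moved to `Tags`. If the test ACL no longer defines a Users controller, assertFalse passes because the controller is unknown rather than because the `Admin` prefix casing is rejected, so the case-sensitivity claim would go untested; the fixture is not visible from this hunk. Switching the line to `$this->request->params['controller'] = 'Tags';` aligns the block with the `admin/Tags` entry its sibling blocks rely on.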
@@ -478,12 +495,18 @@ public function testCaseSensitivity() { * @return void */ public function testBasicUserMethodAllowedWithLongActionNames() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); - // Test standard controller - $this->request->params['controller'] = 'Users'; + // All tests performed against this action $this->request->params['action'] = 'veryLongActionNameAction'; + // Test standard controller + $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -493,7 +516,10 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $this->assertFalse($res); // Test standard controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = null; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -504,8 +530,9 @@ public function testBasicUserMethodAllowedWithLongActionNames() { // Test plugin controller $this->request->params['controller'] = 'Tags'; - $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -515,7 +542,10 @@ public function testBasicUserMethodAllowedWithLongActionNames() { $this->assertFalse($res); // Test plugin controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = 'Tags'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); 
@@ -529,12 +559,18 @@ public function testBasicUserMethodAllowedWithLongActionNames() { * @return void */ public function testBasicUserMethodAllowedWithLongActionNamesUnderscored() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); - // Test standard controller - $this->request->params['controller'] = 'Users'; + // All tests performed against this action $this->request->params['action'] = 'very_long_underscored_action'; + // Test standard controller + $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -544,7 +580,10 @@ public function testBasicUserMethodAllowedWithLongActionNamesUnderscored() { $this->assertFalse($res); // Test standard controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = null; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -555,8 +594,9 @@ public function testBasicUserMethodAllowedWithLongActionNamesUnderscored() { // Test plugin controller $this->request->params['controller'] = 'Tags'; - $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); 
@@ -566,7 +606,10 @@ public function testBasicUserMethodAllowedWithLongActionNamesUnderscored() { $this->assertFalse($res); // Test plugin controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = 'Tags'; + $user = [ 'role_id' => 1 ]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -580,9 +623,11 @@ public function testBasicUserMethodAllowedWithLongActionNamesUnderscored() { * @return void */ public function testBasicUserMethodAllowedMultiRole() { - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); - $this->request->params['controller'] = 'Users'; + $this->request->params['controller'] = 'Tags'; $this->request->params['action'] = 'delete'; // Flat list of roles @@ -623,9 +668,11 @@ public function testBasicUserMethodAllowedWildcard() { 'autoClearCache' => true ]); - // Test *=* for standard controller - $this->request->params['controller'] = 'Posts'; + // All tests performed against this action $this->request->params['action'] = 'any_action'; + + // Test standard controller + $this->request->params['controller'] = 'Posts'; $this->request->params['prefix'] = null; $this->request->params['plugin'] = null; @@ -675,12 +722,11 @@ public function testBasicUserMethodAllowedWildcard() { $user = ['role_id' => 123]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - } /** * Tests access to a controller that uses the * wildcard for the action - * but combines it with a specific group (e.g. * = moderators). + * but combines it with a specific group (here: * = moderators). * * @return void */ 
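Review bot: testBasicUserMethodAllowedMultiRole changes the controller to `Tags` but, unlike the other tests rewritten in this commit, does not set `prefix` and `plugin` explicitly, so the ACL key it validates depends on whatever the shared `$this->request` holds when the test starts. Unless setUp builds a fresh Request for every test (not visible here), a leftover prefix or plugin would silently change which key is checked. Adding `$this->request->params['prefix'] = null;` and `$this->request->params['plugin'] = null;` after the controller line makes the test self-contained like its siblings. The method body continues outside the hunk.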
@@ -688,11 +734,16 @@ public function testBasicUserMethodAllowedWildcardSpecificGroup() { $object = new TestTinyAuthorize($this->Collection, [ 'autoClearCache' => true ]); - $user = ['role_id' => 2]; - // test standard controller - $this->request->params['controller'] = 'Blogs'; + // All tests performed against this action $this->request->params['action'] = 'any_action'; + + // Test standard controller + $this->request->params['controller'] = 'Blogs'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -700,8 +751,11 @@ public function testBasicUserMethodAllowedWildcardSpecificGroup() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test standard controller with /admin prefix + // Test standard controller with /admin prefix + $this->request->params['controller'] = 'Blogs'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = null; + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -710,9 +764,11 @@ public function testBasicUserMethodAllowedWildcardSpecificGroup() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controlller - $this->request->params['plugin'] = 'Blogs'; + // Test plugin controlller + $this->request->params['controller'] = 'Blogs'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Blogs'; + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); 
@@ -721,8 +777,11 @@ public function testBasicUserMethodAllowedWildcardSpecificGroup() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - // test plugin controlller with /admin prefix + // Test plugin controlller with /admin prefix + $this->request->params['controller'] = 'Blogs'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = 'Blogs'; + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -737,19 +796,23 @@ public function testBasicUserMethodAllowedWildcardSpecificGroup() { * Tests with configuration setting 'allowUser' set to true, giving user * access to all controller/actions except when prefixed with /admin * - * @todo: discuss logic before completing, see code L120 - * * @return void */ public function testUserMethodsAllowed() { $object = new TestTinyAuthorize($this->Collection, [ 'allowUser' => true, - 'autoClearCache' => true + 'autoClearCache' => true, + 'adminPrefix' => 'admin' ]); + // All tests performed against this action + $this->request->params['action'] = 'any_action'; + // Test standard controller - $this->request->params['controller'] = 'Users'; - $this->request->params['action'] = 'unknown_action'; + $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); 
@@ -762,24 +825,29 @@ public function testUserMethodsAllowed() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // Test standard controller with /admin prefix + // Test standard controller with /admin prefix. Note: users should NOT + // be allowed access here since the prefix matches the 'adminPrefix' + // configuration setting. + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = null; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $user = ['role_id' => 3]; + $user = ['role_id' => 2]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $this->request->params['action'] = 'delete'; + $user = ['role_id' => 3]; $res = $object->authorize($user, $this->request); - $this->assertTrue($res); + $this->assertFalse($res); // Test plugin controller $this->request->params['controller'] = 'Tags'; - $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); @@ -789,12 +857,16 @@ public function testUserMethodsAllowed() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - $user = ['role_id' => 3]; // admin should be allowed + $user = ['role_id' => 3]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // Test plugin controller with /admin prefix + // Test plugin controller with /admin prefix. Again: access should + // NOT be allowed because of matching 'adminPrefix' + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = 'Tags'; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); 
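Review bot: The expectation for role 3 under the `/admin` prefix flips from assertTrue to assertFalse without a comment saying why an admin is now denied. Given the object configuration at the top of this test (`allowUser`, `autoClearCache`, `adminPrefix` only), the reason is presumably that neither `allowAdmin` nor `adminRole` is set, so role 3 is treated like any other user and falls back to the ACL; that is inferred, since the ACL data is not visible here. A one-line note makes the intent explicit: `// role 3 (admin) is denied as well: allowAdmin/adminRole are not configured on this object`. The same applies to the plugin `/admin` block later in this hunk.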
@@ -803,17 +875,16 @@ public function testUserMethodsAllowed() { $res = $object->authorize($user, $this->request); $this->assertFalse($res); - $this->request->params['prefix'] = 'add'; $user = ['role_id' => 3]; $res = $object->authorize($user, $this->request); - $this->assertTrue($res); + $this->assertFalse($res); - // Users should have access to standard controller using non-admin prefix + // Test access to a standard controller using a prefix not matching the + // 'adminPrefix' => users should be allowed access. $this->request->params['controller'] = 'Comments'; - $this->request->params['plugin'] = null; $this->request->params['prefix'] = 'special'; - $this->request->params['prefix'] = 'admin'; - $this->request->params['prefix'] = 'index'; + $this->request->params['plugin'] = null; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); @@ -826,10 +897,12 @@ public function testUserMethodsAllowed() { $res = $object->authorize($user, $this->request); $this->assertTrue($res); - // Users should have access to plugin controller using non-admin prefix + // Test access to a plugin controller using a prefix not matching the + // 'adminPrefix' => users should be allowed access. $this->request->params['controller'] = 'Comments'; - $this->request->params['plugin'] = 'Comments'; $this->request->params['prefix'] = 'special'; + $this->request->params['plugin'] = 'Comments'; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertTrue($res); 
@@ -859,10 +932,14 @@ public function testAdminMethodsAllowed() { ]; $object = new TestTinyAuthorize($this->Collection, $config); + // All tests performed against this action + $this->request->params['action'] = 'any_action'; + // Test standard controller with /admin prefix - $this->request->params['controller'] = 'Users'; + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; - $this->request->params['action'] = 'some_action'; + $this->request->params['plugin'] = null; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); @@ -873,8 +950,9 @@ public function testAdminMethodsAllowed() { // Test plugin controller with /admin prefix $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = 'admin'; $this->request->params['plugin'] = 'Tags'; - $this->request->params['prefix'] = null; + $user = ['role_id' => 1]; $res = $object->authorize($user, $this->request); $this->assertFalse($res); @@ -895,10 +973,12 @@ public function testWithRoleTable() { // We want the session to be used. Configure::delete('Roles'); - $object = new TestTinyAuthorize($this->Collection, ['autoClearCache' => true]); + $object = new TestTinyAuthorize($this->Collection, [ + 'autoClearCache' => true + ]); // test standard controller - $this->request->params['controller'] = 'Users'; + $this->request->params['controller'] = 'Tags'; $this->request->params['action'] = 'edit'; // User role is 4 here, though. Also contains left joined Role date here just to check that it works, too. 
@@ -991,27 +1071,37 @@ public function testIniConstruct() { $method->setAccessible(true); // Test standard controller - $this->request->params['controller'] = 'Users'; - $expected = 'Users'; + $this->request->params['controller'] = 'Tags'; + $this->request->params['prefix'] = null; + $this->request->params['plugin'] = null; + + $expected = 'Tags'; $res = $method->invokeArgs($object, [$this->request]); $this->assertEquals($expected, $res); // Test standard controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; - $expected = 'admin/Users'; + $this->request->params['plugin'] = null; + + $expected = 'admin/Tags'; $res = $method->invokeArgs($object, [$this->request]); $this->assertEquals($expected, $res); // Test plugin controller $this->request->params['controller'] = 'Tags'; - $this->request->params['plugin'] = 'Tags'; $this->request->params['prefix'] = null; + $this->request->params['plugin'] = 'Tags'; + $expected = 'Tags.Tags'; $res = $method->invokeArgs($object, [$this->request]); $this->assertEquals($expected, $res); // Test plugin controller with /admin prefix + $this->request->params['controller'] = 'Tags'; $this->request->params['prefix'] = 'admin'; + $this->request->params['plugin'] = 'Tags'; + $expected = 'Tags.admin/Tags'; $res = $method->invokeArgs($object, [$this->request]); $this->assertEquals($expected, $res); 
@@ -1030,38 +1120,38 @@ public function testIniDeconstruct() { $method->setAccessible(true); // Test standard controller - $key = 'Users'; + $key = 'Tags'; $expected = [ - 'controller' => 'Users', + 'controller' => 'Tags', 'plugin' => null, 'prefix' => null ]; $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); - $key = 'users'; // test incorrect casing + $key = 'tags'; // test incorrect casing $res = $method->invokeArgs($object, [$key]); $this->assertNotEquals($expected, $res); // Test standard controller with /admin prefix - $key = 'admin/Users'; + $key = 'admin/Tags'; $expected = [ - 'controller' => 'Users', - 'plugin' => null, - 'prefix' => 'admin' + 'controller' => 'Tags', + 'prefix' => 'admin', + 'plugin' => null ]; $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); - $key = 'admin/users'; + $key = 'admin/tags'; $res = $method->invokeArgs($object, [$key]); $this->assertNotEquals($expected, $res); - $key = 'Admin/users'; + $key = 'Admin/tags'; $res = $method->invokeArgs($object, [$key]); $this->assertNotEquals($expected, $res); - $key = 'Admin/Users'; + $key = 'Admin/Tags'; $res = $method->invokeArgs($object, [$key]); $this->assertNotEquals($expected, $res); @@ -1069,8 +1159,8 @@ public function testIniDeconstruct() { $key = 'Tags.Tags'; $expected = [ 'controller' => 'Tags', - 'plugin' => 'Tags', - 'prefix' => null + 'prefix' => null, + 'plugin' => 'Tags' ]; $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); @@ -1091,8 +1181,8 @@ public function testIniDeconstruct() { $key = 'Tags.admin/Tags'; $expected = [ 'controller' => 'Tags', - 'plugin' => 'Tags', - 'prefix' => 'admin' + 'prefix' => 'admin', + 'plugin' => 'Tags' ]; $res = $method->invokeArgs($object, [$key]); $this->assertEquals($expected, $res); From 1a05d5d56bb396494af60882b8d9ea115690c133 Mon Sep 17 00:00:00 2001 
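Review bot: The miscased keys (`tags`, `admin/tags`, `Admin/tags`, `Admin/Tags`) are only checked with `assertNotEquals($expected, $res)`, which passes for any result that differs from the correct decomposition, including a null or partially filled array, so a regression in the helper would go unnoticed. If the intended behaviour is that casing is passed through verbatim, assert the actual value instead, e.g. `$this->assertSame('tags', $res['controller']);` for the first case and the equivalent for the prefix cases. The reordering of `prefix`/`plugin` in the `$expected` arrays is cosmetic for assertEquals, which does not consider key order, but would matter if these ever became assertSame.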
From: bravo-kernel
Date: Tue, 17 Feb 2015 12:09:48 +0000
Subject: [PATCH 27/27] PHPCS fixes
---
 src/Auth/TinyAuthorize.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Auth/TinyAuthorize.php b/src/Auth/TinyAuthorize.php
index f0833b54..b6233974 100644
--- a/src/Auth/TinyAuthorize.php
+++ b/src/Auth/TinyAuthorize.php
@@ -140,7 +140,7 @@ public function validate($roles, Request $request) {
 // allow logged in super admins access to all resources
 if (!empty($this->_config['superAdminRole'])) {
 foreach ($roles as $role) {
- if ($role == $this->_config['superAdminRole']) {
+ if ($role === $this->_config['superAdminRole']) {
 return true;
 }
 }
@@ -162,7 +162,7 @@ public function validate($roles, Request $request) {
 }
 
 // allow access if user has been granted access to the specific resource
- if (isset($this->_acl[$iniKey]['actions'])){
+ if (isset($this->_acl[$iniKey]['actions'])) {
 if(array_key_exists($request->action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$request->action])) {
 $matchArray = $this->_acl[$iniKey]['actions'][$request->action];
 foreach ($roles as $role) {
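Review bot: Changing `==` to `===` on the super-admin check is a behaviour change hidden in a PHPCS commit: `$roles` is built in authorize() from session ids (`Hash::extract(..., '{n}.id')` or `role_id`), and if those arrive as strings while `superAdminRole` is configured as an int, the comparison now never matches and the super admin silently loses the shortcut. That fails closed, which is the safe direction, but it is undocumented and will surface as a support question. Normalize both sides before comparing, e.g. `if ((string)$role === (string)$this->_config['superAdminRole']) {`, or state in the config docblock that superAdminRole must have the same type as the stored role ids. validate() starts before this hunk and continues after it.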
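Review bot: The spacing fix on `if (isset($this->_acl[$iniKey]['actions'])) {` leaves `if(array_key_exists(` on the very next line untouched, so the violation this commit is named for survives one line down. Change it to `if (array_key_exists($request->action, $this->_acl[$iniKey]['actions']) && !empty($this->_acl[$iniKey]['actions'][$request->action])) {`. The enclosing validate() continues past the end of the hunk.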