
Added configurable roles to be ignored in IddqdVoter

1 parent 7353def commit c1efa31436708d477f5963790c6ace7e238321ae @ricbra ricbra committed Feb 1, 2013
@@ -52,6 +52,11 @@ public function getConfigTreeBuilder()
->children()
->booleanNode('secure_all_services')->defaultFalse()->end()
->booleanNode('enable_iddqd_attribute')->defaultFalse()->end()
+ ->arrayNode('iddqd_ignore_roles')
+ ->defaultValue(array('ROLE_PREVIOUS_ADMIN'))
+ ->prototype('scalar')
+ ->end()
+ ->end()
->scalarNode('cache_dir')->cannotBeEmpty()->defaultValue('%kernel.cache_dir%/jms_security')->end()
->booleanNode('expressions')->defaultFalse()->end()
->arrayNode('voters')
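Review bot: The default `array('ROLE_PREVIOUS_ADMIN')` on the new `iddqd_ignore_roles` node is replaced, not merged, as soon as a project configures the key itself, so a user who adds one extra role silently loses the previous-admin exclusion unless they re-list it. That trap should be stated on the node, e.g. `->info('Attributes for which IddqdVoter abstains even for IDDQD tokens; setting this list replaces the default, so re-add ROLE_PREVIOUS_ADMIN.')` (NodeDefinition::info(), if the targeted Symfony version provides it). getConfigTreeBuilder starts and ends outside the hunk.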
@@ -85,6 +85,8 @@ public function load(array $configs, ContainerBuilder $container)
// FIXME: Also add an iddqd after invocation provider
}
+ $container->setParameter('security.extra.iddqd_ignore_roles', $config['iddqd_ignore_roles']);
+
$container->setParameter('security.iddqd_aliases',
isset($config['iddqd_aliases']) ? $config['iddqd_aliases'] : array());
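Review bot: The new parameter is named `security.extra.iddqd_ignore_roles` while the sibling two lines below is `security.iddqd_aliases`; the two prefixes will confuse anyone overriding them, so pick one (`security.iddqd_ignore_roles` matches the existing one). The service definition that must now pass this parameter as IddqdVoter's second constructor argument is not in the visible hunks; if it is not updated to `%security.extra.iddqd_ignore_roles%` the container will fail to build the voter. load() starts and ends outside the hunk.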
@@ -36,14 +36,33 @@ class IddqdVoter implements VoterInterface
/** @var array */
private $iddqdAliases = array('ROLE_IDDQD');
- public function __construct(array $iddqdAliases)
+ /** @var array */
+ private $ignoredRoles;
+
+ public function __construct(array $iddqdAliases, array $ignoredRoles)
{
$this->iddqdAliases = array_merge($this->iddqdAliases, $iddqdAliases);
+ $this->ignoredRoles = $ignoredRoles;
}
public function vote(TokenInterface $token, $object, array $attributes)
{
- return $this->isIddqd($token) ? VoterInterface::ACCESS_GRANTED : VoterInterface::ACCESS_ABSTAIN;
+ if (! $this->isIddqd($token) || $this->isIgnoredRole($attributes)) {
+ return VoterInterface::ACCESS_ABSTAIN;
+ }
+
+ return VoterInterface::ACCESS_GRANTED;
+ }
+
+ protected function isIgnoredRole(array $attributes)
+ {
+ foreach ($attributes as $attribute) {
+ if (in_array($attribute, $this->ignoredRoles, true)) {
+ return true;
+ }
+ }
+
+ return false;
}
protected function isIddqd(TokenInterface $token)
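Review bot: The constructor now requires a second argument with no default, which breaks any code that instantiates IddqdVoter directly (custom service definitions, tests of other bundles); `public function __construct(array $iddqdAliases, array $ignoredRoles = array())` keeps those callers working and makes the empty-ignore behaviour explicit. The new condition in vote() also deserves a comment, because one ignored attribute makes the voter abstain for the whole call, even when other requested attributes are not ignored: `// Abstain for the entire call if any requested attribute is ignored, so the regular role voters decide (e.g. ROLE_PREVIOUS_ADMIN during switch_user)`. isIddqd's body lies outside the hunk, so I cannot tell whether it short-circuits on the first matching role.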
@@ -0,0 +1,60 @@
+<?php
+
+namespace JMS\SecurityExtraBundle\Tests\Security\Authorization\Voter;
+
+use JMS\SecurityExtraBundle\Security\Authorization\Voter\IddqdVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+class IddqdVoterTest extends \PHPUnit_Framework_TestCase
+{
+ public function testRoleIddqd()
+ {
+ $token = $this->getToken(array('ROLE_IDDQD'));
+ $voter = new IddqdVoter(array(), array('ROLE_PREVIOUS_ADMIN'));
+ $this->assertEquals($voter->vote($token, null, array('ROLE_FOO')), VoterInterface::ACCESS_GRANTED);
+ }
+
+ public function testIgnoresRolePreviousAdmin()
+ {
+ $token = $this->getToken(array('ROLE_IDDQD'));
+ $voter = new IddqdVoter(array(), array('ROLE_USER', 'ROLE_PREVIOUS_ADMIN'));
+ $this->assertEquals($voter->vote($token, null, array('ROLE_PREVIOUS_ADMIN')), VoterInterface::ACCESS_ABSTAIN);
+ }
+
+ public function testNotIgnoresRolePreviousAdmin()
+ {
+ $token = $this->getToken(array('ROLE_IDDQD'));
+ $voter = new IddqdVoter(array(), array());
+ $this->assertEquals($voter->vote($token, null, array('ROLE_PREVIOUS_ADMIN')), VoterInterface::ACCESS_GRANTED);
+ }
+
+ public function testRoleIddqdWithAlias()
+ {
+ $token = $this->getToken(array('ROLE_SUPER_ADMIN'));
+ $voter = new IddqdVoter(array('ROLE_SUPER_ADMIN'), array());
+ $this->assertEquals($voter->vote($token, null, array('ROLE_USER')), VoterInterface::ACCESS_GRANTED);
+ }
+
+ protected function getToken(array $roles)
+ {
+ $tokenRoles = array();
+ foreach ($roles as $value) {
+ $role = $this->getMock('Symfony\Component\Security\Core\Role\RoleInterface');
+ $role
+ ->expects($this->once())
+ ->method('getRole')
+ ->will($this->returnValue($value))
+ ;
+ $tokenRoles[] = $role;
+ }
+
+ $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
+ $token
+ ->expects($this->once())
+ ->method('getRoles')
+ ->will($this->returnValue($tokenRoles))
+ ;
+
+ return $token;
+ }
+}
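Review bot: No test exercises the first half of the new condition in vote(), a token without IDDQD/alias role, which is the path that keeps ordinary users from being granted everything; the tests below only cover IDDQD tokens. Every assertion also passes arguments as `assertEquals($actual, $expected)`, the reverse of PHPUnit's `($expected, $actual)`, so failure messages will label the values backwards; `assertSame` is the better fit for integer constants. The test mocks expect `getRoles` exactly once, which holds only if isIddqd calls it once per vote — its body is not in this diff, so that coupling is worth confirming.
```php
public function testAbstainsForNonIddqdToken()
{
    $token = $this->getToken(array('ROLE_USER'));
    $voter = new IddqdVoter(array(), array('ROLE_PREVIOUS_ADMIN'));
    $this->assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($token, null, array('ROLE_USER')));
}
```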
