Fix route matching case insensitivity
xfra35 committed Apr 28, 2021
1 parent e0e7d76 commit c6e8aeb
Showing 2 changed files with 85 additions and 58 deletions.
7 changes: 4 additions & 3 deletions lib/access.php
Expand Up @@ -82,6 +82,7 @@ function granted($route,$subject='') {
foreach ($this->rules as $sub => $verbs)
if ($sub!=$subject && isset($verbs[$verb]))
foreach ($verbs[$verb] as $path => $rule) {
$path=strtolower($path);
if (!isset($others[$path]))
$others[$path]=[$sub=>$rule];
else
Expand All @@ -93,7 +94,7 @@ function granted($route,$subject='') {
//specific paths are processed first:
$paths=array();
foreach ($keys=array_keys($rules) as $key) {
$path=str_replace('@','*@',$key);
$path=str_replace('@','*@',strtolower($key));
if (substr($path,-1)!='*')
$path.='+';
$paths[]=$path;
Expand All @@ -103,8 +104,8 @@ function granted($route,$subject='') {
$rules=array_combine($keys,$vals);
foreach($rules as $path=>$rule)
if (preg_match('/^'.preg_replace('/@\w*/','[^\/]+',
str_replace('\*','.*',preg_quote($path,'/'))).'$/',$uri))
return (strpos($path,'@')!==FALSE && isset($others[$uri]))
str_replace('\*','.*',preg_quote($path,'/'))).'$/i',$uri))
return (strpos($path,'@')!==FALSE && isset($others[strtolower($uri)]))
? !$this->policy==self::DENY: $rule;
return $this->policy==self::ALLOW;
}
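Review bot: The two case-folding mechanisms introduced here can disagree on non-ASCII route paths: the `strtolower()` calls added in all three hunks fold ASCII only on PHP 8.2+ (locale-dependent before that), while the `/i` modifier added to the `preg_match` pattern is applied without `u`, so PCRE folds bytes according to its own character tables. For a path containing non-ASCII bytes the regex could match `$uri` while the `isset($others[strtolower($uri)])` lookup misses, or the reverse, and that lookup decides whether the named-route override or the wildcard rule wins — exactly the router/ACL disagreement this commit sets out to remove. If ASCII-only paths are the intended contract, stating it next to the first `strtolower($path)` would stop a later `mb_strtolower` change on one side only, e.g. `// ASCII case folding on purpose: must agree with the /i regex below, which is not in UTF-8 mode`. The enclosing `granted()` begins before the first hunk.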
136 changes: 81 additions & 55 deletions tests/tests.php
Expand Up @@ -166,61 +166,87 @@ function run($f3) {
'DENY DELETE /foo' => '*',
'ALLOW DELETE /foo' => 'admin',
));
$access=new \Access();
$access->policy('allow');
$f3->route('GET|POST @admin_user_new: /admin/user/new','Class->create');
$f3->route('GET|POST @admin_user_edit: /admin/user/@id','Class->edit');
$f3->route('DELETE @admin_user_delete: /admin/user/@id','Class->delete');
$access->deny('* /admin*','*');
$access->allow('* /admin*','superadmin');
$access->allow('@admin_user_new','user_admin_create');
$access->allow('@admin_user_edit','user_admin_edit');
$access->allow('@admin_user_delete','user_admin_delete');
$test->expect(
$access->granted('GET /admin/user/new','superadmin') &&
$access->granted('GET /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/new','user_admin_create') &&
$access->granted('POST /admin/user/23','user_admin_edit') &&
!$access->granted('POST /admin/user/23','client') &&
!$access->granted('GET /admin/user/new','user_admin_edit') &&
!$access->granted('POST /admin/user/new','user_admin_edit') &&
!$access->granted('GET /admin/user/23','user_admin_create') &&
!$access->granted('POST /admin/user/23','user_admin_create'),
'Static routes precedence'
);
$test->expect(
$access->granted('GET /admin/user/23','superadmin') &&
$access->granted('DELETE /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/23','user_admin_edit') &&
$access->granted('DELETE /admin/user/23','user_admin_delete') &&
!$access->granted('POST /admin/user/23','client') &&
!$access->granted('DELETE /admin/user/23','client') &&
!$access->granted('GET /admin/user/23','user_admin_create') &&
!$access->granted('POST /admin/user/23','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_edit'),
'Named route verb inheritance'
);
$access->policy('deny');
$test->expect(
$access->granted('GET /admin/user/new','superadmin') &&
$access->granted('GET /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/23','superadmin') &&
$access->granted('DELETE /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/new','user_admin_create') &&
$access->granted('POST /admin/user/23','user_admin_edit') &&
$access->granted('DELETE /admin/user/23','user_admin_delete') &&
!$access->granted('POST /admin/user/23','client') &&
!$access->granted('DELETE /admin/user/23','client') &&
!$access->granted('GET /admin/user/new','user_admin_edit') &&
!$access->granted('POST /admin/user/new','user_admin_edit') &&
!$access->granted('GET /admin/user/23','user_admin_create') &&
!$access->granted('POST /admin/user/23','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_edit'),
'Routes precedence & VERB test, reversed default policy'
);
$runs=[
1=>['/admin/user/new','/admin/user/@id','/admin*'],
2=>['/AdMin/uSeR/new','/AdMin/uSeR/@id','/aDmiN*'],
];
foreach ($runs as $run=>$strings) {
$access=new \Access();
$access->policy('allow');
$f3->route('GET|POST @admin_user_new: '.$strings[0],'Class->create');
$f3->route('GET|POST @admin_user_edit: '.$strings[1],'Class->edit');
$f3->route('DELETE @admin_user_delete: '.$strings[1],'Class->delete');
$access->deny('* '.$strings[2],'*');
$access->allow('* '.$strings[2],'superadmin');
$access->allow('@admin_user_new','user_admin_create');
$access->allow('@admin_user_edit','user_admin_edit');
$access->allow('@admin_user_delete','user_admin_delete');
$test->expect(
$access->granted('GET /admin/user/new','superadmin') &&
$access->granted('GET /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/new','user_admin_create') &&
$access->granted('POST /admin/user/23','user_admin_edit') &&
!$access->granted('POST /admin/user/23','client') &&
!$access->granted('GET /admin/user/new','user_admin_edit') &&
!$access->granted('POST /admin/user/new','user_admin_edit') &&
!$access->granted('GET /admin/user/23','user_admin_create') &&
!$access->granted('POST /admin/user/23','user_admin_create'),
'Static routes precedence (run '.$run.')'
);
$test->expect(
$access->granted('GET /admin/user/23','superadmin') &&
$access->granted('DELETE /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/23','user_admin_edit') &&
$access->granted('DELETE /admin/user/23','user_admin_delete') &&
!$access->granted('POST /admin/user/23','client') &&
!$access->granted('DELETE /admin/user/23','client') &&
!$access->granted('GET /admin/user/23','user_admin_create') &&
!$access->granted('POST /admin/user/23','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_edit'),
'Named route verb inheritance (run '.$run.')'
);
$access->policy('deny');
$test->expect(
$access->granted('GET /admin/user/new','superadmin') &&
$access->granted('GET /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/23','superadmin') &&
$access->granted('DELETE /admin/user/23','superadmin') &&
$access->granted('POST /admin/user/new','user_admin_create') &&
$access->granted('POST /admin/user/23','user_admin_edit') &&
$access->granted('DELETE /admin/user/23','user_admin_delete') &&
!$access->granted('POST /admin/user/23','client') &&
!$access->granted('DELETE /admin/user/23','client') &&
!$access->granted('GET /admin/user/new','user_admin_edit') &&
!$access->granted('POST /admin/user/new','user_admin_edit') &&
!$access->granted('GET /admin/user/23','user_admin_create') &&
!$access->granted('POST /admin/user/23','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_create') &&
!$access->granted('DELETE /admin/user/12','user_admin_edit'),
'Routes precedence & VERB test, reversed default policy (run '.$run.')'
);
$test->expect(
$access->granted('GET /Admin/User/New','superadmin') &&
$access->granted('GET /Admin/User/23','superadmin') &&
$access->granted('POST /Admin/User/23','superadmin') &&
$access->granted('DELETE /Admin/User/23','superadmin') &&
$access->granted('POST /Admin/User/New','user_admin_create') &&
$access->granted('POST /Admin/User/23','user_admin_edit') &&
$access->granted('DELETE /Admin/User/23','user_admin_delete') &&
!$access->granted('POST /Admin/User/23','client') &&
!$access->granted('DELETE /Admin/User/23','client') &&
!$access->granted('GET /Admin/User/New','user_admin_edit') &&
!$access->granted('POST /Admin/User/New','user_admin_edit') &&
!$access->granted('GET /Admin/User/23','user_admin_create') &&
!$access->granted('POST /Admin/User/23','user_admin_create') &&
!$access->granted('DELETE /Admin/User/12','user_admin_create') &&
!$access->granted('DELETE /Admin/User/12','user_admin_edit'),
'Case insensitivity test (run '.$run.')'
);
unset($f3->ROUTES[$strings[0]],$f3->ROUTES[$strings[1]]);
unset($f3->ALIASES['admin_user_new'],$f3->ALIASES['admin_user_edit'],$f3->ALIASES['admin_user_delete']);
}
$access=new \Access();
$test->expect(
!$access->granted('/') && !$access->granted('/','admin'),
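Review bot: The `$runs` table is indexed positionally (`$strings[0]`, `$strings[1]`, `$strings[2]`) with nothing saying what each slot holds, so the mixed-case second run reads as noise; a comment above it such as `// [0] static route, [1] parameterized route (shared by edit/delete), [2] wildcard ACL path; run 2 differs only in letter case` would make the intent explicit. The teardown `unset($f3->ROUTES[$strings[0]],$f3->ROUTES[$strings[1]])` presumably assumes the hive is keyed by the exact pattern string passed to `route()`; if the framework normalizes those keys, run 2's routes would survive into the tests that follow, which is worth confirming. Both ACL rules and route definitions are now exercised in mixed case, but no path contains non-ASCII characters, so the byte-wise folding of `strtolower()` in lib/access.php remains untested. `run()` begins before this hunk and continues after it.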

0 comments on commit c6e8aeb

Please sign in to comment.