Skip to content
This repository has been archived by the owner on Jul 3, 2020. It is now read-only.

Update ControllerPermissionsGuard add condition check #359

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update ControllerPermissionsGuard add condition check #359

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 36 additions & 5 deletions src/ZfcRbac/Guard/ControllerPermissionsGuard.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,8 +68,9 @@ public function __construct(AuthorizationServiceInterface $authorizationService,
*
* [
* 'controller' => 'ControllerName',
* 'actions' => []/string
* 'roles' => []/string
* 'actions' => []/string,
* 'roles' => []/string,
* 'condition' => GuardInterface::CONDITION_AND/GuardInterface::CONDITION_OR
* ]
*
* @param array $rules
Expand All @@ -84,6 +85,9 @@ public function setRules(array $rules)
$actions = isset($rule['actions']) ? (array)$rule['actions'] : [];
$permissions = (array)$rule['permissions'];

// Set condition AND is default
$this->rules[$controller][1] = isset($rule['condition'])? $rule['condition'] :GuardInterface::CONDITION_AND;

if (empty($actions)) {
$this->rules[$controller][0] = $permissions;
continue;
Expand Down Expand Up @@ -130,12 +134,39 @@ public function isGranted(MvcEvent $event)
return true;
}

foreach ($allowedPermissions as $permission) {
if (!$this->authorizationService->isGranted($permission)) {
return false;
/**
* GuardInterface::CONDITION_AND|GuardInterface::CONDITION_OR
* Default condition is 'AND' and it is set in 'setRules' method
*
* @var string Guard permissions condition
*/
$condition = $this->rules[$controller][1];

if (GuardInterface::CONDITION_AND === $condition) {
foreach ($allowedPermissions as $permission) {
if (!$this->authorizationService->isGranted($permission)) {
return false;
}
}

return true;
}

if (GuardInterface::CONDITION_OR === $condition) {
foreach ($allowedPermissions as $permission) {
if ($this->authorizationService->isGranted($permission)) {
return true;
}
}

return false;
}

throw new InvalidArgumentException(sprintf(
'Condition must be either "AND" or "OR", %s given',
is_object($condition) ? get_class($condition) : gettype($condition)
));

return true;
}
}
144 changes: 133 additions & 11 deletions tests/ZfcRbacTest/Guard/ControllerPermissionsGuardTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,9 +73,34 @@ public function rulesConversionProvider()
])
],
'expected' => [
'mycontroller' => [0 => ['post.manage']],
'mycontroller2' => [0 => ['post.update', 'post.delete']],
'mycontroller3' => [0 => ['post.manage']]
'mycontroller' => [0 => ['post.manage'], 1 => GuardInterface::CONDITION_AND,],
'mycontroller2' => [0 => ['post.update', 'post.delete'], 1 => GuardInterface::CONDITION_AND,],
'mycontroller3' => [0 => ['post.manage'], 1 => GuardInterface::CONDITION_AND,]
]
],
// Without actions condition or
[
'rules' => [
[
'controller' => 'MyController',
'permissions' => 'post.manage',
'condition' => GuardInterface::CONDITION_OR,
],
[
'controller' => 'MyController2',
'permissions' => ['post.update', 'post.delete'],
'condition' => GuardInterface::CONDITION_OR,
],
new \ArrayIterator([
'controller' => 'MyController3',
'permissions' => new \ArrayIterator(['post.manage']),
'condition' => GuardInterface::CONDITION_OR,
])
],
'expected' => [
'mycontroller' => [0 => ['post.manage'], 1 => GuardInterface::CONDITION_OR,],
'mycontroller2' => [0 => ['post.update', 'post.delete'], 1 => GuardInterface::CONDITION_OR,],
'mycontroller3' => [0 => ['post.manage'], 1 => GuardInterface::CONDITION_OR,]
]
],
// With one action
Expand All @@ -99,13 +124,53 @@ public function rulesConversionProvider()
],
'expected' => [
'mycontroller' => [
'delete' => ['permission1']
'delete' => ['permission1'],
1 => GuardInterface::CONDITION_AND,
],
'mycontroller2' => [
'delete' => ['permission2'],
1 => GuardInterface::CONDITION_AND,
],
'mycontroller3' => [
'delete' => ['permission3'],
1 => GuardInterface::CONDITION_AND,
],
]
],
// With one action and condition or
[
'rules' => [
[
'controller' => 'MyController',
'actions' => 'DELETE',
'permissions' => 'permission1',
'condition' => GuardInterface::CONDITION_OR,
],
[
'controller' => 'MyController2',
'actions' => ['delete'],
'permissions' => 'permission2',
'condition' => GuardInterface::CONDITION_OR,
],
new \ArrayIterator([
'controller' => 'MyController3',
'actions' => new \ArrayIterator(['DELETE']),
'permissions' => new \ArrayIterator(['permission3']),
'condition' => GuardInterface::CONDITION_OR,
])
],
'expected' => [
'mycontroller' => [
'delete' => ['permission1'],
1 => GuardInterface::CONDITION_OR,
],
'mycontroller2' => [
'delete' => ['permission2']
'delete' => ['permission2'],
1 => GuardInterface::CONDITION_OR,
],
'mycontroller3' => [
'delete' => ['permission3']
'delete' => ['permission3'],
1 => GuardInterface::CONDITION_OR,
],
]
],
Expand All @@ -126,11 +191,42 @@ public function rulesConversionProvider()
'expected' => [
'mycontroller' => [
'edit' => ['permission1'],
'delete' => ['permission1']
'delete' => ['permission1'],
1 => GuardInterface::CONDITION_AND,
],
'mycontroller2' => [
'edit' => ['permission2'],
'delete' => ['permission2']
'delete' => ['permission2'],
1 => GuardInterface::CONDITION_AND,
]
]
],
// With multiple actions condition or
[
'rules' => [
[
'controller' => 'MyController',
'actions' => ['EDIT', 'delete'],
'permissions' => 'permission1',
'condition' => GuardInterface::CONDITION_OR,
],
new \ArrayIterator([
'controller' => 'MyController2',
'actions' => new \ArrayIterator(['edit', 'DELETE']),
'permissions' => new \ArrayIterator(['permission2']),
'condition' => GuardInterface::CONDITION_OR,
])
],
'expected' => [
'mycontroller' => [
'edit' => ['permission1'],
'delete' => ['permission1'],
1 => GuardInterface::CONDITION_OR,
],
'mycontroller2' => [
'edit' => ['permission2'],
'delete' => ['permission2'],
1 => GuardInterface::CONDITION_OR,
]
]
],
Expand All @@ -141,17 +237,43 @@ public function rulesConversionProvider()
[
'controller' => 'MyController',
'actions' => ['edit'],
'permissions' => 'permission1'
'permissions' => 'permission1',
],
[
'controller' => 'MyController',
'permissions' => 'permission2'
'permissions' => 'permission2',
]
],
'expected' => [
'mycontroller' => [
'edit' => ['permission1'],
0 => ['permission2'],
1 => GuardInterface::CONDITION_AND,
]
]
],
// Test that that if a rule is set globally to the controller, it does not override any
// action specific rule that may have been specified before
// OR condition
[
'rules' => [
[
'controller' => 'MyController',
'actions' => ['edit'],
'permissions' => 'permission1',
'condition' => GuardInterface::CONDITION_OR
],
[
'controller' => 'MyController',
'permissions' => 'permission2',
'condition' => GuardInterface::CONDITION_OR
]
],
'expected' => [
'mycontroller' => [
'edit' => ['permission1'],
0 => ['permission2']
0 => ['permission2'],
1 => GuardInterface::CONDITION_OR,
]
]
]
Expand Down