<?php |
|
/** |
* This file is part of the eZ Publish Kernel package. |
* |
* @copyright Copyright (C) eZ Systems AS. All rights reserved. |
* @license For full copyright and license information view LICENSE file distributed with this source code. |
*/ |
namespace eZ\Publish\API\Repository\Tests\Values\User\Limitation; |
|
use eZ\Publish\API\Repository\Values\Content\Query\Criterion; |
use eZ\Publish\API\Repository\Values\Content\LocationQuery; |
use eZ\Publish\API\Repository\Values\User\Limitation\ContentTypeLimitation; |
use eZ\Publish\API\Repository\Values\User\Limitation\SectionLimitation; |
use eZ\Publish\API\Repository\Values\User\Limitation\SubtreeLimitation; |
use eZ\Publish\API\Repository\Values\User\RoleCreateStruct; |
use eZ\Publish\API\Repository\Values\User\UserGroup; |
|
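class RolePolicyLimitationTest extends BaseLimitationTest
{
    /**
     * Data provider for {@see testRolePoliciesWithOverlappingLimitations}.
     *
     * Each row is: expected Location count for the '/1/2/' subtree, module of the
     * wide (limitation-free) policy, function of the wide policy.
     *
     * @return array[]
     */
    public function providerForTestRolePoliciesWithOverlappingLimitations()
    {
        // get actual locations count for the given subtree when user is (by default) an admin
        $actualSubtreeLocationsCount = $this->getSubtreeLocationsCount('/1/2/');
        // A zero baseline would make every "same result as admin" expectation below trivially true.
        $this->assertGreaterThan(0, $actualSubtreeLocationsCount);

        return [
            [$actualSubtreeLocationsCount, 'content', '*'],
            [$actualSubtreeLocationsCount, 'content', 'read'],
            [$actualSubtreeLocationsCount, '*', '*'],
            // different module / all functions should not overlap other policies
            [0, 'user', '*'],
        ];
    }

    /**
     * Test if role with wider policy is not overlapped by limitation (uncovered in EZP-26476).
     *
     * The role combines a limitation-free policy with a content/read policy narrowed by
     * ContentType and Section limitations, and is assigned to a group under a Subtree
     * limitation. Two properties are checked for a member of that group: the narrower
     * policy must not hide what the wide policy grants inside the subtree, and nothing
     * outside the role assignment's subtree may be returned.
     *
     * @dataProvider providerForTestRolePoliciesWithOverlappingLimitations
     * @param int $expectedSubtreeLocationsCount
     * @param string $widePolicyModule
     * @param string $widePolicyFunction
     */
    public function testRolePoliciesWithOverlappingLimitations(
        $expectedSubtreeLocationsCount,
        $widePolicyModule,
        $widePolicyFunction
    ) {
        $repository = $this->getRepository();
        $roleService = $repository->getRoleService();

        $subtreePathString = '/1/2/';

        // EZP-26476 use case:

        // create new role with overlapping limitation
        $roleName = 'role_with_overlapping_policies';
        $roleCreateStruct = $roleService->newRoleCreateStruct($roleName);

        $this->addPolicyToNewRole($roleCreateStruct, $widePolicyModule, $widePolicyFunction, []);
        $this->addPolicyToNewRole($roleCreateStruct, 'user', 'login', []);
        $this->addPolicyToNewRole($roleCreateStruct, 'content', 'read', [
            new ContentTypeLimitation([
                'limitationValues' => [4, 3],
            ]),
            new SectionLimitation([
                'limitationValues' => [2],
            ]),
        ]);

        $roleService->publishRoleDraft(
            $roleService->createRole($roleCreateStruct)
        );

        $role = $roleService->loadRoleByIdentifier($roleName);

        // create group and assign new role to that group, limited by subtree
        $userGroup = $this->createGroup('Test group', 'eng-US', 4);
        $roleService->assignRoleToUserGroup($role, $userGroup, new SubtreeLimitation([
            'limitationValues' => [$subtreePathString],
        ]));

        // create user assigned to the just created group
        $user = $this->createUserInGroup($userGroup);
        // Repository::setCurrentUser() is deprecated; the permission resolver is its replacement
        // for switching the user that subsequent permission checks are evaluated against.
        $repository->getPermissionResolver()->setCurrentUserReference($user);

        $this->refreshSearch($repository);

        // assertEquals() compares loosely, so a null count would satisfy an expected 0.
        // Require a real count first so the "no access" expectations cannot pass vacuously.
        $limitedSubtreeCount = $this->getSubtreeLocationsCount($subtreePathString);
        $this->assertNotNull($limitedSubtreeCount, 'Search did not report a total count for the limited subtree');

        // check if searching by subtree returns the same result as for an admin
        $this->assertEquals($expectedSubtreeLocationsCount, $limitedSubtreeCount);

        // NOTE(review): nothing here confirms that '/1/5/' holds Locations for an unrestricted
        // user; if that subtree were empty the zero-result check would prove nothing — confirm
        // against the fixture data.
        $outsideSubtreeCount = $this->getSubtreeLocationsCount('/1/5/');
        $this->assertNotNull($outsideSubtreeCount, 'Search did not report a total count outside the limited subtree');

        // check if searching by subtree which is not a part of role assignment limitation does not return results
        $this->assertEquals(0, $outsideSubtreeCount);
    }

    /**
     * Perform search by the Subtree Criterion for the given subtree path and return results count.
     *
     * The search is executed through the repository's search service, so the count
     * depends on whichever user is current on the repository at call time.
     *
     * @param string $subtreePathString
     * @return int|null
     */
    protected function getSubtreeLocationsCount($subtreePathString)
    {
        $query = new LocationQuery([
            'filter' => new Criterion\Subtree($subtreePathString),
        ]);

        return $this->getRepository()->getSearchService()->findLocations($query)->totalCount;
    }

    /**
     * Create test User in the given User Group.
     *
     * @param \eZ\Publish\API\Repository\Values\User\UserGroup $group
     * @return \eZ\Publish\API\Repository\Values\User\User
     */
    protected function createUserInGroup(UserGroup $group)
    {
        $userService = $this->getRepository()->getUserService();

        // Instantiate a create struct with mandatory properties
        $userCreateStruct = $userService->newUserCreateStruct(
            'user',
            // Constructed placeholder on a reserved example domain: the address in this
            // listing was masked by the hosting page ("[email protected]") and is not a valid email.
            'user@example.com',
            // Fixture-only credential for a throwaway test account.
            'secret',
            'eng-US'
        );
        $userCreateStruct->enabled = true;

        // Set some fields required by the user ContentType
        $userCreateStruct->setField('first_name', 'Example');
        $userCreateStruct->setField('last_name', 'User');

        // Create a new user instance.
        return $userService->createUser($userCreateStruct, [$group]);
    }

    /**
     * Add policy to a new role.
     *
     * An empty $limitations array produces a policy without limitations, which is how
     * the tests above build the "wide" policy.
     *
     * @param \eZ\Publish\API\Repository\Values\User\RoleCreateStruct $roleCreateStruct
     * @param string $module
     * @param string $function
     * @param \eZ\Publish\API\Repository\Values\User\Limitation[] $limitations
     */
    protected function addPolicyToNewRole(RoleCreateStruct $roleCreateStruct, $module, $function, array $limitations)
    {
        $policyCreateStruct = $this->getRepository()->getRoleService()->newPolicyCreateStruct($module, $function);
        foreach ($limitations as $limitation) {
            $policyCreateStruct->addLimitation($limitation);
        }
        $roleCreateStruct->addPolicy($policyCreateStruct);
    }

    /**
     * Create User Group.
     *
     * @param string $groupName
     * @param string $mainLanguageCode
     * @param int $parentGroupId
     * @return \eZ\Publish\API\Repository\Values\User\UserGroup
     */
    protected function createGroup($groupName, $mainLanguageCode, $parentGroupId)
    {
        $userService = $this->getRepository()->getUserService();

        $userGroupCreateStruct = $userService->newUserGroupCreateStruct($mainLanguageCode);
        $parentGroup = $userService->loadUserGroup($parentGroupId);
        $userGroupCreateStruct->setField('name', $groupName);

        return $userService->createUserGroup($userGroupCreateStruct, $parentGroup);
    }
}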
Analyzer note (it appears to refer to the `setCurrentUser()` call in `testRolePoliciesWithOverlappingLimitations`): This method has been deprecated. The supplier of the class has provided an explanatory message.
That message should give you some clue as to whether and when the method will be removed from the class, and which other method or class to use instead.