Completed
Push — EZEE-2932 ( 56d766...1a1757 )
by
unknown
39:19 queued 18:43
created

testHasAccessForCurrentUserYes()   A

Complexity

Conditions 1
Paths 1

Size

Total Lines 24

Duplication

Lines 24
Ratio 100 %

Importance

Changes 0
Metric Value
cc 1
nc 1
nop 0
dl 24
loc 24
rs 9.536
c 0
b 0
f 0
1
<?php
2
3
/**
4
 * @copyright Copyright (C) eZ Systems AS. All rights reserved.
5
 * @license For full copyright and license information view LICENSE file distributed with this source code.
6
 */
7
namespace eZ\Publish\API\Repository\Tests;
8
9
use function array_filter;
10
use eZ\Publish\API\Repository\Repository;
11
use eZ\Publish\API\Repository\Values\Content\ContentCreateStruct;
12
use eZ\Publish\API\Repository\Values\User\Limitation;
13
use eZ\Publish\API\Repository\Values\User\LookupLimitationResult;
14
use eZ\Publish\API\Repository\Values\User\LookupPolicyLimitations;
15
use eZ\Publish\API\Repository\Values\ValueObject;
16
use eZ\Publish\Core\Repository\Values\User\UserReference;
17
18
/**
19
 *  Test case for operations in the PermissionResolver.
20
 *
21
 * @see \eZ\Publish\API\Repository\PermissionResolver
22
 * @group integration
23
 * @group permission
24
 */
25
class PermissionResolverTest extends BaseTest
26
{
27
    /**
28
     * Test for the getCurrentUser() method.
29
     *
30
     * @see \eZ\Publish\API\Repository\PermissionResolver::getCurrentUserReference()
31
     */
32
    public function testGetCurrentUserReferenceReturnsAnonymousUserReference()
33
    {
34
        $repository = $this->getRepository();
35
        $anonymousUserId = $this->generateId('user', 10);
36
        $repository->getPermissionResolver()->setCurrentUserReference(
37
            new UserReference($anonymousUserId)
38
        );
39
40
        /* BEGIN: Use Case */
41
        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
42
        // Publish demo installation.
43
        // Only a UserReference has previously been set to the $repository
44
45
        $permissionResolver = $repository->getPermissionResolver();
46
        $anonymousUserReference = $permissionResolver->getCurrentUserReference();
47
        /* END: Use Case */
48
49
        $this->assertInstanceOf(
50
            'eZ\Publish\API\Repository\Values\User\UserReference',
51
            $anonymousUserReference
52
        );
53
        $this->assertEquals(
54
            $anonymousUserReference->getUserId(),
55
            $repository->getUserService()->loadUser($anonymousUserId)->id
56
        );
57
    }
58
59
    /**
60
     * Test for the setCurrentUser() method.
61
     *
62
     * @see \eZ\Publish\API\Repository\PermissionResolver::setCurrentUserReference()
63
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
64
     */
65 View Code Duplication
    public function testSetCurrentUserReference()
66
    {
67
        $repository = $this->getRepository();
68
        $repository->getPermissionResolver()->setCurrentUserReference(
69
            new UserReference(
70
                $this->generateId('user', 10)
71
            )
72
        );
73
74
        $administratorUserId = $this->generateId('user', 14);
75
76
        /* BEGIN: Use Case */
77
        // $administratorUserId contains the ID of the administrator user
78
79
        $permissionResolver = $repository->getPermissionResolver();
80
81
        $userService = $repository->getUserService();
82
83
        // Load administrator user
84
        $administratorUser = $userService->loadUser($administratorUserId);
85
86
        // Set administrator user as current user reference
87
        $permissionResolver->setCurrentUserReference($administratorUser);
88
        /* END: Use Case */
89
90
        $this->assertEquals(
91
            $administratorUserId,
92
            $permissionResolver->getCurrentUserReference()->getUserId()
93
        );
94
95
        $this->assertSame(
96
            $administratorUser,
97
            $permissionResolver->getCurrentUserReference()
98
        );
99
    }
100
101
    /**
102
     * Test for the hasAccess() method.
103
     *
104
     * @see \eZ\Publish\API\Repository\PermissionResolver::hasAccess()
105
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
106
     */
107
    public function testHasAccessWithAnonymousUserNo()
108
    {
109
        $repository = $this->getRepository();
110
111
        $anonymousUserId = $this->generateId('user', 10);
112
113
        /* BEGIN: Use Case */
114
        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
115
        // Publish demo installation.
116
117
        $userService = $repository->getUserService();
118
        $permissionResolver = $repository->getPermissionResolver();
119
120
        // Load anonymous user
121
        $anonymousUser = $userService->loadUser($anonymousUserId);
122
123
        // This call will return false because anonymous user does not have access
124
        // to content removal
125
        $hasAccess = $permissionResolver->hasAccess('content', 'remove', $anonymousUser);
126
        /* END: Use Case */
127
128
        $this->assertFalse($hasAccess);
129
    }
130
131
    /**
132
     * Test for the hasAccess() method.
133
     *
134
     * @see \eZ\Publish\API\Repository\PermissionResolver::hasAccess()
135
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
136
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessWithAnonymousUserNo
137
     */
138 View Code Duplication
    public function testHasAccessForCurrentUserNo()
139
    {
140
        $repository = $this->getRepository();
141
142
        $anonymousUserId = $this->generateId('user', 10);
143
144
        /* BEGIN: Use Case */
145
        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
146
        // Publish demo installation.
147
148
        $userService = $repository->getUserService();
149
        $permissionResolver = $repository->getPermissionResolver();
150
151
        // Load anonymous user
152
        $anonymousUser = $userService->loadUser($anonymousUserId);
153
154
        // Set anonymous user as current user reference
155
        $permissionResolver->setCurrentUserReference($anonymousUser);
156
157
        // This call will return false because anonymous user does not have access
158
        // to content removal
159
        $hasAccess = $permissionResolver->hasAccess('content', 'remove');
160
        /* END: Use Case */
161
162
        $this->assertFalse($hasAccess);
163
    }
164
165
    /**
166
     * Test for the hasAccess() method.
167
     *
168
     * @see \eZ\Publish\API\Repository\PermissionResolver::hasAccess()
169
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
170
     */
171
    public function testHasAccessWithAdministratorUser()
172
    {
173
        $repository = $this->getRepository();
174
175
        $administratorUserId = $this->generateId('user', 14);
176
177
        /* BEGIN: Use Case */
178
        // $administratorUserId contains the ID of the administrator user
179
180
        $userService = $repository->getUserService();
181
        $permissionResolver = $repository->getPermissionResolver();
182
183
        // Load administrator user
184
        $administratorUser = $userService->loadUser($administratorUserId);
185
186
        // This call will return true
187
        $hasAccess = $permissionResolver->hasAccess('content', 'read', $administratorUser);
188
        /* END: Use Case */
189
190
        $this->assertTrue($hasAccess);
191
    }
192
193
    /**
194
     * Test for the hasAccess() method.
195
     *
196
     * @see \eZ\Publish\API\Repository\PermissionResolver::hasAccess()
197
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
198
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testSetCurrentUserReference
199
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessWithAdministratorUser
200
     */
201 View Code Duplication
    public function testHasAccessForCurrentUserYes()
202
    {
203
        $repository = $this->getRepository();
204
205
        $administratorUserId = $this->generateId('user', 14);
206
207
        /* BEGIN: Use Case */
208
        // $administratorUserId contains the ID of the administrator user
209
210
        $userService = $repository->getUserService();
211
        $permissionResolver = $repository->getPermissionResolver();
212
213
        // Load administrator user
214
        $administratorUser = $userService->loadUser($administratorUserId);
215
216
        // Set administrator user as current user reference
217
        $permissionResolver->setCurrentUserReference($administratorUser);
218
219
        // This call will return true
220
        $hasAccess = $permissionResolver->hasAccess('content', 'read');
221
        /* END: Use Case */
222
223
        $this->assertTrue($hasAccess);
224
    }
225
226
    /**
227
     * Test for the hasAccess() method.
228
     *
229
     * @see \eZ\Publish\API\Repository\PermissionResolver::hasAccess()
230
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
231
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testSetCurrentUserReference
232
     */
233 View Code Duplication
    public function testHasAccessLimited()
234
    {
235
        $repository = $this->getRepository();
236
237
        /* BEGIN: Use Case */
238
        $user = $this->createUserVersion1();
239
240
        $permissionResolver = $repository->getPermissionResolver();
241
242
        // Set created user as current user reference
243
        $permissionResolver->setCurrentUserReference($user);
244
245
        // This call will return an array of permission sets describing user's access
246
        // to reading content
247
        $permissionSets = $permissionResolver->hasAccess('content', 'read');
248
        /* END: Use Case */
249
250
        $this->assertInternalType(
0 ignored issues
show
Deprecated Code introduced by
The method PHPUnit\Framework\Assert::assertInternalType() has been deprecated with message: https://github.com/sebastianbergmann/phpunit/issues/3369

This method has been deprecated. The supplier of the class has supplied an explanatory message.

The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead.

Loading history...
251
            'array',
252
            $permissionSets
253
        );
254
        $this->assertNotEmpty($permissionSets);
255
    }
256
257
    /**
258
     * Test for the canUser() method.
259
     *
260
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
261
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
262
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
263
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessForCurrentUserNo
264
     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
265
     */
266
    public function testCanUserForAnonymousUserNo()
267
    {
268
        $repository = $this->getRepository();
269
270
        $homeId = $this->generateId('object', 57);
271
272
        $anonymousUserId = $this->generateId('user', 10);
273
        /* BEGIN: Use Case */
274
        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
275
        // Publish demo installation.
276
        // $homeId contains the ID of the "Home" frontpage
277
278
        $contentService = $repository->getContentService();
279
        $userService = $repository->getUserService();
280
        $permissionResolver = $repository->getPermissionResolver();
281
282
        // Load anonymous user
283
        $anonymousUser = $userService->loadUser($anonymousUserId);
284
285
        // Set anonymous user as current user reference
286
        $permissionResolver->setCurrentUserReference($anonymousUser);
287
288
        // Load the ContentInfo for "Home" frontpage
289
        $contentInfo = $contentService->loadContentInfo($homeId);
290
291
        // This call will return false because anonymous user does not have access
292
        // to content removal and hence no permission to remove given content
293
        $canUser = $permissionResolver->canUser('content', 'remove', $contentInfo);
294
295
        // Performing an action without necessary permissions will fail with "UnauthorizedException"
296
        if (!$canUser) {
297
            $contentService->deleteContent($contentInfo);
298
        }
299
        /* END: Use Case */
300
    }
301
302
    /**
303
     * Test for the canUser() method.
304
     *
305
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
306
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
307
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
308
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessForCurrentUserYes
309
     * @expectedException \eZ\Publish\API\Repository\Exceptions\NotFoundException
310
     */
311 View Code Duplication
    public function testCanUserForAdministratorUser()
312
    {
313
        $repository = $this->getRepository();
314
315
        $administratorUserId = $this->generateId('user', 14);
316
        $homeId = $this->generateId('object', 57);
317
318
        /* BEGIN: Use Case */
319
        // $administratorUserId contains the ID of the administrator user
320
        // $homeId contains the ID of the "Home" frontpage
321
322
        $contentService = $repository->getContentService();
323
        $userService = $repository->getUserService();
324
        $permissionResolver = $repository->getPermissionResolver();
325
326
        // Load administrator user
327
        $administratorUser = $userService->loadUser($administratorUserId);
328
329
        // Set administrator user as current user reference
330
        $permissionResolver->setCurrentUserReference($administratorUser);
331
332
        // Load the ContentInfo for "Home" frontpage
333
        $contentInfo = $contentService->loadContentInfo($homeId);
334
335
        // This call will return true
336
        $canUser = $permissionResolver->canUser('content', 'remove', $contentInfo);
337
338
        // Performing an action having necessary permissions will succeed
339
        $contentService->deleteContent($contentInfo);
340
        /* END: Use Case */
341
342
        $this->assertTrue($canUser);
343
        $contentService->loadContent($homeId);
344
    }
345
346
    /**
347
     * Test for the canUser() method.
348
     *
349
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
350
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
351
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
352
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessLimited
353
     */
354 View Code Duplication
    public function testCanUserWithLimitationYes()
355
    {
356
        $repository = $this->getRepository();
357
358
        $imagesFolderId = $this->generateId('object', 49);
359
360
        /* BEGIN: Use Case */
361
        // $imagesFolderId contains the ID of the "Images" folder
362
363
        $user = $this->createUserVersion1();
364
365
        $permissionResolver = $repository->getPermissionResolver();
366
367
        // Set created user as current user reference
368
        $permissionResolver->setCurrentUserReference($user);
369
370
        $contentService = $repository->getContentService();
371
372
        // Performing an action having necessary permissions will succeed
373
        $imagesFolder = $contentService->loadContent($imagesFolderId);
374
375
        // This call will return true
376
        $canUser = $permissionResolver->canUser('content', 'read', $imagesFolder);
377
        /* END: Use Case */
378
379
        $this->assertTrue($canUser);
380
    }
381
382
    /**
383
     * Test for the canUser() method.
384
     *
385
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
386
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
387
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
388
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessLimited
389
     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
390
     */
391 View Code Duplication
    public function testCanUserWithLimitationNo()
392
    {
393
        $repository = $this->getRepository();
394
395
        $administratorUserId = $this->generateId('user', 14);
396
397
        /* BEGIN: Use Case */
398
        // $administratorUserId contains the ID of the administrator user
399
400
        $user = $this->createUserVersion1();
401
402
        $permissionResolver = $repository->getPermissionResolver();
403
404
        // Set created user as current user reference
405
        $permissionResolver->setCurrentUserReference($user);
406
407
        $userService = $repository->getUserService();
408
409
        // Load administrator user using UserService, this does not check for permissions
410
        $administratorUser = $userService->loadUser($administratorUserId);
411
412
        // This call will return false as user with Editor role does not have
413
        // permission to read "Users" subtree
414
        $canUser = $permissionResolver->canUser('content', 'read', $administratorUser);
415
416
        $contentService = $repository->getContentService();
417
418
        // Performing an action without necessary permissions will fail with "UnauthorizedException"
419
        if (!$canUser) {
420
            $content = $contentService->loadContent($administratorUserId);
0 ignored issues
show
Unused Code introduced by
$content is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
421
        }
422
        /* END: Use Case */
423
    }
424
425
    /**
426
     * Test for the canUser() method.
427
     *
428
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
429
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
430
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentTypeService
431
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testSetCurrentUserReference
432
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessLimited
433
     * @expectedException \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
434
     */
435 View Code Duplication
    public function testCanUserThrowsInvalidArgumentException()
436
    {
437
        $repository = $this->getRepository();
438
439
        $userGroupContentTypeId = $this->generateId('type', 3);
440
441
        /* BEGIN: Use Case */
442
        // $userGroupContentTypeId contains the ID of the "UserGroup" ContentType
443
444
        $user = $this->createUserVersion1();
445
446
        $permissionResolver = $repository->getPermissionResolver();
447
448
        // Set created user as current user reference
449
        $permissionResolver->setCurrentUserReference($user);
450
451
        $contentTypeService = $repository->getContentTypeService();
452
453
        // Load the "UserGroup" ContentType
454
        $userGroupContentType = $contentTypeService->loadContentType($userGroupContentTypeId);
455
456
        // This call will throw "InvalidArgumentException" because $userGroupContentType
457
        // is an instance of \eZ\Publish\API\Repository\Values\ContentType\ContentType,
458
        // which can not be checked for user access
459
        $canUser = $permissionResolver->canUser('content', 'create', $userGroupContentType);
0 ignored issues
show
Unused Code introduced by
$canUser is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
460
        /* END: Use Case */
461
    }
462
463
    /**
464
     * Test for the canUser() method.
465
     *
466
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
467
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
468
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
469
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentTypeService
470
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessLimited
471
     */
472 View Code Duplication
    public function testCanUserWithTargetYes()
473
    {
474
        $repository = $this->getRepository();
475
476
        $homeLocationId = $this->generateId('location', 2);
477
478
        /* BEGIN: Use Case */
479
        // $homeLocationId contains the ID of the "Home" location
480
481
        $user = $this->createUserVersion1();
482
483
        $permissionResolver = $repository->getPermissionResolver();
484
485
        // Set created user as current user reference
486
        $permissionResolver->setCurrentUserReference($user);
487
488
        $contentTypeService = $repository->getContentTypeService();
489
490
        $contentType = $contentTypeService->loadContentTypeByIdentifier('forums');
491
492
        $contentService = $repository->getContentService();
493
494
        $contentCreateStruct = $contentService->newContentCreateStruct($contentType, 'eng-US');
495
        $contentCreateStruct->setField('title', 'My awesome forums');
496
        $contentCreateStruct->remoteId = 'abcdef0123456789abcdef0123456789';
497
        $contentCreateStruct->alwaysAvailable = true;
498
499
        $locationService = $repository->getLocationService();
500
        $locationCreateStruct = $locationService->newLocationCreateStruct($homeLocationId);
501
502
        // This call will return true
503
        $canUser = $permissionResolver->canUser(
504
            'content',
505
            'create',
506
            $contentCreateStruct,
507
            [$locationCreateStruct]
508
        );
509
510
        // Performing an action having necessary permissions will succeed
511
        $contentDraft = $contentService->createContent(
512
            $contentCreateStruct,
513
            [$locationCreateStruct]
514
        );
515
        /* END: Use Case */
516
517
        $this->assertTrue($canUser);
518
        $this->assertEquals(
519
            'My awesome forums',
520
            $contentDraft->getFieldValue('title')->text
521
        );
522
    }
523
524
    /**
525
     * Test for the canUser() method.
526
     *
527
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
528
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
529
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
530
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentTypeService
531
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessLimited
532
     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
533
     */
534 View Code Duplication
    public function testCanUserWithTargetNo()
535
    {
536
        $repository = $this->getRepository();
537
538
        $homeLocationId = $this->generateId('location', 2);
539
540
        /* BEGIN: Use Case */
541
        // $homeLocationId contains the ID of the "Home" frontpage location
542
543
        $user = $this->createUserVersion1();
544
545
        $permissionResolver = $repository->getPermissionResolver();
546
547
        // Set created user as current user reference
548
        $permissionResolver->setCurrentUserReference($user);
549
550
        $contentTypeService = $repository->getContentTypeService();
551
552
        $contentType = $contentTypeService->loadContentTypeByIdentifier('forum');
553
554
        $contentService = $repository->getContentService();
555
556
        $contentCreateStruct = $contentService->newContentCreateStruct($contentType, 'eng-US');
557
        $contentCreateStruct->setField('name', 'My awesome forum');
558
        $contentCreateStruct->remoteId = 'abcdef0123456789abcdef0123456789';
559
        $contentCreateStruct->alwaysAvailable = true;
560
561
        $locationService = $repository->getLocationService();
562
        $locationCreateStruct = $locationService->newLocationCreateStruct($homeLocationId);
563
564
        // This call will return false because user with Editor role has permission to
565
        // create "forum" type content only under "folder" type content.
566
        $canUser = $permissionResolver->canUser(
567
            'content',
568
            'create',
569
            $contentCreateStruct,
570
            [$locationCreateStruct]
571
        );
572
573
        // Performing an action without necessary permissions will fail with "UnauthorizedException"
574
        if (!$canUser) {
575
            $contentDraft = $contentService->createContent(
0 ignored issues
show
Unused Code introduced by
$contentDraft is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
576
                $contentCreateStruct,
577
                [$locationCreateStruct]
578
            );
579
        }
580
        /* END: Use Case */
581
    }
582
583
    /**
584
     * Test for the canUser() method.
585
     *
586
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
587
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
588
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
589
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentTypeService
590
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessLimited
591
     */
592 View Code Duplication
    public function testCanUserWithMultipleTargetsYes()
593
    {
594
        $repository = $this->getRepository();
595
596
        $imagesLocationId = $this->generateId('location', 51);
597
        $filesLocationId = $this->generateId('location', 52);
598
599
        /* BEGIN: Use Case */
600
        // $imagesLocationId contains the ID of the "Images" location
601
        // $filesLocationId contains the ID of the "Files" location
602
603
        $user = $this->createUserVersion1();
604
605
        $permissionResolver = $repository->getPermissionResolver();
606
607
        // Set created user as current user reference
608
        $permissionResolver->setCurrentUserReference($user);
609
610
        $contentTypeService = $repository->getContentTypeService();
611
612
        $contentType = $contentTypeService->loadContentTypeByIdentifier('folder');
613
614
        $contentService = $repository->getContentService();
615
616
        $contentCreateStruct = $contentService->newContentCreateStruct($contentType, 'eng-US');
617
        $contentCreateStruct->setField('name', 'My multipurpose folder');
618
        $contentCreateStruct->remoteId = 'abcdef0123456789abcdef0123456789';
619
        $contentCreateStruct->alwaysAvailable = true;
620
621
        $locationService = $repository->getLocationService();
622
        $locationCreateStruct1 = $locationService->newLocationCreateStruct($imagesLocationId);
623
        $locationCreateStruct2 = $locationService->newLocationCreateStruct($filesLocationId);
624
        $locationCreateStructs = [$locationCreateStruct1, $locationCreateStruct2];
625
626
        // This call will return true
627
        $canUser = $permissionResolver->canUser(
628
            'content',
629
            'create',
630
            $contentCreateStruct,
631
            $locationCreateStructs
632
        );
633
634
        // Performing an action having necessary permissions will succeed
635
        $contentDraft = $contentService->createContent($contentCreateStruct, $locationCreateStructs);
636
        /* END: Use Case */
637
638
        $this->assertTrue($canUser);
639
        $this->assertEquals(
640
            'My multipurpose folder',
641
            $contentDraft->getFieldValue('name')->text
642
        );
643
    }
644
645
    /**
646
     * Test for the canUser() method.
647
     *
648
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
649
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
650
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
651
     * @depends eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentTypeService
652
     * @depends eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessLimited
653
     * @expectedException \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
654
     */
655 View Code Duplication
    public function testCanUserWithMultipleTargetsNo()
656
    {
657
        $repository = $this->getRepository();
658
659
        $homeLocationId = $this->generateId('location', 2);
660
        $administratorUsersLocationId = $this->generateId('location', 13);
661
662
        /* BEGIN: Use Case */
663
        // $homeLocationId contains the ID of the "Home" location
664
        // $administratorUsersLocationId contains the ID of the "Administrator users" location
665
666
        $user = $this->createUserVersion1();
667
668
        $permissionResolver = $repository->getPermissionResolver();
669
670
        // Set created user as current user reference
671
        $permissionResolver->setCurrentUserReference($user);
672
673
        $contentTypeService = $repository->getContentTypeService();
674
675
        $contentType = $contentTypeService->loadContentTypeByIdentifier('forums');
676
677
        $contentService = $repository->getContentService();
678
679
        $contentCreateStruct = $contentService->newContentCreateStruct($contentType, 'eng-US');
680
        $contentCreateStruct->setField('name', 'My awesome forums');
681
        $contentCreateStruct->remoteId = 'abcdef0123456789abcdef0123456789';
682
        $contentCreateStruct->alwaysAvailable = true;
683
684
        $locationService = $repository->getLocationService();
685
        $locationCreateStruct1 = $locationService->newLocationCreateStruct($homeLocationId);
686
        $locationCreateStruct2 = $locationService->newLocationCreateStruct($administratorUsersLocationId);
687
        $locationCreateStructs = [$locationCreateStruct1, $locationCreateStruct2];
688
689
        // This call will return false because user with Editor role does not have permission to
690
        // create content in the "Administrator users" location subtree
691
        $canUser = $permissionResolver->canUser(
692
            'content',
693
            'create',
694
            $contentCreateStruct,
695
            $locationCreateStructs
696
        );
697
698
        // Performing an action without necessary permissions will fail with "UnauthorizedException"
699
        if (!$canUser) {
700
            $contentDraft = $contentService->createContent($contentCreateStruct, $locationCreateStructs);
0 ignored issues
show
Unused Code introduced by
$contentDraft is not used, you could remove the assignment.

This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently.

$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

Both the $myVar assignment in line 1 and the $higher assignment in line 2 are dead. The first because $myVar is never used and the second because $higher is always overwritten for every possible time line.

Loading history...
701
        }
702
        /* END: Use Case */
703
    }
704
705
    /**
706
     * Test for the canUser() method.
707
     *
708
     * @see \eZ\Publish\API\Repository\PermissionResolver::canUser()
709
     * @expectedException \eZ\Publish\API\Repository\Exceptions\BadStateException
710
     */
711
    public function testCanUserThrowsBadStateException()
712
    {
713
        $this->markTestIncomplete(
714
            'Cannot be tested on current fixture since policy with unsupported limitation value is not available.'
715
        );
716
    }
717
718
    /**
719
     * Test PermissionResolver::canUser for Users with different Limitations.
720
     *
721
     * @covers       \eZ\Publish\API\Repository\PermissionResolver::canUser
722
     *
723
     * @dataProvider getDataForTestCanUserWithLimitations
724
     *
725
     * @param \eZ\Publish\API\Repository\Values\User\Limitation $limitation
726
     * @param string $module
727
     * @param string $function
728
     * @param \eZ\Publish\API\Repository\Values\ValueObject $object
729
     * @param array $targets
730
     * @param bool $expectedResult expected result of canUser check
731
     *
732
     * @throws \eZ\Publish\API\Repository\Exceptions\BadStateException
733
     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
734
     */
735
    public function testCanUserWithLimitations(
736
        Limitation $limitation,
737
        $module,
738
        $function,
739
        ValueObject $object,
740
        array $targets,
741
        $expectedResult
742
    ) {
743
        $repository = $this->getRepository();
744
        $userService = $repository->getUserService();
745
        $roleService = $repository->getRoleService();
746
        $permissionResolver = $repository->getPermissionResolver();
747
748
        $role = $this->createRoleWithPolicies(
749
            'role_' . __FUNCTION__,
750
            [
751
                ['module' => $module, 'function' => $function, 'limitations' => [$limitation]],
752
            ]
753
        );
754
        // create user in root user group to avoid overlapping of existing policies and limitations
755
        $user = $this->createUser('user', 'John', 'Doe', $userService->loadUserGroup(4));
756
        $roleLimitation = $limitation instanceof Limitation\RoleLimitation ? $limitation : null;
757
        $roleService->assignRoleToUser($role, $user, $roleLimitation);
758
759
        $permissionResolver->setCurrentUserReference($user);
760
761
        self::assertEquals(
762
            $expectedResult,
763
            $permissionResolver->canUser($module, $function, $object, $targets)
764
        );
765
    }
766
767
    /**
768
     * Data provider for testCanUserWithLimitations.
769
     * @see testCanUserWithLimitations
770
     *
771
     * @return array
772
     *
773
     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
774
     */
775
    public function getDataForTestCanUserWithLimitations()
776
    {
777
        $repository = $this->getRepository();
778
        $contentService = $repository->getContentService();
779
        $contentTypeService = $repository->getContentTypeService();
780
781
        $contentType = $contentTypeService->loadContentTypeByIdentifier('folder');
782
783
        $contentCreateStruct = $contentService->newContentCreateStruct($contentType, 'eng-US');
784
        $contentCreateStruct->sectionId = 2;
785
786
        // return data sets, numbered for readability and debugging
787
        return [
788
            0 => [
789
                new Limitation\SubtreeLimitation(['limitationValues' => ['/1/2/']]),
790
                'content',
791
                'create',
792
                $contentCreateStruct,
793
                [],
794
                false,
795
            ],
796
            1 => [
797
                new Limitation\SectionLimitation(['limitationValues' => [2]]),
798
                'content',
799
                'create',
800
                $contentCreateStruct,
801
                [],
802
                true,
803
            ],
804
            2 => [
805
                new Limitation\ParentContentTypeLimitation(['limitationValues' => [1]]),
806
                'content',
807
                'create',
808
                $contentCreateStruct,
809
                [],
810
                false,
811
            ],
812
            3 => [
813
                new Limitation\ParentContentTypeLimitation(['limitationValues' => [3]]), // parent type has to be the UserGroup
814
                'content',
815
                'create',
816
                $contentService->loadContentInfo(14), // content type user (Administrator)
817
                [],
818
                true,
819
            ],
820
        ];
821
    }
822
823
    /**
824
     * Test for the lookupLimitations() method.
825
     *
826
     * @see \eZ\Publish\API\Repository\PermissionResolver::lookupLimitations()
827
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
828
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
829
     * @depends \eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessForCurrentUserNo
830
     */
831 View Code Duplication
    public function testLookupLimitationsForAnonymousUserHasNoAccess(): void
832
    {
833
        $repository = $this->getRepository();
834
835
        $homeId = $this->generateId('object', 57);
836
837
        $anonymousUserId = $this->generateId('user', 10);
838
        /* BEGIN: Use Case */
839
        // $anonymousUserId is the ID of the "Anonymous" user in a eZ
840
        // Publish demo installation.
841
        // $homeId contains the ID of the "Home" frontpage
842
843
        $contentService = $repository->getContentService();
844
        $userService = $repository->getUserService();
845
        $permissionResolver = $repository->getPermissionResolver();
846
847
        // Load anonymous user
848
        $anonymousUser = $userService->loadUser($anonymousUserId);
849
850
        // Set anonymous user as current user reference
851
        $permissionResolver->setCurrentUserReference($anonymousUser);
852
853
        // Load the ContentInfo for "Home" frontpage
854
        $contentInfo = $contentService->loadContentInfo($homeId);
855
856
        // `$lookupLimitations->hasAccess` will return false because anonymous user does not have access
857
        // to content removal and hence no permission to remove given content. `$lookupLimitations->lookupPolicyLimitations`
858
        // will be empty array
859
        $lookupLimitations = $permissionResolver->lookupLimitations('content', 'remove', $contentInfo);
860
        /* END: Use Case */
861
862
        $this->assertFalse($lookupLimitations->hasAccess);
863
        $this->assertEquals($lookupLimitations->roleLimitations, []);
864
        $this->assertEquals($lookupLimitations->lookupPolicyLimitations, []);
865
    }
866
867
    /**
868
     * Test for the lookupLimitations() method.
869
     *
870
     * @see \eZ\Publish\API\Repository\PermissionResolver::lookupLimitations()
871
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
872
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
873
     * @depends \eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessForCurrentUserYes
874
     */
875 View Code Duplication
    public function testLookupLimitationsForAdministratorUser(): void
876
    {
877
        $repository = $this->getRepository();
878
879
        $administratorUserId = $this->generateId('user', 14);
880
        $homeId = $this->generateId('object', 57);
881
882
        /* BEGIN: Use Case */
883
        // $administratorUserId contains the ID of the administrator user
884
        // $homeId contains the ID of the "Home" frontpage
885
886
        $contentService = $repository->getContentService();
887
        $userService = $repository->getUserService();
888
        $permissionResolver = $repository->getPermissionResolver();
889
890
        // Load administrator user
891
        $administratorUser = $userService->loadUser($administratorUserId);
892
893
        // Set administrator user as current user reference
894
        $permissionResolver->setCurrentUserReference($administratorUser);
895
896
        // Load the ContentInfo for "Home" frontpage
897
        $contentInfo = $contentService->loadContentInfo($homeId);
898
899
        // This call will return true
900
        $lookupLimitations = $permissionResolver->lookupLimitations('content', 'remove', $contentInfo);
901
        /* END: Use Case */
902
903
        $this->assertTrue($lookupLimitations->hasAccess);
904
        $this->assertEquals($lookupLimitations->roleLimitations, []);
905
        $this->assertEquals($lookupLimitations->lookupPolicyLimitations, []);
906
    }
907
908
    /**
909
     * When one of policy pass then all limitation should be returned.
910
     *
911
     * @see \eZ\Publish\API\Repository\PermissionResolver::lookupLimitations()
912
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
913
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
914
     * @depends \eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessForCurrentUserYes
915
     *
916
     * @throws \eZ\Publish\API\Repository\Exceptions\BadStateException
917
     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
918
     * @throws \eZ\Publish\API\Repository\Exceptions\LimitationValidationException
919
     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
920
     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
921
     */
922
    public function testLookupLimitationsWithLimitations(): void
923
    {
924
        $repository = $this->getRepository();
925
        $userService = $repository->getUserService();
926
        $permissionResolver = $repository->getPermissionResolver();
927
        $roleService = $repository->getRoleService();
928
929
        $module = 'content';
930
        $function = 'create';
931
932
        $role = $this->createRoleWithPolicies(
933
            'role_' . __FUNCTION__,
934
            [
935
                ['module' => $module, 'function' => $function, 'limitations' => [new Limitation\SubtreeLimitation(['limitationValues' => ['/1/2/']])]],
936
                ['module' => $module, 'function' => $function, 'limitations' => [
937
                    new Limitation\SectionLimitation(['limitationValues' => [2]]),
938
                    new Limitation\LanguageLimitation(['limitationValues' => ['eng-US']]),
939
                ]],
940
                ['module' => 'content', 'function' => 'edit', 'limitations' => [new Limitation\SectionLimitation(['limitationValues' => [2]])]],
941
            ]
942
        );
943
        // create user in root user group to avoid overlapping of existing policies and limitations
944
        $user = $this->createUser('user', 'John', 'Doe', $userService->loadUserGroup(4));
945
        // Here we have no RoleLimitation
946
        $roleService->assignRoleToUser($role, $user);
947
        $permissionResolver->setCurrentUserReference($user);
948
949
        $expected = new LookupLimitationResult(
950
            true,
951
            [],
952
            [
953
                new LookupPolicyLimitations(
954
                    $role->getPolicies()[1],
955
                    [
956
                        new Limitation\SectionLimitation(['limitationValues' => [2]]),
957
                        new Limitation\LanguageLimitation(['limitationValues' => ['eng-US']]),
958
                    ]
959
                ),
960
            ]
961
        );
962
963
        self::assertEquals(
964
            $expected,
965
            $permissionResolver->lookupLimitations($module, $function, $this->getContentCreateStruct($repository), [])
966
        );
967
    }
968
969
    /**
970
     * When one of policy pass then only filtered limitation should be returned.
971
     *
972
     * @see \eZ\Publish\API\Repository\PermissionResolver::lookupLimitations()
973
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetUserService
974
     * @depends \eZ\Publish\API\Repository\Tests\RepositoryTest::testGetContentService
975
     * @depends \eZ\Publish\API\Repository\Tests\PermissionResolverTest::testHasAccessForCurrentUserYes
976
     *
977
     * @throws \eZ\Publish\API\Repository\Exceptions\BadStateException
978
     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
979
     * @throws \eZ\Publish\API\Repository\Exceptions\LimitationValidationException
980
     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
981
     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
982
     */
983
    public function testLookupLimitationsWithFilteredLimitations(): void
984
    {
985
        $repository = $this->getRepository();
986
        $userService = $repository->getUserService();
987
        $permissionResolver = $repository->getPermissionResolver();
988
        $roleService = $repository->getRoleService();
989
990
        $module = 'content';
991
        $function = 'create';
992
993
        $role = $this->createRoleWithPolicies(
994
            'role_' . __FUNCTION__,
995
            [
996
                ['module' => $module, 'function' => $function, 'limitations' => [new Limitation\SubtreeLimitation(['limitationValues' => ['/1/2/']])]],
997
                ['module' => $module, 'function' => $function, 'limitations' => [
998
                    new Limitation\SectionLimitation(['limitationValues' => [2]]),
999
                    new Limitation\LanguageLimitation(['limitationValues' => ['eng-US']]),
1000
                ]],
1001
                ['module' => 'content', 'function' => 'edit', 'limitations' => [new Limitation\SectionLimitation(['limitationValues' => [2]])]],
1002
            ]
1003
        );
1004
        // create user in root user group to avoid overlapping of existing policies and limitations
1005
        $user = $this->createUser('user', 'John', 'Doe', $userService->loadUserGroup(4));
1006
        // Here we have no RoleLimitation
1007
        $roleService->assignRoleToUser($role, $user);
1008
        $permissionResolver->setCurrentUserReference($user);
1009
1010
        $expected = new LookupLimitationResult(
1011
            true,
1012
            [],
1013
            [
1014
                new LookupPolicyLimitations(
1015
                    $role->getPolicies()[1],
1016
                    [
1017
                        new Limitation\SectionLimitation(['limitationValues' => [2]]),
1018
                    ]
1019
                ),
1020
            ]
1021
        );
1022
1023
        self::assertEquals(
1024
            $expected,
1025
            $permissionResolver->lookupLimitations($module, $function, $this->getContentCreateStruct($repository), [], [Limitation::SECTION])
1026
        );
1027
    }
1028
1029
    /**
1030
     * If the role limitation is set it should be taken into account. In this case, role limitation
1031
     * will pass and ContentTypeLimitation should be returned.
1032
     *
1033
     * @throws \eZ\Publish\API\Repository\Exceptions\BadStateException
1034
     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
1035
     * @throws \eZ\Publish\API\Repository\Exceptions\LimitationValidationException
1036
     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
1037
     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
1038
     */
1039
    public function testLookupLimitationsWithRoleLimitationsHasAccess(): void
1040
    {
1041
        $repository = $this->getRepository();
1042
        $userService = $repository->getUserService();
1043
        $permissionResolver = $repository->getPermissionResolver();
1044
        $roleService = $repository->getRoleService();
1045
1046
        $module = 'content';
1047
        $function = 'create';
1048
1049
        /* BEGIN: Use Case */
1050
        $role = $this->createRoleWithPolicies(
1051
            'role_' . __FUNCTION__,
1052
            [
1053
                ['module' => $module, 'function' => $function, 'limitations' => [new Limitation\SubtreeLimitation(['limitationValues' => ['/1/2/']])]],
1054
                ['module' => $module, 'function' => $function, 'limitations' => [new Limitation\LanguageLimitation(['limitationValues' => ['eng-US']])]],
1055
                ['module' => 'content', 'function' => 'edit', 'limitations' => [new Limitation\SectionLimitation(['limitationValues' => [2]])]],
1056
            ]
1057
        );
1058
        // create user in root user group to avoid overlapping of existing policies and limitations
1059
        $user = $this->createUser('user', 'John', 'Doe', $userService->loadUserGroup(4));
1060
        // SectionLimitation as RoleLimitation will pass
1061
        $roleLimitation = new Limitation\SectionLimitation(['limitationValues' => [2]]);
1062
        $roleService->assignRoleToUser($role, $user, $roleLimitation);
1063
        $permissionResolver->setCurrentUserReference($user);
1064
        /* END: Use Case */
1065
1066
        $expected = new LookupLimitationResult(
1067
            true,
1068
            [$roleLimitation],
1069
            [
1070
                new LookupPolicyLimitations(
1071
                    $role->getPolicies()[1],
1072
                    [new Limitation\LanguageLimitation(['limitationValues' => ['eng-US']])]
1073
                ),
1074
            ]
1075
        );
1076
1077
        self::assertEquals(
1078
            $expected,
1079
            $permissionResolver->lookupLimitations($module, $function, $this->getContentCreateStruct($repository), [])
1080
        );
1081
    }
1082
1083
    /**
1084
     * If the role limitation is set and policy limitation is not set it should be taken into account.
1085
     * In this case, role limitation will pass and SectionLimitation should be returned as role limitation
1086
     * and limitations in LookupPolicyLimitations should be an empty array.
1087
     *
1088
     * @see https://jira.ez.no/browse/EZP-30728
1089
     *
1090
     * @throws \eZ\Publish\API\Repository\Exceptions\BadStateException
1091
     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
1092
     * @throws \eZ\Publish\API\Repository\Exceptions\LimitationValidationException
1093
     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
1094
     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
1095
     */
1096
    public function testLookupLimitationsWithRoleLimitationsWithoutPolicyLimitationsHasAccess(): void
1097
    {
1098
        $repository = $this->getRepository();
1099
        $userService = $repository->getUserService();
1100
        $permissionResolver = $repository->getPermissionResolver();
1101
        $roleService = $repository->getRoleService();
1102
1103
        $module = 'content';
1104
        $function = 'create';
1105
1106
        /* BEGIN: Use Case */
1107
        $role = $this->createRoleWithPolicies(
1108
            'role_' . __FUNCTION__,
1109
            [
1110
                ['module' => $module, 'function' => $function, 'limitations' => []],
1111
                ['module' => 'content', 'function' => 'edit', 'limitations' => []],
1112
            ]
1113
        );
1114
        // create user in root user group to avoid overlapping of existing policies and limitations
1115
        $user = $this->createUser('user', 'John', 'Doe', $userService->loadUserGroup(4));
1116
        // SectionLimitation as RoleLimitation will pass
1117
        $roleLimitation = new Limitation\SectionLimitation(['limitationValues' => [2]]);
1118
        $roleService->assignRoleToUser($role, $user, $roleLimitation);
1119
        $permissionResolver->setCurrentUserReference($user);
1120
        /* END: Use Case */
1121
1122
        $expectedPolicy = current(array_filter($role->getPolicies(), function ($policy) use ($module, $function) {
1123
            return $policy->module === $module && $policy->function === $function;
1124
        }));
1125
1126
        $expected = new LookupLimitationResult(
1127
            true,
1128
            [$roleLimitation],
1129
            [
1130
                new LookupPolicyLimitations(
1131
                    $expectedPolicy,
1132
                    []
1133
                ),
1134
            ]
1135
        );
1136
1137
        self::assertEquals(
1138
            $expected,
1139
            $permissionResolver->lookupLimitations($module, $function, $this->getContentCreateStruct($repository), [])
1140
        );
1141
    }
1142
1143
    /**
1144
     * If the role limitation is set it should be taken into account. In this case, role limitation
1145
     * will not pass and ContentTypeLimitation should not be returned.
1146
     *
1147
     * @throws \eZ\Publish\API\Repository\Exceptions\BadStateException
1148
     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
1149
     * @throws \eZ\Publish\API\Repository\Exceptions\LimitationValidationException
1150
     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
1151
     * @throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException
1152
     */
1153
    public function testLookupLimitationsWithRoleLimitationsHasNoAccess(): void
1154
    {
1155
        $repository = $this->getRepository();
1156
        $userService = $repository->getUserService();
1157
        $permissionResolver = $repository->getPermissionResolver();
1158
        $roleService = $repository->getRoleService();
1159
1160
        $module = 'content';
1161
        $function = 'create';
1162
1163
        /* BEGIN: Use Case */
1164
        $role = $this->createRoleWithPolicies(
1165
            'role_' . __FUNCTION__,
1166
            [
1167
                ['module' => $module, 'function' => $function, 'limitations' => [new Limitation\SubtreeLimitation(['limitationValues' => ['/1/2/']])]],
1168
                ['module' => $module, 'function' => $function, 'limitations' => [new Limitation\LanguageLimitation(['limitationValues' => ['eng-US']])]],
1169
                ['module' => 'content', 'function' => 'edit', 'limitations' => [new Limitation\SectionLimitation(['limitationValues' => [2]])]],
1170
            ]
1171
        );
1172
        // create user in root user group to avoid overlapping of existing policies and limitations
1173
        $user = $this->createUser('user', 'John', 'Doe', $userService->loadUserGroup(4));
1174
        // SectionLimitation as RoleLimitation will not pass
1175
        $roleLimitation = new Limitation\SectionLimitation(['limitationValues' => [3]]);
1176
        $roleService->assignRoleToUser($role, $user, $roleLimitation);
1177
        $permissionResolver->setCurrentUserReference($user);
1178
        /* END: Use Case */
1179
1180
        $expected = new LookupLimitationResult(
1181
            false,
1182
            [],
1183
            []
1184
        );
1185
1186
        self::assertEquals(
1187
            $expected,
1188
            $permissionResolver->lookupLimitations($module, $function, $this->getContentCreateStruct($repository), [])
1189
        );
1190
    }
1191
1192
    /**
1193
     * @param \eZ\Publish\API\Repository\Repository $repository
1194
     * @param string $contentTypeIdentifier
1195
     * @param string $mainLanguageCode
1196
     * @param int $sectionId
1197
     *
1198
     * @return \eZ\Publish\API\Repository\Values\Content\ContentCreateStruct
1199
     *
1200
     * @throws \eZ\Publish\API\Repository\Exceptions\NotFoundException
1201
     */
1202
    private function getContentCreateStruct(
1203
        Repository $repository,
1204
        string $contentTypeIdentifier = 'folder',
1205
        string $mainLanguageCode = 'eng-US',
1206
        int $sectionId = 2
1207
    ): ContentCreateStruct {
1208
        $contentService = $repository->getContentService();
1209
        $contentTypeService = $repository->getContentTypeService();
1210
        $contentType = $contentTypeService->loadContentTypeByIdentifier($contentTypeIdentifier);
1211
        $contentCreateStruct = $contentService->newContentCreateStruct($contentType, $mainLanguageCode);
1212
        $contentCreateStruct->sectionId = $sectionId;
1213
1214
        return $contentCreateStruct;
1215
    }
1216
}
1217