rend-acl 0.0.2 → 0.0.3
- data/README.md +1 -1
- data/lib/rend/acl.rb +27 -26
- data/lib/rend/acl/resource.rb +4 -0
- data/lib/rend/acl/role.rb +5 -4
- data/lib/rend/acl/version.rb +1 -1
- data/test/test_acl.rb +930 -139
- metadata +5 -5
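--- a/data/README.md
+++ b/data/README.md
@@ -22,4 +22,4 @@ Rend-Acl is a port of [Zend_Acl](http://framework.zend.com/manual/1.12/en/zend.a
 
 ## Acknowledgements
 * This project is **not** associated with, or endorsed by, Zend Technologies USA, Inc., nor any of its contributors.
-* Rend's modular design was heavily influced by [RSpec](https://github.com/rspec/rspec) approach.
+* Rend's modular design was heavily influced by [RSpec](https://github.com/rspec/rspec)'s approach.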
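--- a/data/lib/rend/acl.rb
+++ b/data/lib/rend/acl.rb
@@ -1,4 +1,5 @@
 require 'rend/core'
+
 require 'rend/acl/version'
 require 'rend/acl/exception'
 require 'rend/acl/role'
@@ -76,7 +77,7 @@ module Rend
 # @param Rend::Acl::Role|string role
 # @uses Rend::Acl::Role::Registry::get!()
 # @return Rend::Acl::Role
-def role(role)
+def role!(role)
 role_registry.get!(role)
 end
 
@@ -174,14 +175,14 @@ module Rend
 
 resource_id = resource.id
 
-raise Rend::Acl::Exception, "Resource id 'resource_id' already exists in the ACL" if
+raise Rend::Acl::Exception, "Resource id 'resource_id' already exists in the ACL" if has_resource?(resource_id)
 
 resource_parent = nil
 
 if parent
 begin
 resource_parent_id = (parent.class <= Rend::Acl::Resource) ? parent.id : parent
-resource_parent =
+resource_parent = resource!(resource_parent_id)
 rescue Rend::Acl::Exception
 raise Rend::Acl::Exception, "Parent Resource id 'resource_parent_id' does not exist"
 end
@@ -200,9 +201,9 @@ module Rend
 # @throws Rend::Acl::Exception
 # @return Rend::Acl::Resource
 
-def
+def resource!(resource)
 resource_id = (resource.class <= Rend::Acl::Resource) ? resource.id : resource.to_s
-raise Rend::Acl::Exception, "Resource 'resource_id' not found" unless
+raise Rend::Acl::Exception, "Resource 'resource_id' not found" unless has_resource?(resource)
 @_resources[resource_id][:instance]
 end
 
@@ -212,7 +213,7 @@ module Rend
 #
 # @param Rend::Acl::Resource|string resource
 # @return boolean
-def
+def has_resource?(resource)
 resource_id = (resource.class <= Rend::Acl::Resource) ? resource.id : resource.to_s
 @_resources.keys.include?(resource_id)
 end
@@ -230,9 +231,9 @@ module Rend
 # @param boolean onlyParent
 # @throws Rend_Acl_Resource_Registry_Exception
 # @return boolean
-def
-resource_id =
-inherit_id =
+def inherits_resource?(resource, inherit, only_parent = false)
+resource_id = resource!(resource).id
+inherit_id = resource!(inherit).id
 
 if @_resources[resource_id][:parent]
 parent_id = @_resources[resource_id][:parent].id
@@ -256,8 +257,8 @@ module Rend
 # @param Rend::Acl::Resource|string resource
 # @throws Rend::Acl::Exception
 # @return Rend::Acl Provides a fluent interface
-def
-resource_id =
+def remove_resource!(resource)
+resource_id = resource!(resource).id
 resources_removed = [resource_id]
 
 if resource_parent = @_resources[resource_id][:parent]
@@ -265,7 +266,7 @@ module Rend
 end
 
 @_resources[resource_id][:children].each do |child_id, child|
-
+remove_resource!(child_id)
 resources_removed.push(child_id)
 end
 
@@ -285,7 +286,7 @@ module Rend
 # Removes all Resources
 #
 # @return Rend::Acl Provides a fluent interface
-def
+def remove_resource_all!
 @_resources.each do |resource_id, resource|
 @_rules[:by_resource_id].each do |resource_id_current, rules|
 @_rules[:by_resource_id].delete(resource_id_current) if resource_id == resource_id_current
@@ -402,12 +403,12 @@ module Rend
 resources = Array(resources)
 resources << nil if resources.empty?
 resources = resources.reduce([]) do |seed, resource|
-seed << (resource ?
+seed << (resource ? resource!(resource) : nil)
 end
 else
 # this might be used later if resource iteration is required
-all_resources = @_resources.reduce([]) do |seed,
-seed <<
+all_resources = @_resources.values.reduce([]) do |seed, r_target|
+seed << r_target[:instance]
 end
 end
 
@@ -428,8 +429,8 @@ module Rend
 roles.each do |role|
 rules = _rules(resource, role, true)
 if privileges.empty?
-rules[:all_privileges]
-rules[:by_privilege_id]
+rules[:all_privileges] = {:type => type}
+rules[:by_privilege_id] = {} unless rules.has_key?(:by_privilege_id)
 else
 privileges.each do |privilege|
 rules[:by_privilege_id][privilege] = {:type => type}
@@ -468,7 +469,6 @@ module Rend
 end
 next
 end
-
 if rules[:all_privileges].has_key?(:type) && rules[:all_privileges][:type] == type
 rules.delete(:all_privileges)
 end
@@ -564,18 +564,21 @@ module Rend
 if resource
 # keep track of originally called resource
 @_is_allowed_resource = resource
-resource =
+resource = resource!(resource)
 unless @_is_allowed_resource.class <= Rend::Acl::Resource
 @_is_allowed_resource = resource
 end
 end
 
+
 if privilege.nil?
 # query on all privileges
 loop do # loop terminates at :all_resources pseudo-parent
 # depth-first search on role if it is not :all_roles pseudo-parent
-result = _role_dfs_all_privileges(role, resource)
-
+if !role.nil? && !(result = _role_dfs_all_privileges(role, resource)).nil?
+return result
+end
+
 
 # look for rule on :all_roles psuedo-parent
 rules = _rules(resource, nil)
@@ -592,16 +595,14 @@ module Rend
 resource = @_resources[resource.id][:parent]
 end
 else
-# IN HERE
 @_is_allowed_privilege = privilege
 # query on one privilege
 loop do # loop terminates at :all_resources pseudo-parent
 # depth-first search on role if it is not :all_roles pseudo-parent
-if nil
+if !role.nil? && !(result = _role_dfs_one_privilege(role, resource, privilege)).nil?
 return result
 end
 
-
 # look for rule on 'allRoles' pseudo-parent
 if nil != (rule_type = _rule_type(resource, nil, privilege))
 return TYPE_ALLOW == rule_type
@@ -635,7 +636,7 @@ module Rend
 # @param Rend::Acl::Resource resource
 # @return boolean|nil
 def _role_dfs_all_privileges(role, resource = nil)
-type_hint! Rend::Acl::Role,
+type_hint! Rend::Acl::Role, role, :is_required => true
 type_hint! Rend::Acl::Resource, resource
 
 dfs = {:visited => {}, :stack => []}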
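Review bot: The exception messages on the changed `raise` lines never name the offending id: `"Resource id 'resource_id' already exists in the ACL"` and `"Resource 'resource_id' not found"` (and the neighbouring `"Parent Resource id 'resource_parent_id' does not exist"`) carry the variable name as literal text instead of interpolating it. When an access-control lookup is refused, the failing identifier is what an operator needs from the log, so I would write `"Resource #{resource_id.inspect} not found"` and the same for the other two; `inspect` keeps control characters in a caller-supplied id from breaking up log lines. A smaller point in `has_resource?`: `@_resources.keys.include?(resource_id)` builds a key array on each call, and `resource!` now calls it on every lookup; `@_resources.key?(resource_id)` performs the same test directly. The method holding the duplicate check and the parent lookup starts and ends outside its hunk.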
data/lib/rend/acl/resource.rb
CHANGED
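--- a/data/lib/rend/acl/role.rb
+++ b/data/lib/rend/acl/role.rb
@@ -1,17 +1,18 @@
 require 'rend/acl/role/registry'
+
 module Rend
 class Acl
 class Role
 
 # Unique id of Role
 attr_reader :id # @var string
-# attr_accessor :parents -- future
-# attr_accessor :children -- future
 
 def initialize(id)
 @id = id.to_s
-
-
+end
+
+def to_s
+@id
 end
 
 end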
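Review bot: The new `to_s` hands back `@id` itself, and `initialize` stores `id.to_s`, which for a String argument is the caller's own object; neither is copied or frozen. Any code that mutates the returned string, or the string originally passed in, therefore changes the role's id after the role has been registered. If ids are used as registry keys, as the tests' `has_key?('guest')` checks suggest, the role and its registry entry could then disagree. Storing an immutable copy closes this: `@id = id.to_s.dup.freeze` in `initialize`, after which `to_s` can keep returning `@id`. A one-line comment on `to_s` saying it returns the role id would also help, since the method is otherwise undocumented.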
data/lib/rend/acl/version.rb
CHANGED
data/test/test_acl.rb
CHANGED
@@ -3,207 +3,998 @@ require 'rend/acl'
|
|
3
3
|
|
4
4
|
class AclTest < Test::Unit::TestCase
|
5
5
|
|
6
|
-
|
7
|
-
def test_multiple_inheritance_among_roles
|
6
|
+
def setup
|
8
7
|
@acl = Rend::Acl.new
|
9
|
-
|
8
|
+
end
|
10
9
|
|
11
|
-
|
12
|
-
|
10
|
+
def test_storing_acl_data_for_persistence_with_marshal
|
11
|
+
assert_use_case_1 Marshal.load( Marshal.dump(use_case_1) )
|
12
|
+
end
|
13
13
|
|
14
|
-
|
14
|
+
def test_storing_acl_data_for_persistence_with_yaml
|
15
|
+
require 'yaml'
|
16
|
+
assert_use_case_1 YAML.load( YAML.dump(use_case_1) )
|
17
|
+
end
|
15
18
|
|
16
|
-
|
17
|
-
|
19
|
+
def test_acl_user_case_1
|
20
|
+
assert_use_case_1(use_case_1)
|
21
|
+
end
|
22
|
+
|
23
|
+
# ==== Orignal Zend_Acl Tests Below
|
18
24
|
|
19
|
-
|
25
|
+
# Ensures that basic addition and retrieval of a single Role works
|
26
|
+
def test_role_registry_add_and_get_one
|
27
|
+
role_guest = Rend::Acl::Role.new('guest')
|
28
|
+
@acl.add_role!(role_guest)
|
29
|
+
assert_equal role_guest, @acl.role!(role_guest.id)
|
20
30
|
end
|
21
31
|
|
22
|
-
#
|
23
|
-
def
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
@acl.add_role! Rend::Acl::Role.new('editor'), 'staff'
|
29
|
-
@acl.add_role! Rend::Acl::Role.new('administrator')
|
32
|
+
# Ensures that basic addition and retrieval of a single Resource works
|
33
|
+
def test_role_add_and_get_one_by_string
|
34
|
+
role = @acl.add_role!('area').role!('area')
|
35
|
+
assert_kind_of Rend::Acl::Role, role
|
36
|
+
assert_equal 'area', role.id
|
37
|
+
end
|
30
38
|
|
31
|
-
|
32
|
-
|
39
|
+
# # Ensures that basic removal of a single Role works
|
40
|
+
def test_role_registry_remove_one
|
41
|
+
role_guest = Rend::Acl::Role.new('guest')
|
42
|
+
@acl.add_role!(role_guest).remove_role!(role_guest)
|
43
|
+
assert_equal false, @acl.has_role?(role_guest)
|
44
|
+
end
|
33
45
|
|
34
|
-
|
35
|
-
|
36
|
-
|
46
|
+
# Ensures that an exception is thrown when a non-existent Role is specified for removal
|
47
|
+
def test_role_registry_remove_one_non_existent
|
48
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
49
|
+
@acl.remove_role!('nonexistent')
|
50
|
+
flunk('Expected Rend::Acl::Role::Registry::Exception not thrown upon removing a non-existent Role')
|
51
|
+
end
|
52
|
+
end
|
37
53
|
|
38
|
-
|
39
|
-
|
40
|
-
|
54
|
+
# # Ensures that removal of all Roles works
|
55
|
+
def test_role_registry_remove_all
|
56
|
+
role_guest = Rend::Acl::Role.new('guest')
|
57
|
+
@acl.add_role!(role_guest).remove_role_all!
|
58
|
+
assert_equal false, @acl.has_role?(role_guest)
|
59
|
+
end
|
41
60
|
|
42
|
-
|
43
|
-
|
61
|
+
# Ensures that an exception is thrown when a non-existent Role is specified as a parent upon Role addition
|
62
|
+
def test_role_registry_add_inherits_non_existent
|
63
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
64
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'), 'nonexistent')
|
65
|
+
flunk('Expected Rend::Acl::Role::Registry::Exception not thrown upon specifying a non-existent parent')
|
66
|
+
end
|
67
|
+
end
|
44
68
|
|
69
|
+
# Ensures that an exception is thrown when a non-existent Role is specified to each parameter of inherits
|
70
|
+
def test_role_registry_inherits_non_existent
|
71
|
+
role_guest = Rend::Acl::Role.new('guest')
|
72
|
+
@acl.add_role!(role_guest)
|
73
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
74
|
+
@acl.inherits_role?('nonexistent', role_guest)
|
75
|
+
flunk('Expected Rend::Acl::Role::Registry::Exception not thrown upon specifying a non-existent child Role')
|
76
|
+
end
|
77
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
78
|
+
@acl.inherits_role?(role_guest, 'nonexistent')
|
79
|
+
flunk('Expected Rend::Acl::Role::Registry::Exception not thrown upon specifying a non-existent parent Role')
|
80
|
+
end
|
81
|
+
end
|
45
82
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
83
|
+
# Tests basic Role inheritance
|
84
|
+
def test_role_registry_inherits
|
85
|
+
role_guest = Rend::Acl::Role.new('guest')
|
86
|
+
role_member = Rend::Acl::Role.new('member')
|
87
|
+
role_editor = Rend::Acl::Role.new('editor')
|
88
|
+
|
89
|
+
role_registry = Rend::Acl::Role::Registry.new
|
90
|
+
role_registry.add!(role_guest)
|
91
|
+
role_registry.add!(role_member, role_guest.id)
|
92
|
+
role_registry.add!(role_editor, role_member)
|
93
|
+
|
94
|
+
assert_equal 0, role_registry.parents(role_guest).length
|
95
|
+
|
96
|
+
role_member_parents = role_registry.parents(role_member)
|
97
|
+
assert_equal 1, role_member_parents.length
|
98
|
+
assert_equal true, role_member_parents.has_key?('guest')
|
99
|
+
|
100
|
+
role_editor_parents = role_registry.parents(role_editor)
|
101
|
+
assert_equal 1, role_editor_parents.length
|
102
|
+
assert_equal true, role_editor_parents.has_key?('member')
|
103
|
+
assert_equal true, role_registry.inherits?(role_member, role_guest, true)
|
104
|
+
assert_equal true, role_registry.inherits?(role_editor, role_member, true)
|
105
|
+
assert_equal true, role_registry.inherits?(role_editor, role_guest)
|
106
|
+
assert_equal false, role_registry.inherits?(role_guest, role_member)
|
107
|
+
assert_equal false, role_registry.inherits?(role_member, role_editor)
|
108
|
+
assert_equal false, role_registry.inherits?(role_guest, role_editor)
|
109
|
+
|
110
|
+
role_registry.remove!(role_member)
|
111
|
+
assert_equal 0, role_registry.parents(role_editor).length
|
112
|
+
assert_equal false, role_registry.inherits?(role_editor, role_guest)
|
54
113
|
end
|
55
114
|
|
56
|
-
#
|
57
|
-
def
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
115
|
+
# Tests basic Role multiple inheritance
|
116
|
+
def test_role_registry_inherits_multiple
|
117
|
+
role_parent0 = Rend::Acl::Role.new('parent0')
|
118
|
+
role_parent1 = Rend::Acl::Role.new('parent1')
|
119
|
+
role_child = Rend::Acl::Role.new('child')
|
120
|
+
|
121
|
+
role_registry = Rend::Acl::Role::Registry.new
|
122
|
+
role_registry.add!(role_parent0)
|
123
|
+
role_registry.add!(role_parent1)
|
124
|
+
role_registry.add!(role_child, [role_parent0, role_parent1])
|
125
|
+
|
126
|
+
role_child_parents = role_registry.parents(role_child)
|
127
|
+
assert_equal 2, role_child_parents.length
|
128
|
+
role_child_parents.each_with_index do |(role_parent_id, role_parent), i|
|
129
|
+
assert_equal "parent#{i}", role_parent_id
|
130
|
+
end
|
131
|
+
assert_equal true, role_registry.inherits?(role_child, role_parent0)
|
132
|
+
assert_equal true, role_registry.inherits?(role_child, role_parent1)
|
133
|
+
|
134
|
+
role_registry.remove!(role_parent0)
|
135
|
+
role_child_parents = role_registry.parents(role_child)
|
136
|
+
assert_equal 1, role_child_parents.length
|
137
|
+
assert_equal true, role_child_parents.has_key?('parent1')
|
138
|
+
assert_equal true, role_registry.inherits?(role_child, role_parent1)
|
139
|
+
end
|
64
140
|
|
65
|
-
|
66
|
-
|
141
|
+
# Ensures that the same Role cannot be registered more than once to the registry
|
142
|
+
def test_role_registry_duplicate
|
143
|
+
role_guest = Rend::Acl::Role.new('guest')
|
144
|
+
role_registry = Rend::Acl::Role::Registry.new
|
145
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
146
|
+
role_registry.add!(role_guest).add!(role_guest)
|
147
|
+
flunk('Expected exception not thrown upon adding same Role twice')
|
148
|
+
end
|
149
|
+
end
|
67
150
|
|
68
|
-
|
69
|
-
|
70
|
-
|
151
|
+
# Ensures that two Roles having the same ID cannot be registered
|
152
|
+
def test_role_registry_duplicate_id
|
153
|
+
role_guest1 = Rend::Acl::Role.new('guest')
|
154
|
+
role_guest2 = Rend::Acl::Role.new('guest')
|
155
|
+
role_registry = Rend::Acl::Role::Registry.new
|
156
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
157
|
+
role_registry.add!(role_guest1).add!(role_guest2)
|
158
|
+
flunk('Expected exception not thrown upon adding same Role twice')
|
159
|
+
end
|
160
|
+
end
|
71
161
|
|
72
|
-
|
73
|
-
|
74
|
-
|
162
|
+
# Ensures that basic addition and retrieval of a single Resource works
|
163
|
+
def test_resource_add_and_get_one
|
164
|
+
resource_area = Rend::Acl::Resource.new('area')
|
165
|
+
@acl.add_resource!(resource_area)
|
75
166
|
|
76
|
-
|
77
|
-
|
167
|
+
resource = @acl.resource!(resource_area.id)
|
168
|
+
assert_equal resource_area, resource
|
78
169
|
|
79
|
-
|
80
|
-
|
170
|
+
resource = @acl.resource!(resource_area)
|
171
|
+
assert_equal resource_area, resource
|
172
|
+
end
|
81
173
|
|
82
|
-
|
174
|
+
# Ensures that basic addition and retrieval of a single Resource works
|
175
|
+
def test_resource_add_and_get_one_by_string
|
176
|
+
@acl.add_resource!('area')
|
83
177
|
|
84
|
-
|
85
|
-
|
178
|
+
resource = @acl.resource!('area')
|
179
|
+
assert_kind_of Rend::Acl::Resource, resource
|
180
|
+
assert_equal 'area', resource.id
|
181
|
+
end
|
86
182
|
|
87
|
-
|
88
|
-
|
183
|
+
# Ensures that basic removal of a single Resource works
|
184
|
+
def test_resource_remove_one
|
185
|
+
resource_area = Rend::Acl::Resource.new('area')
|
186
|
+
@acl.add_resource!(resource_area).remove_resource!(resource_area)
|
187
|
+
assert_equal false, @acl.has_resource?(resource_area)
|
188
|
+
end
|
89
189
|
|
90
|
-
|
91
|
-
|
190
|
+
# Ensures that an exception is thrown when a non-existent Resource is specified for removal
|
191
|
+
def test_resource_remove_one_non_existent
|
192
|
+
assert_raises Rend::Acl::Exception do
|
193
|
+
@acl.remove_resource!('nonexistent')
|
194
|
+
flunk('Expected Rend::Acl::Exception not thrown upon removing a non-existent Resource')
|
195
|
+
end
|
196
|
+
end
|
92
197
|
|
93
|
-
|
94
|
-
|
198
|
+
# Ensures that removal of all Resources works
|
199
|
+
def test_resource_remove_all
|
200
|
+
resource_area = Rend::Acl::Resource.new('area')
|
201
|
+
@acl.add_resource!(resource_area).remove_resource_all!
|
202
|
+
assert_equal false, @acl.has_resource?(resource_area)
|
203
|
+
end
|
95
204
|
|
96
|
-
|
205
|
+
# Ensures that an exception is thrown when a non-existent Resource is specified as a parent upon Resource addition
|
206
|
+
def test_resource_add_inherits_non_existent
|
207
|
+
assert_raises Rend::Acl::Exception do
|
208
|
+
@acl.add_resource!(Rend::Acl::Resource.new('area'), 'nonexistent')
|
209
|
+
flunk('Expected Rend::Acl::Exception not thrown upon specifying a non-existent parent')
|
210
|
+
end
|
211
|
+
end
|
97
212
|
|
98
|
-
|
99
|
-
|
213
|
+
# Ensures that an exception is thrown when a non-existent Resource is specified to each parameter of inherits
|
214
|
+
def test_resource_inherits_non_existent
|
215
|
+
resource_area = Rend::Acl::Resource.new('area')
|
216
|
+
@acl.add_resource!(resource_area)
|
217
|
+
assert_raises Rend::Acl::Exception do
|
218
|
+
@acl.inherits_resource?('nonexistent', resource_area)
|
219
|
+
flunk('Expected Rend::Acl::Exception not thrown upon specifying a non-existent child Resource')
|
220
|
+
end
|
221
|
+
assert_raises Rend::Acl::Exception do
|
222
|
+
@acl.inherits_resource?(resource_area, 'nonexistent')
|
223
|
+
flunk('Expected Rend::Acl::Exception not thrown upon specifying a non-existent parent Resource')
|
224
|
+
end
|
225
|
+
end
|
100
226
|
|
101
|
-
|
102
|
-
|
227
|
+
# Tests basic Resource inheritance
|
228
|
+
def test_resource_inherits
|
229
|
+
resource_city = Rend::Acl::Resource.new('city')
|
230
|
+
resource_building = Rend::Acl::Resource.new('building')
|
231
|
+
resource_room = Rend::Acl::Resource.new('room')
|
232
|
+
|
233
|
+
@acl.add_resource!(resource_city)
|
234
|
+
@acl.add_resource!(resource_building, resource_city.id)
|
235
|
+
@acl.add_resource!(resource_room, resource_building)
|
236
|
+
|
237
|
+
assert_equal true, @acl.inherits_resource?(resource_building, resource_city, true)
|
238
|
+
assert_equal true, @acl.inherits_resource?(resource_room, resource_building, true)
|
239
|
+
assert_equal true, @acl.inherits_resource?(resource_room, resource_city)
|
240
|
+
assert_equal false, @acl.inherits_resource?(resource_city, resource_building)
|
241
|
+
assert_equal false, @acl.inherits_resource?(resource_building, resource_room)
|
242
|
+
assert_equal false, @acl.inherits_resource?(resource_city, resource_room)
|
243
|
+
|
244
|
+
@acl.remove_resource!(resource_building)
|
245
|
+
assert_equal false, @acl.has_resource?(resource_room)
|
246
|
+
end
|
103
247
|
|
104
|
-
|
105
|
-
|
248
|
+
# Ensures that the same Resource cannot be added more than once
|
249
|
+
def test_resource_duplicate
|
250
|
+
assert_raises Rend::Acl::Exception do
|
251
|
+
resource_area = Rend::Acl::Resource.new('area')
|
252
|
+
@acl.add_resource!(resource_area)
|
253
|
+
@acl.add_resource!(resource_area)
|
254
|
+
flunk('Expected exception not thrown upon adding same Resource twice')
|
255
|
+
end
|
256
|
+
end
|
106
257
|
|
258
|
+
# Ensures that two Resources having the same ID cannot be added
|
259
|
+
def test_resource_duplicate_id
|
260
|
+
assert_raises Rend::Acl::Exception do
|
261
|
+
resource_area1 = Rend::Acl::Resource.new('area')
|
262
|
+
resource_area2 = Rend::Acl::Resource.new('area')
|
263
|
+
@acl.add_resource!(resource_area1)
|
264
|
+
@acl.add_resource!(resource_area2)
|
265
|
+
flunk('Expected exception not thrown upon adding two Resources with same ID')
|
266
|
+
end
|
267
|
+
end
|
107
268
|
|
108
|
-
|
269
|
+
# Ensures that an exception is thrown when a non-existent Role and Resource parameters are specified to is_allowed
|
270
|
+
def test_is_allowed_non_existent
|
271
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
272
|
+
@acl.allowed?('nonexistent')
|
273
|
+
flunk('Expected Rend::Acl::Role::Registry::Exception not thrown upon non-existent Role')
|
274
|
+
end
|
275
|
+
assert_raises Rend::Acl::Exception do
|
276
|
+
@acl.allowed?(nil, 'nonexistent')
|
277
|
+
flunk('Expected Rend::Acl::Exception not thrown upon non-existent Resource')
|
278
|
+
end
|
279
|
+
end
|
109
280
|
|
110
|
-
|
111
|
-
|
112
|
-
assert_equal false, @acl.allowed?
|
113
|
-
|
114
|
-
assert_equal true, @acl.allowed?('marketing' , 'latest' , 'archive') # allowed
|
115
|
-
assert_equal false, @acl.allowed?('marketing' , 'latest' , 'revise') # denied
|
116
|
-
assert_equal false, @acl.allowed?('editor' , 'announcement' , 'archive') # denied
|
117
|
-
assert_equal false, @acl.allowed?('administrator' , 'announcement' , 'archive') # denied
|
281
|
+
# Ensures that by default, Zend_Acl denies access to everything by all
|
282
|
+
def test_default_deny
|
283
|
+
assert_equal false, @acl.allowed?
|
284
|
+
end
|
118
285
|
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
286
|
+
# Ensures that ACL-wide rules (all Roles, Resources, and privileges) work properly
|
287
|
+
def test_default_rule_set
|
288
|
+
@acl.allow!
|
289
|
+
assert_equal true, @acl.allowed?
|
290
|
+
@acl.deny!
|
291
|
+
assert_equal false, @acl.allowed?
|
292
|
+
end
|
123
293
|
|
124
|
-
|
125
|
-
|
126
|
-
assert_equal
|
294
|
+
# Ensures that by default, Zend_Acl denies access to a privilege on anything by all
|
295
|
+
def test_default_privilege_deny
|
296
|
+
assert_equal false, @acl.allowed?(nil, nil, 'some_privilege')
|
297
|
+
end
|
127
298
|
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
assert_equal
|
299
|
+
# Ensures that ACL-wide rules apply to privileges
|
300
|
+
def test_default_rule_set_privilege
|
301
|
+
@acl.allow!
|
302
|
+
assert_equal true, @acl.allowed?(nil, nil, 'some_privilege')
|
303
|
+
@acl.deny!
|
304
|
+
assert_equal false, @acl.allowed?(nil, nil, 'some_privilege')
|
305
|
+
end
|
132
306
|
|
133
|
-
|
134
|
-
|
135
|
-
|
307
|
+
# Ensures that a privilege allowed for all Roles upon all Resources works properly
|
308
|
+
def test_privilege_allow
|
309
|
+
@acl.allow!(nil, nil, 'some_privilege')
|
310
|
+
assert_equal true, @acl.allowed?(nil, nil, 'some_privilege')
|
311
|
+
end
|
136
312
|
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
assert_equal
|
313
|
+
# Ensures that a privilege denied for all Roles upon all Resources works properly
|
314
|
+
def test_privilege_deny
|
315
|
+
@acl.allow!
|
316
|
+
@acl.deny!(nil, nil, 'some_privilege')
|
317
|
+
assert_equal false, @acl.allowed?(nil, nil, 'some_privilege')
|
142
318
|
end
|
143
319
|
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
@acl.
|
148
|
-
@acl.
|
149
|
-
@acl.
|
150
|
-
@acl.
|
320
|
+
# Ensures that multiple privileges work properly
|
321
|
+
def test_privileges
|
322
|
+
@acl.allow!(nil, nil, ['p1', 'p2', 'p3'])
|
323
|
+
assert_equal true, @acl.allowed?(nil, nil, 'p1')
|
324
|
+
assert_equal true, @acl.allowed?(nil, nil, 'p2')
|
325
|
+
assert_equal true, @acl.allowed?(nil, nil, 'p3')
|
326
|
+
assert_equal false, @acl.allowed?(nil, nil, 'p4')
|
327
|
+
|
328
|
+
@acl.deny!(nil, nil, 'p1')
|
329
|
+
assert_equal false, @acl.allowed?(nil, nil, 'p1')
|
330
|
+
|
331
|
+
@acl.deny!(nil, nil, ['p2', 'p3'])
|
332
|
+
assert_equal false, @acl.allowed?(nil, nil, 'p2')
|
333
|
+
assert_equal false, @acl.allowed?(nil, nil, 'p3')
|
334
|
+
end
|
335
|
+
|
336
|
+
# # [NOT IMPLEMENTED YET] Ensures that assertions on privileges work properly
|
337
|
+
# def test_privilege_assert
|
338
|
+
# @acl.allow!(nil, nil, 'some_privilege', Rend::Acl::Mock_assertion.new(true))
|
339
|
+
# assert_equal true, @acl.allowed?(nil, nil, 'some_privilege')
|
340
|
+
# @acl.allow!(nil, nil, 'some_privilege', Rend::Acl::Mock_assertion.new(false))
|
341
|
+
# assert_equal false, @acl.allowed?(nil, nil, 'some_privilege')
|
342
|
+
# end
|
343
|
+
|
344
|
+
# Ensures that by default, Zend_Acl denies access to everything for a particular Role
|
345
|
+
def test_role_default_deny
|
346
|
+
role_guest = Rend::Acl::Role.new('guest')
|
347
|
+
@acl.add_role!(role_guest)
|
348
|
+
assert_equal false, @acl.allowed?(role_guest)
|
349
|
+
end
|
350
|
+
|
351
|
+
# Ensures that ACL-wide rules (all Resources and privileges) work properly for a particular Role
|
352
|
+
def test_role_default_rule_set
|
353
|
+
role_guest = Rend::Acl::Role.new('guest')
|
354
|
+
@acl.add_role!(role_guest)
|
355
|
+
@acl.allow!(role_guest)
|
356
|
+
assert_equal true, @acl.allowed?(role_guest)
|
357
|
+
@acl.deny!(role_guest)
|
358
|
+
assert_equal false, @acl.allowed?(role_guest)
|
359
|
+
end
|
360
|
+
|
361
|
+
# Ensures that by default, Zend_Acl denies access to a privilege on anything for a particular Role
|
362
|
+
def test_role_default_privilege_deny
|
363
|
+
role_guest = Rend::Acl::Role.new('guest')
|
364
|
+
@acl.add_role!(role_guest)
|
365
|
+
assert_equal false, @acl.allowed?(role_guest, nil, 'some_privilege')
|
366
|
+
end
|
367
|
+
|
368
|
+
# Ensures that ACL-wide rules apply to privileges for a particular Role
|
369
|
+
def test_role_default_rule_set_privilege
|
370
|
+
role_guest = Rend::Acl::Role.new('guest')
|
371
|
+
@acl.add_role!(role_guest)
|
372
|
+
@acl.allow!(role_guest)
|
373
|
+
assert_equal true, @acl.allowed?(role_guest, nil, 'some_privilege')
|
374
|
+
@acl.deny!(role_guest)
|
375
|
+
assert_equal false, @acl.allowed?(role_guest, nil, 'some_privilege')
|
376
|
+
end
|
377
|
+
|
378
|
+
# Ensures that a privilege allowed for a particular Role upon all Resources works properly
|
379
|
+
def test_role_privilege_allow
|
380
|
+
role_guest = Rend::Acl::Role.new('guest')
|
381
|
+
@acl.add_role!(role_guest)
|
382
|
+
@acl.allow!(role_guest, nil, 'some_privilege')
|
383
|
+
assert_equal true, @acl.allowed?(role_guest, nil, 'some_privilege')
|
384
|
+
end
|
385
|
+
|
386
|
+
# Ensures that a privilege denied for a particular Role upon all Resources works properly
|
387
|
+
def test_role_privilege_deny
|
388
|
+
role_guest = Rend::Acl::Role.new('guest')
|
389
|
+
@acl.add_role!(role_guest)
|
390
|
+
@acl.allow!(role_guest)
|
391
|
+
@acl.deny!(role_guest, nil, 'some_privilege')
|
392
|
+
assert_equal false, @acl.allowed?(role_guest, nil, 'some_privilege')
|
393
|
+
end
|
394
|
+
|
395
|
+
# Ensures that multiple privileges work properly for a particular Role
|
396
|
+
def test_role_privileges
|
397
|
+
role_guest = Rend::Acl::Role.new('guest')
|
398
|
+
@acl.add_role!(role_guest)
|
399
|
+
@acl.allow!(role_guest, nil, ['p1', 'p2', 'p3'])
|
400
|
+
assert_equal true, @acl.allowed?(role_guest, nil, 'p1')
|
401
|
+
assert_equal true, @acl.allowed?(role_guest, nil, 'p2')
|
402
|
+
assert_equal true, @acl.allowed?(role_guest, nil, 'p3')
|
403
|
+
assert_equal false, @acl.allowed?(role_guest, nil, 'p4')
|
404
|
+
@acl.deny!(role_guest, nil, 'p1')
|
405
|
+
assert_equal false, @acl.allowed?(role_guest, nil, 'p1')
|
406
|
+
@acl.deny!(role_guest, nil, ['p2', 'p3'])
|
407
|
+
assert_equal false, @acl.allowed?(role_guest, nil, 'p2')
|
408
|
+
assert_equal false, @acl.allowed?(role_guest, nil, 'p3')
|
409
|
+
end
|
410
|
+
|
411
|
+
# Ensures that removing the default deny rule results in default deny rule
|
412
|
+
def test_remove_default_deny
|
413
|
+
assert_equal false, @acl.allowed?
|
414
|
+
@acl.remove_deny!
|
415
|
+
assert_equal false, @acl.allowed?
|
416
|
+
end
|
417
|
+
|
418
|
+
|
419
|
+
# Ensures that removing the default allow rule results in default deny rule being assigned
|
420
|
+
def test_remove_default_allow
|
421
|
+
@acl.allow!
|
422
|
+
assert_equal true, @acl.allowed?
|
423
|
+
@acl.remove_allow!
|
424
|
+
assert_equal false, @acl.allowed?
|
425
|
+
end
|
426
|
+
|
427
|
+
# Ensures that removing non-existent default allow rule does nothing
|
428
|
+
def test_remove_default_allow_non_existent
|
429
|
+
@acl.remove_allow!
|
430
|
+
assert_equal false, @acl.allowed?
|
431
|
+
end
|
432
|
+
|
433
|
+
# Ensures that removing non-existent default deny rule does nothing
|
434
|
+
def test_remove_default_deny_non_existent
|
435
|
+
@acl.allow!
|
436
|
+
@acl.remove_deny!
|
437
|
+
assert_equal true, @acl.allowed?
|
438
|
+
end
|
439
|
+
|
440
|
+
# # Ensure that basic rule removal works
|
441
|
+
def test_rules_remove
|
442
|
+
@acl.allow!(nil, nil, ['privilege1', 'privilege2'])
|
443
|
+
assert_equal false, @acl.allowed?
|
444
|
+
assert_equal true, @acl.allowed?(nil, nil, 'privilege1')
|
445
|
+
assert_equal true, @acl.allowed?(nil, nil, 'privilege2')
|
446
|
+
|
447
|
+
@acl.remove_allow!(nil, nil, 'privilege1')
|
448
|
+
assert_equal false, @acl.allowed?(nil, nil, 'privilege1')
|
449
|
+
assert_equal true, @acl.allowed?(nil, nil, 'privilege2')
|
450
|
+
end
|
451
|
+
|
452
|
+
# # Ensures that removal of a Role results in its rules being removed
|
453
|
+
def test_rule_role_remove
|
454
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'))
|
455
|
+
@acl.allow!('guest')
|
456
|
+
assert_equal true, @acl.allowed?('guest')
|
457
|
+
|
458
|
+
@acl.remove_role!('guest')
|
459
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
460
|
+
@acl.allowed?('guest')
|
461
|
+
flunk('Expected Rend::Acl::Role::Registry::Exception not thrown upon is_allowed on non-existent Role')
|
462
|
+
end
|
463
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'))
|
464
|
+
assert_equal false, @acl.allowed?('guest')
|
465
|
+
end
|
466
|
+
|
467
|
+
# Ensures that removal of all Roles results in Role-specific rules being removed
|
468
|
+
def test_rule_role_remove_all
|
469
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'))
|
470
|
+
@acl.allow!('guest')
|
471
|
+
assert_equal true, @acl.allowed?('guest')
|
472
|
+
@acl.remove_role_all!
|
473
|
+
assert_raises Rend::Acl::Role::Registry::Exception do
|
474
|
+
@acl.allowed?('guest')
|
475
|
+
flunk('Expected Rend::Acl::Role::Registry::Exception not thrown upon is_allowed on non-existent Role')
|
476
|
+
end
|
477
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'))
|
478
|
+
assert_equal false, @acl.allowed?('guest')
|
479
|
+
end
|
480
|
+
|
481
|
+
# Ensures that removal of a Resource results in its rules being removed
|
482
|
+
def test_rules_resource_remove
|
483
|
+
@acl.add_resource!(Rend::Acl::Resource.new('area'))
|
484
|
+
@acl.allow!(nil, 'area')
|
485
|
+
assert_equal true, @acl.allowed?(nil, 'area')
|
486
|
+
@acl.remove_resource!('area')
|
487
|
+
assert_raises Rend::Acl::Exception do
|
488
|
+
@acl.allowed?(nil, 'area')
|
489
|
+
flunk('Expected Rend::Acl::Exception not thrown upon is_allowed on non-existent Resource')
|
490
|
+
end
|
491
|
+
@acl.add_resource!(Rend::Acl::Resource.new('area'))
|
492
|
+
assert_equal false, @acl.allowed?(nil, 'area')
|
493
|
+
end
|
494
|
+
|
495
|
+
# Ensures that removal of all Resources results in Resource-specific rules being removed
|
496
|
+
def test_rules_resource_remove_all
|
497
|
+
@acl.add_resource!(Rend::Acl::Resource.new('area'))
|
498
|
+
@acl.allow!(nil, 'area')
|
499
|
+
assert_equal true, @acl.allowed?(nil, 'area')
|
500
|
+
@acl.remove_resource_all!
|
501
|
+
assert_raises Rend::Acl::Exception do
|
502
|
+
@acl.allowed?(nil, 'area')
|
503
|
+
flunk('Expected Rend::Acl::Exception not thrown upon is_allowed on non-existent Resource')
|
504
|
+
end
|
505
|
+
@acl.add_resource!(Rend::Acl::Resource.new('area'))
|
506
|
+
assert_equal false, @acl.allowed?(nil, 'area')
|
507
|
+
end
|
508
|
+
|
509
|
+
# Ensures that an example for a content management system is operable
|
510
|
+
def test_cms_example
|
511
|
+
# Add some roles to the Role registry
|
512
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'))
|
513
|
+
@acl.add_role!(Rend::Acl::Role.new('staff'), 'guest') # staff inherits permissions from guest
|
514
|
+
@acl.add_role!(Rend::Acl::Role.new('editor'), 'staff') # editor inherits permissions from staff
|
515
|
+
@acl.add_role!(Rend::Acl::Role.new('administrator'))
|
151
516
|
|
152
517
|
# Guest may only view content
|
153
|
-
@acl.allow!
|
518
|
+
@acl.allow!('guest', nil, 'view')
|
154
519
|
|
155
|
-
# Staff inherits view privilege from guest, but also needs additional
|
156
|
-
|
157
|
-
@acl.allow! 'staff', nil, %w[edit submit revise]
|
520
|
+
# Staff inherits view privilege from guest, but also needs additional privileges
|
521
|
+
@acl.allow!('staff', nil, ['edit', 'submit', 'revise'])
|
158
522
|
|
159
|
-
# Editor inherits view, edit, submit, and revise privileges
|
160
|
-
|
161
|
-
@acl.allow! 'editor', nil, %w[publish archive delete]
|
523
|
+
# Editor inherits view, edit, submit, and revise privileges, but also needs additional privileges
|
524
|
+
@acl.allow!('editor', nil, ['publish', 'archive', 'delete'])
|
162
525
|
|
163
|
-
# Administrator inherits nothing
|
164
|
-
@acl.allow!
|
526
|
+
# Administrator inherits nothing but is allowed all privileges
|
527
|
+
@acl.allow!('administrator')
|
165
528
|
|
166
|
-
#
|
529
|
+
# Access control checks based on above permission sets
|
530
|
+
assert_equal true, @acl.allowed?('guest', nil, 'view')
|
531
|
+
assert_equal false, @acl.allowed?('guest', nil, 'edit')
|
532
|
+
assert_equal false, @acl.allowed?('guest', nil, 'submit')
|
533
|
+
assert_equal false, @acl.allowed?('guest', nil, 'revise')
|
534
|
+
assert_equal false, @acl.allowed?('guest', nil, 'publish')
|
535
|
+
assert_equal false, @acl.allowed?('guest', nil, 'archive')
|
536
|
+
assert_equal false, @acl.allowed?('guest', nil, 'delete')
|
537
|
+
assert_equal false, @acl.allowed?('guest', nil, 'unknown')
|
538
|
+
assert_equal false, @acl.allowed?('guest')
|
539
|
+
|
540
|
+
assert_equal true, @acl.allowed?('staff', nil, 'view')
|
541
|
+
assert_equal true, @acl.allowed?('staff', nil, 'edit')
|
542
|
+
assert_equal true, @acl.allowed?('staff', nil, 'submit')
|
543
|
+
assert_equal true, @acl.allowed?('staff', nil, 'revise')
|
544
|
+
assert_equal false, @acl.allowed?('staff', nil, 'publish')
|
545
|
+
assert_equal false, @acl.allowed?('staff', nil, 'archive')
|
546
|
+
assert_equal false, @acl.allowed?('staff', nil, 'delete')
|
547
|
+
assert_equal false, @acl.allowed?('staff', nil, 'unknown')
|
548
|
+
assert_equal false, @acl.allowed?('staff')
|
549
|
+
|
550
|
+
assert_equal true, @acl.allowed?('editor', nil, 'view')
|
551
|
+
assert_equal true, @acl.allowed?('editor', nil, 'edit')
|
552
|
+
assert_equal true, @acl.allowed?('editor', nil, 'submit')
|
553
|
+
assert_equal true, @acl.allowed?('editor', nil, 'revise')
|
554
|
+
assert_equal true, @acl.allowed?('editor', nil, 'publish')
|
555
|
+
assert_equal true, @acl.allowed?('editor', nil, 'archive')
|
556
|
+
assert_equal true, @acl.allowed?('editor', nil, 'delete')
|
557
|
+
assert_equal false, @acl.allowed?('editor', nil, 'unknown')
|
558
|
+
assert_equal false, @acl.allowed?('editor')
|
559
|
+
|
560
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'view')
|
561
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'edit')
|
562
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'submit')
|
563
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'revise')
|
564
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'publish')
|
565
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'archive')
|
566
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'delete')
|
567
|
+
assert_equal true, @acl.allowed?('administrator', nil, 'unknown')
|
568
|
+
assert_equal true, @acl.allowed?('administrator')
|
569
|
+
|
570
|
+
# Some checks on specific areas, which inherit access controls from the root ACL node
|
571
|
+
@acl.add_resource!(Rend::Acl::Resource.new('newsletter'))
|
572
|
+
@acl.add_resource!(Rend::Acl::Resource.new('pending'), 'newsletter')
|
573
|
+
@acl.add_resource!(Rend::Acl::Resource.new('gallery'))
|
574
|
+
@acl.add_resource!(Rend::Acl::Resource.new('profiles'), 'gallery')
|
575
|
+
@acl.add_resource!(Rend::Acl::Resource.new('config'))
|
576
|
+
@acl.add_resource!(Rend::Acl::Resource.new('hosts'), 'config')
|
577
|
+
|
578
|
+
assert_equal true, @acl.allowed?('guest', 'pending', 'view')
|
579
|
+
assert_equal true, @acl.allowed?('staff', 'profiles', 'revise')
|
580
|
+
assert_equal true, @acl.allowed?('staff', 'pending', 'view')
|
581
|
+
assert_equal true, @acl.allowed?('staff', 'pending', 'edit')
|
582
|
+
assert_equal false, @acl.allowed?('staff', 'pending', 'publish')
|
583
|
+
assert_equal false, @acl.allowed?('staff', 'pending')
|
584
|
+
assert_equal false, @acl.allowed?('editor', 'hosts', 'unknown')
|
585
|
+
assert_equal true, @acl.allowed?('administrator', 'pending')
|
586
|
+
|
587
|
+
# Add a new group, marketing, which bases its permissions on staff
|
167
588
|
@acl.add_role!(Rend::Acl::Role.new('marketing'), 'staff')
|
168
589
|
|
169
|
-
#
|
590
|
+
# Refine the privilege sets for more specific needs
|
170
591
|
|
171
|
-
#
|
172
|
-
@acl.
|
592
|
+
# Allow marketing to publish and archive newsletters
|
593
|
+
@acl.allow!('marketing', 'newsletter', ['publish', 'archive'])
|
173
594
|
|
174
|
-
# news
|
595
|
+
# Allow marketing to publish and archive latest news
|
175
596
|
@acl.add_resource!(Rend::Acl::Resource.new('news'))
|
176
|
-
|
177
|
-
# latest news
|
178
597
|
@acl.add_resource!(Rend::Acl::Resource.new('latest'), 'news')
|
598
|
+
@acl.allow!('marketing', 'latest', ['publish', 'archive'])
|
599
|
+
|
600
|
+
# Deny staff (and marketing, by inheritance) rights to revise latest news
|
601
|
+
@acl.deny!('staff', 'latest', 'revise')
|
179
602
|
|
180
|
-
#
|
603
|
+
# Deny everyone access to archive news announcements
|
181
604
|
@acl.add_resource!(Rend::Acl::Resource.new('announcement'), 'news')
|
605
|
+
@acl.deny!(nil, 'announcement', 'archive')
|
606
|
+
|
607
|
+
# Access control checks for the above refined permission sets
|
608
|
+
assert_equal true, @acl.allowed?('marketing', nil, 'view')
|
609
|
+
assert_equal true, @acl.allowed?('marketing', nil, 'edit')
|
610
|
+
assert_equal true, @acl.allowed?('marketing', nil, 'submit')
|
611
|
+
assert_equal true, @acl.allowed?('marketing', nil, 'revise')
|
612
|
+
assert_equal false, @acl.allowed?('marketing', nil, 'publish')
|
613
|
+
assert_equal false, @acl.allowed?('marketing', nil, 'archive')
|
614
|
+
assert_equal false, @acl.allowed?('marketing', nil, 'delete')
|
615
|
+
assert_equal false, @acl.allowed?('marketing', nil, 'unknown')
|
616
|
+
assert_equal false, @acl.allowed?('marketing')
|
617
|
+
|
618
|
+
assert_equal true, @acl.allowed?('marketing', 'newsletter', 'publish')
|
619
|
+
assert_equal false, @acl.allowed?('staff', 'pending', 'publish')
|
620
|
+
assert_equal true, @acl.allowed?('marketing', 'pending', 'publish')
|
621
|
+
assert_equal true, @acl.allowed?('marketing', 'newsletter', 'archive')
|
622
|
+
assert_equal false, @acl.allowed?('marketing', 'newsletter', 'delete')
|
623
|
+
assert_equal false, @acl.allowed?('marketing', 'newsletter')
|
624
|
+
|
625
|
+
assert_equal true, @acl.allowed?('marketing', 'latest', 'publish')
|
626
|
+
assert_equal true, @acl.allowed?('marketing', 'latest', 'archive')
|
627
|
+
assert_equal false, @acl.allowed?('marketing', 'latest', 'delete')
|
628
|
+
assert_equal false, @acl.allowed?('marketing', 'latest', 'revise')
|
629
|
+
assert_equal false, @acl.allowed?('marketing', 'latest')
|
630
|
+
|
631
|
+
assert_equal false, @acl.allowed?('marketing', 'announcement', 'archive')
|
632
|
+
assert_equal false, @acl.allowed?('staff', 'announcement', 'archive')
|
633
|
+
assert_equal false, @acl.allowed?('administrator', 'announcement', 'archive')
|
634
|
+
|
635
|
+
assert_equal false, @acl.allowed?('staff', 'latest', 'publish')
|
636
|
+
assert_equal false, @acl.allowed?('editor', 'announcement', 'archive')
|
637
|
+
|
638
|
+
# Remove some previous permission specifications
|
639
|
+
|
640
|
+
# Marketing can no longer publish and archive newsletters
|
641
|
+
@acl.remove_allow!('marketing', 'newsletter', ['publish', 'archive'])
|
642
|
+
|
643
|
+
# Marketing can no longer archive the latest news
|
644
|
+
@acl.remove_allow!('marketing', 'latest', 'archive')
|
645
|
+
|
646
|
+
# Now staff (and marketing, by inheritance) may revise latest news
|
647
|
+
@acl.remove_deny!('staff', 'latest', 'revise')
|
648
|
+
|
649
|
+
# Access control checks for the above refinements
|
650
|
+
|
651
|
+
assert_equal false, @acl.allowed?('marketing', 'newsletter', 'publish')
|
652
|
+
assert_equal false, @acl.allowed?('marketing', 'newsletter', 'archive')
|
653
|
+
assert_equal false, @acl.allowed?('marketing', 'latest', 'archive')
|
654
|
+
assert_equal true, @acl.allowed?('staff', 'latest', 'revise')
|
655
|
+
assert_equal true, @acl.allowed?('marketing', 'latest', 'revise')
|
656
|
+
|
657
|
+
# Grant marketing all permissions on the latest news
|
658
|
+
@acl.allow!('marketing', 'latest')
|
659
|
+
|
660
|
+
# Access control checks for the above refinement
|
661
|
+
assert_equal true, @acl.allowed?('marketing', 'latest', 'archive')
|
662
|
+
assert_equal true, @acl.allowed?('marketing', 'latest', 'publish')
|
663
|
+
assert_equal true, @acl.allowed?('marketing', 'latest', 'edit')
|
664
|
+
assert_equal true, @acl.allowed?('marketing', 'latest')
|
665
|
+
|
666
|
+
end
|
667
|
+
|
668
|
+
# [NOT IMPLEMENTED YET] Ensures that the default rule obeys its assertion
|
669
|
+
# def test_default_assert
|
670
|
+
# @acl.deny!(nil, nil, nil, Rend::Acl::Mock_assertion.new(false))
|
671
|
+
# assert_equal true, @acl.allowed?
|
672
|
+
# assert_equal true, @acl.allowed?(nil, nil, 'some_privilege')
|
673
|
+
# end
|
674
|
+
|
675
|
+
# Ensures that the only_parents argument to inherits_role? works
|
676
|
+
# @group ZF-2502
|
677
|
+
def test_role_inheritance_supports_checking_only_parents
|
678
|
+
@acl.add_role!(Rend::Acl::Role.new('grandparent'))
|
679
|
+
@acl.add_role!(Rend::Acl::Role.new('parent'), 'grandparent')
|
680
|
+
@acl.add_role!(Rend::Acl::Role.new('child'), 'parent')
|
681
|
+
assert_equal false, @acl.inherits_role?('child', 'grandparent', true)
|
682
|
+
end
|
683
|
+
|
684
|
+
# Returns an array of registered roles
|
685
|
+
# @expected_exception PHPUnit_Framework_Error
|
686
|
+
# @group ZF-5638
|
687
|
+
# Porter Note: Seems like an odd test... investigate more
|
688
|
+
def test_get_registered_roles
|
689
|
+
@acl.add_role!('developer')
|
690
|
+
|
691
|
+
roles = @acl.roles
|
692
|
+
assert_kind_of Array, roles
|
693
|
+
assert_equal false, roles.empty?
|
694
|
+
end
|
695
|
+
|
696
|
+
# Confirm that deleting a role after allowing access to all roles
|
697
|
+
# raise undefined index error
|
698
|
+
# @group ZF-5700
|
699
|
+
# Porter Note: Seems like an odd test... investigate more
|
700
|
+
def test_removing_role_after_it_was_allowed_access_to_all_resources_gives_error
|
701
|
+
@acl.add_role!(Rend::Acl::Role.new('test0'))
|
702
|
+
@acl.add_role!(Rend::Acl::Role.new('test1'))
|
703
|
+
@acl.add_role!(Rend::Acl::Role.new('test2'))
|
704
|
+
@acl.add_resource!(Rend::Acl::Resource.new('Test'))
|
705
|
+
|
706
|
+
@acl.allow!(nil,'Test','xxx')
|
707
|
+
|
708
|
+
# error test
|
709
|
+
@acl.remove_role!('test0')
|
710
|
+
|
711
|
+
# Check after fix
|
712
|
+
assert_equal false, @acl.has_role?('test0')
|
713
|
+
end
|
714
|
+
|
715
|
+
# @group ZF-8039
|
716
|
+
# Meant to test for the (in)existance of this notice:
|
717
|
+
# "Notice: Undefined index: all_privileges in lib/Zend/Acl.php on line 682"
|
718
|
+
# Porter Note: Seems like an odd test... investigate more
|
719
|
+
def test_method_remove_allow_does_not_throw_notice
|
720
|
+
acl = Rend::Acl.new
|
721
|
+
acl.add_role!('admin')
|
722
|
+
acl.add_resource!('blog')
|
723
|
+
acl.allow!('admin', 'blog', 'read')
|
724
|
+
acl.remove_allow!(['admin'], ['blog'], nil)
|
725
|
+
end
|
726
|
+
|
727
|
+
def test_role_object_implements_to_string
|
728
|
+
role = Rend::Acl::Role.new('_foo_bar_')
|
729
|
+
assert_equal '_foo_bar_', role.to_s
|
730
|
+
end
|
731
|
+
|
732
|
+
def test_resource_object_implements_to_string
|
733
|
+
resource = Rend::Acl::Resource.new('_foo_bar_')
|
734
|
+
assert_equal '_foo_bar_', resource.to_s
|
735
|
+
end
|
736
|
+
|
737
|
+
|
738
|
+
# @group ZF-8468
|
739
|
+
def test_roles
|
740
|
+
assert_equal [], @acl.roles
|
741
|
+
|
742
|
+
role_guest = Rend::Acl::Role.new('guest')
|
743
|
+
@acl.add_role!(role_guest)
|
744
|
+
@acl.add_role!(Rend::Acl::Role.new('staff'), role_guest)
|
745
|
+
@acl.add_role!(Rend::Acl::Role.new('editor'), 'staff')
|
746
|
+
@acl.add_role!(Rend::Acl::Role.new('administrator'))
|
747
|
+
|
748
|
+
expected = %w[guest staff editor administrator]
|
749
|
+
assert_equal expected, @acl.roles
|
750
|
+
end
|
751
|
+
|
752
|
+
# @group ZF-8468
|
753
|
+
def test_resources
|
754
|
+
assert_equal [], @acl.resources
|
755
|
+
|
756
|
+
@acl.add_resource!(Rend::Acl::Resource.new('some_resource'))
|
757
|
+
@acl.add_resource!(Rend::Acl::Resource.new('some_other_resource'))
|
758
|
+
|
759
|
+
expected = ['some_resource', 'some_other_resource']
|
760
|
+
assert_equal expected, @acl.resources
|
761
|
+
end
|
762
|
+
|
763
|
+
# @group ZF-9643
|
764
|
+
def test_remove_allow_with_nil_resource_after_resource_specific_rules_applies_to_all_resources
|
765
|
+
@acl.add_role!('guest')
|
766
|
+
@acl.add_resource!('blogpost')
|
767
|
+
@acl.add_resource!('newsletter')
|
768
|
+
@acl.allow!('guest', 'blogpost', 'read')
|
769
|
+
@acl.allow!('guest', 'newsletter', 'read')
|
770
|
+
assert_equal true, @acl.allowed?('guest', 'blogpost', 'read')
|
771
|
+
assert_equal true, @acl.allowed?('guest', 'newsletter', 'read')
|
772
|
+
|
773
|
+
@acl.remove_allow!('guest', 'newsletter', 'read')
|
774
|
+
assert_equal true, @acl.allowed?('guest', 'blogpost', 'read')
|
775
|
+
assert_equal false, @acl.allowed?('guest', 'newsletter', 'read')
|
776
|
+
|
777
|
+
@acl.remove_allow!('guest', nil, 'read')
|
778
|
+
assert_equal false, @acl.allowed?('guest', 'blogpost', 'read')
|
779
|
+
assert_equal false, @acl.allowed?('guest', 'newsletter', 'read')
|
780
|
+
|
781
|
+
# ensure allow nil/all resoures works
|
782
|
+
@acl.allow!('guest', nil, 'read')
|
783
|
+
assert_equal true, @acl.allowed?('guest', 'blogpost', 'read')
|
784
|
+
assert_equal true, @acl.allowed?('guest', 'newsletter', 'read')
|
785
|
+
end
|
786
|
+
|
787
|
+
# @group ZF-9643
|
788
|
+
def test_remove_deny_with_nil_resource_after_resource_specific_rules_applies_to_all_resources
|
789
|
+
@acl.add_role!('guest')
|
790
|
+
@acl.add_resource!('blogpost')
|
791
|
+
@acl.add_resource!('newsletter')
|
792
|
+
|
793
|
+
@acl.allow!
|
794
|
+
@acl.deny!('guest', 'blogpost', 'read')
|
795
|
+
@acl.deny!('guest', 'newsletter', 'read')
|
796
|
+
assert_equal false, @acl.allowed?('guest', 'blogpost', 'read')
|
797
|
+
assert_equal false, @acl.allowed?('guest', 'newsletter', 'read')
|
798
|
+
|
799
|
+
@acl.remove_deny!('guest', 'newsletter', 'read')
|
800
|
+
assert_equal false, @acl.allowed?('guest', 'blogpost', 'read')
|
801
|
+
assert_equal true, @acl.allowed?('guest', 'newsletter', 'read')
|
802
|
+
|
803
|
+
@acl.remove_deny!('guest', nil, 'read')
|
804
|
+
assert_equal true, @acl.allowed?('guest', 'blogpost', 'read')
|
805
|
+
assert_equal true, @acl.allowed?('guest', 'newsletter', 'read')
|
806
|
+
|
807
|
+
# ensure deny nil/all resources works
|
808
|
+
@acl.deny!('guest', nil, 'read')
|
809
|
+
assert_equal false, @acl.allowed?('guest', 'blogpost', 'read')
|
810
|
+
assert_equal false, @acl.allowed?('guest', 'newsletter', 'read')
|
811
|
+
end
|
812
|
+
|
813
|
+
# Ensures that for a particular Role, a deny rule on a specific Resource is honored before an allow rule on the entire ACL
|
814
|
+
def test_role_default_allow_rule_with_resource_deny_rule
|
815
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'))
|
816
|
+
@acl.add_role!(Rend::Acl::Role.new('staff'), 'guest')
|
817
|
+
@acl.add_resource!(Rend::Acl::Resource.new('area1'))
|
818
|
+
@acl.add_resource!(Rend::Acl::Resource.new('area2'))
|
819
|
+
@acl.deny!
|
820
|
+
@acl.allow!('staff')
|
821
|
+
@acl.deny!('staff', ['area1', 'area2'])
|
822
|
+
assert_equal false, @acl.allowed?('staff', 'area1')
|
823
|
+
end
|
824
|
+
|
825
|
+
# Ensures that for a particular Role, a deny rule on a specific privilege is honored before an allow rule on the entire ACL
|
826
|
+
def test_role_default_allow_rule_with_privilege_deny_rule
|
827
|
+
@acl.add_role!(Rend::Acl::Role.new('guest'))
|
828
|
+
@acl.add_role!(Rend::Acl::Role.new('staff'), 'guest')
|
829
|
+
@acl.deny!
|
830
|
+
@acl.allow!('staff')
|
831
|
+
@acl.deny!('staff', nil, ['privilege1', 'privilege2'])
|
832
|
+
assert_equal false, @acl.allowed?('staff', nil, 'privilege1')
|
833
|
+
end
|
834
|
+
|
835
|
+
# @group ZF-10649
|
836
|
+
def test_allow_and_deny_with_nil_for_resources_will_apply_to_all_resources
|
837
|
+
@acl.add_role!('guest')
|
838
|
+
@acl.add_resource!('blogpost')
|
839
|
+
|
840
|
+
@acl.allow!('guest')
|
841
|
+
assert_equal true, @acl.allowed?('guest')
|
842
|
+
assert_equal true, @acl.allowed?('guest', 'blogpost')
|
843
|
+
assert_equal true, @acl.allowed?('guest', 'blogpost', 'read')
|
844
|
+
|
845
|
+
@acl.deny!('guest')
|
846
|
+
assert_equal false, @acl.allowed?('guest')
|
847
|
+
assert_equal false, @acl.allowed?('guest', 'blogpost')
|
848
|
+
assert_equal false, @acl.allowed?('guest', 'blogpost', 'read')
|
849
|
+
end
|
850
|
+
|
851
|
+
#### [TESTS TO BE IMPLEMENTED LATER] ####
|
852
|
+
|
853
|
+
# # Ensures that assertions on privileges work properly for a particular Role
|
854
|
+
# def test_role_privilege_assert
|
855
|
+
# role_guest = Rend::Acl::Role.new('guest')
|
856
|
+
# @acl.add_role!(role_guest)
|
857
|
+
# .allow!(role_guest, nil, 'some_privilege', Rend::Acl::Mock_assertion.new(true))
|
858
|
+
# assert_equal true, @acl.allowed?(role_guest, nil, 'some_privilege')
|
859
|
+
# @acl.allow!(role_guest, nil, 'some_privilege', Rend::Acl::Mock_assertion.new(false))
|
860
|
+
# assert_equal false, @acl.allowed?(role_guest, nil, 'some_privilege')
|
861
|
+
# end
|
862
|
+
|
863
|
+
# # Ensures that removing the default deny rule results in assertion method being removed
|
864
|
+
# def test_remove_default_deny_assert
|
865
|
+
# @acl.deny!(nil, nil, nil, Rend::Acl::Mock_assertion.new(false))
|
866
|
+
# assert_equal true, @acl.allowed?
|
867
|
+
# @acl.remove_deny
|
868
|
+
# assert_equal false, @acl.allowed?
|
869
|
+
# end
|
870
|
+
|
871
|
+
|
872
|
+
# # @group ZF-1721
|
873
|
+
# def test_acl_assertions_get_proper_role_when_inheritence_is_used
|
874
|
+
# acl = this._load_use_case1
|
875
|
+
|
876
|
+
# user = Rend::Acl::Role.new('publisher')
|
877
|
+
# blog_post = Rend::Acl::Resource.new('blog_post')
|
878
|
+
|
879
|
+
# # @var Zend_Acl_Use_case1_User_is_blog_post_owner_assertion
|
880
|
+
# assertion = acl.custom_assertion
|
881
|
+
|
882
|
+
# assert_equal true, acl.is_allowed(user, blog_post, 'modify')
|
883
|
+
|
884
|
+
# assert_equal 'publisher', assertion.last_assert_role.id
|
885
|
+
|
886
|
+
# end
|
887
|
+
|
888
|
+
# # @group ZF-1722
|
889
|
+
# def test_acl_assertions_get_original_is_allowed_objects
|
890
|
+
# acl = this._load_use_case1
|
891
|
+
|
892
|
+
# user = Rend::Acl_Use_case1::User.new
|
893
|
+
# blog_post = Rend::Acl_Use_case1::Blog_post.new
|
894
|
+
|
895
|
+
# assert_equal true, acl.is_allowed(user, blog_post, 'view')
|
896
|
+
|
897
|
+
# /**
|
898
|
+
# * @var Zend_Acl_Use_case1_User_is_blog_post_owner_assertion
|
899
|
+
# */
|
900
|
+
# assertion = acl.custom_assertion
|
901
|
+
|
902
|
+
# assertion.assert_return_value = true
|
903
|
+
# user.role = 'contributor'
|
904
|
+
# assert_equal true, acl.is_allowed(user, blog_post, 'modify'), 'Assertion should return true'
|
905
|
+
# assertion.assert_return_value = false
|
906
|
+
# assert_equal false, acl.is_allowed(user, blog_post, 'modify'), 'Assertion should return false'
|
907
|
+
|
908
|
+
# # check to see if the last assertion has the proper objets
|
909
|
+
# assert_kind_of Zend_Acl_Use_case1_User, assertion.last_assert_role, 'Assertion did not recieve proper role object'
|
910
|
+
# assert_kind_of Zend_Acl_Use_case1_Blog_post, assertion.last_assert_resource, 'Assertion did not recieve proper resource object'
|
911
|
+
|
912
|
+
# end
|
913
|
+
|
914
|
+
# # @group ZF-7973
|
915
|
+
# def test_acl_passes_privilege_to_assert_class {
|
916
|
+
# require_once dirname(__FILE__) . '/_files/Assertion_z_f7973.php'
|
917
|
+
# assertion = Rend::Acl_Acl_test::Assertion_z_f7973.new
|
918
|
+
|
919
|
+
# acl = Rend::Acl.new
|
920
|
+
# acl.add_role!('role')
|
921
|
+
# acl.add_resource!('resource')
|
922
|
+
# acl.allow!('role',nil,nil,assertion)
|
923
|
+
# allowed = acl.is_allowed('role','resource','privilege',assertion)
|
924
|
+
|
925
|
+
# assert_equal true, allowed
|
926
|
+
# end
|
927
|
+
|
928
|
+
|
929
|
+
protected
|
930
|
+
|
931
|
+
# def use_case_2
|
932
|
+
# @acl.add_role!('guest')
|
933
|
+
# @acl.add_role!('contributor', 'guest')
|
934
|
+
# @acl.add_role!('publisher', 'contributor')
|
935
|
+
# @acl.add_role!('admin')
|
936
|
+
# @acl.add_resource!('blogPost')
|
937
|
+
# @acl.allow!('guest', 'blogPost', 'view')
|
938
|
+
# @acl.allow!('contributor', 'blogPost', 'contribute')
|
939
|
+
# @acl.allow!('contributor', 'blogPost', 'modify', @acl.customAssertion)
|
940
|
+
# @acl.allow!('publisher', 'blogPost', 'publish')
|
941
|
+
# end
|
942
|
+
|
943
|
+
# http:#framework.zend.com/manual/1.12/en/zend.acl.introduction.html#zend.acl.introduction.role_registry
|
944
|
+
def use_case_1
|
945
|
+
acl = Rend::Acl.new
|
946
|
+
|
947
|
+
guest_role = Rend::Acl::Role.new('guest')
|
948
|
+
|
949
|
+
acl.add_role! guest_role
|
950
|
+
acl.add_role! Rend::Acl::Role.new('staff'), guest_role
|
951
|
+
acl.add_role! Rend::Acl::Role.new('editor'), 'staff'
|
952
|
+
acl.add_role! Rend::Acl::Role.new('administrator')
|
953
|
+
|
954
|
+
# Guest may only view content
|
955
|
+
acl.allow! guest_role, nil, 'view'
|
956
|
+
|
957
|
+
# Staff inherits view privilege from guest, but also needs additional privileges
|
958
|
+
acl.allow! 'staff', nil, %w[edit submit revise]
|
959
|
+
|
960
|
+
# Editor inherits view, edit, submit, and revise privileges from staff, but also needs additional privileges
|
961
|
+
acl.allow! 'editor', nil, %w[publish archive delete]
|
962
|
+
|
963
|
+
# Administrator inherits nothing, but is allowed all privileges
|
964
|
+
acl.allow! 'administrator'
|
965
|
+
|
966
|
+
# Add new marketing group that inherits permissions from staff
|
967
|
+
acl.add_role!(Rend::Acl::Role.new('marketing'), 'staff')
|
968
|
+
|
969
|
+
# == Create Resources for the rules ===
|
970
|
+
|
971
|
+
acl.add_resource!(Rend::Acl::Resource.new('newsletter'))
|
972
|
+
acl.add_resource!(Rend::Acl::Resource.new('news'))
|
973
|
+
acl.add_resource!(Rend::Acl::Resource.new('latest'), 'news')
|
974
|
+
acl.add_resource!(Rend::Acl::Resource.new('announcement'), 'news')
|
182
975
|
|
183
976
|
# === Setting up access ====
|
184
977
|
|
185
978
|
# Marketing must be able to publish and archive newsletters and the latest news
|
186
|
-
|
979
|
+
acl.allow!('marketing', ['newsletter', 'latest'], ['publish', 'archive'])
|
187
980
|
|
188
981
|
# Staff (and marketing, by inheritance), are denied permission to revise the latest news
|
189
|
-
|
982
|
+
acl.deny!('staff', 'latest', 'revise')
|
190
983
|
|
191
984
|
# Everyone (including administrators) are denied permission to archive news announcements
|
192
|
-
|
985
|
+
acl.deny!(nil, 'announcement', 'archive')
|
193
986
|
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
# === Testing ===
|
198
|
-
|
199
|
-
assert_equal false, decoded_acl.allowed?('staff' , 'newsletter' , 'publish') # denied
|
200
|
-
assert_equal true, decoded_acl.allowed?('marketing' , 'newsletter' , 'publish') # allowed
|
201
|
-
assert_equal false, decoded_acl.allowed?('staff' , 'latest' , 'publish') # denied
|
202
|
-
assert_equal true, decoded_acl.allowed?('marketing' , 'latest' , 'publish') # allowed
|
203
|
-
assert_equal true, decoded_acl.allowed?('marketing' , 'latest' , 'archive') # allowed
|
204
|
-
assert_equal false, decoded_acl.allowed?('marketing' , 'latest' , 'revise') # denied
|
205
|
-
assert_equal false, decoded_acl.allowed?('editor' , 'announcement' , 'archive') # denied
|
206
|
-
assert_equal false, decoded_acl.allowed?('administrator' , 'announcement' , 'archive') # denied
|
987
|
+
acl
|
988
|
+
end
|
207
989
|
|
990
|
+
def assert_use_case_1(acl)
|
991
|
+
assert_equal false, acl.allowed?('staff' , 'newsletter' , 'publish') # denied
|
992
|
+
assert_equal true, acl.allowed?('marketing' , 'newsletter' , 'publish') # allowed
|
993
|
+
assert_equal false, acl.allowed?('staff' , 'latest' , 'publish') # denied
|
994
|
+
assert_equal true, acl.allowed?('marketing' , 'latest' , 'publish') # allowed
|
995
|
+
assert_equal true, acl.allowed?('marketing' , 'latest' , 'archive') # allowed
|
996
|
+
assert_equal false, acl.allowed?('marketing' , 'latest' , 'revise') # denied
|
997
|
+
assert_equal false, acl.allowed?('editor' , 'announcement' , 'archive') # denied
|
998
|
+
assert_equal false, acl.allowed?('administrator' , 'announcement' , 'archive') # denied
|
208
999
|
end
|
209
1000
|
end
|