Merge pull request #253 from CakeDC/feature/prefixes-for-3.0
refs #prefixes add prefix matcher for RBAC permission rules
steinkel committed Oct 8, 2015
2 parents ba3fa41 + 3c94ef3 commit 78bc90e
Showing 4 changed files with 113 additions and 10 deletions.
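--- a/Docs/Documentation/SimpleRbacAuthorize.md
+++ b/Docs/Documentation/SimpleRbacAuthorize.md
@@ -54,11 +54,12 @@ Permission rules syntax
 * Each rule is defined:
 ```php
 [
-'role' => 'REQUIRED_NAME_OF_THE_ROLE_OR_*',
-'plugin' => 'OPTIONAL_NAME_OF_THE_PLUGIN_OR_*_DEFAULT_NULL',
-'controller' => 'REQUIRED_NAME_OF_THE_CONTROLLER_OR_*'
-'action' => 'REQUIRED_NAME_OF_ACTION_OR_*',
-'allowed' => 'OPTIONAL_BOOLEAN_DEFAULT_TRUE_OR_CALLABLE'
+'role' => 'REQUIRED_NAME_OF_THE_ROLE_OR_[]_OR_*',
+'prefix' => 'OPTIONAL_PREFIX_USED_OR_[]_OR_*_DEFAULT_NULL',
+'plugin' => 'OPTIONAL_NAME_OF_THE_PLUGIN_OR_[]_OR_*_DEFAULT_NULL',
+'controller' => 'REQUIRED_NAME_OF_THE_CONTROLLER_OR_[]_OR_*'
+'action' => 'REQUIRED_NAME_OF_ACTION_OR_[]_OR_*',
+'allowed' => 'OPTIONAL_BOOLEAN_OR_CALLABLE_DEFAULT_TRUE'
 ]
 ```
 * If no rule allowed = true is matched for a given user role and url, default return value will be false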
11 changes: 6 additions & 5 deletions config/permissions.php
Expand Up @@ -17,12 +17,13 @@
* This is a quick roles-permissions implementation
* Rules are evaluated top-down, first matching rule will apply
* Each line define
* 'role-name' =>
* [
* 'plugin', (default = null)
* 'controller',
* 'action',
* 'allowed' (default = true)
* 'role' => 'role' | ['roles'] | '*'
* 'prefix' => 'Prefix' | , (default = null)
* 'plugin' => 'Plugin' | , (default = null)
* 'controller' => 'Controller' | ['Controllers'] | '*',
* 'action' => 'action' | ['actions'] | '*',
* 'allowed' => true | false | callback (default = true)
* ]
* You could use '*' to match anything
* 'allowed' will be considered true if not defined. It allows a callable to manage complex
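Review bot: The two new comment lines for `prefix` and `plugin` read `'Prefix' | , (default = null)` and `'Plugin' | , (default = null)`, with nothing after the bar, so the header does not say which other forms these keys accept. The Markdown documentation changed in the same commit lists an array and `*` for both, so the lines would be clearer as `* 'prefix' => 'Prefix' | ['Prefixes'] | '*', (default = null)` and `* 'plugin' => 'Plugin' | ['Plugins'] | '*', (default = null)`. Because these rules decide authorization, the header should also say what the null default means for a request that does carry a prefix. The comment block continues outside the hunk.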
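--- a/src/Auth/SimpleRbacAuthorize.php
+++ b/src/Auth/SimpleRbacAuthorize.php
@@ -44,6 +44,7 @@ class SimpleRbacAuthorize extends BaseAuthorize
 * [
 * 'role' => 'admin',
 * 'plugin', (optional, default = null)
+* 'prefix', (optional, default = null)
 * 'controller',
 * 'action',
 * 'allowed' (optional, default = true)
@@ -195,7 +196,12 @@ protected function _matchRule($permission, $user, $role, $request)
 $plugin = $request->plugin;
 $controller = $request->controller;
 $action = $request->action;
+$prefix = null;
+if (!empty($request->params['prefix'])) {
+$prefix = $request->params['prefix'];
+}
 if ($this->_matchOrAsterisk($permission, 'role', $role) &&
+$this->_matchOrAsterisk($permission, 'prefix', $prefix, true) &&
 $this->_matchOrAsterisk($permission, 'plugin', $plugin, true) &&
 $this->_matchOrAsterisk($permission, 'controller', $controller) &&
 $this->_matchOrAsterisk($permission, 'action', $action)) {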
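Review bot: Nothing in `_matchRule` or the class docblock says what happens when a rule omits `prefix` and the request has one. The new condition passes `true` as the fourth argument to `_matchOrAsterisk`, whose body is outside the hunk, so a reader cannot tell whether such a rule still matches. That matters for rules written before this change: if a missing key matched any prefix, a rule meant for unprefixed controllers would also authorize prefixed routes with the same controller and action names. Once the behaviour is confirmed against `_matchOrAsterisk`, I would add a comment above `$prefix = null;` such as `// A rule without 'prefix' matches unprefixed requests only; use '*' to match any prefix.`, and extend the docblock line to `* 'prefix', (optional, default = null, i.e. unprefixed requests only)`. `_matchRule` starts and ends outside the hunk.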
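--- a/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php
+++ b/tests/TestCase/Auth/SimpleRbacAuthorizeTest.php
@@ -175,6 +175,10 @@ public function testAuthorize($permissions, $user, $requestParams, $expected, $m
 $request->plugin = Hash::get($requestParams, 'plugin');
 $request->controller = $requestParams['controller'];
 $request->action = $requestParams['action'];
+$prefix = Hash::get($requestParams, 'prefix');
+if ($prefix) {
+$request->params = ['prefix' => $prefix];
+}
 
 $result = $this->simpleRbacAuthorize->authorize($user, $request);
 $this->assertSame($expected, $result, $msg);
@@ -560,6 +564,97 @@ public function providerAuthorize()
 //expected
 false
 ],
+'happy-prefix' => [
+//permissions
+[[
+'role' => ['test'],
+'prefix' => ['admin'],
+'controller' => ['Tests'],
+'action' => ['one', 'two'],
+]],
+//user
+[
+'id' => 1,
+'username' => 'luke',
+'role' => 'test',
+],
+//request
+[
+'prefix' => 'admin',
+'controller' => 'Tests',
+'action' => 'one'
+],
+//expected
+true
+],
+'deny-prefix' => [
+//permissions
+[[
+'role' => ['test'],
+'prefix' => ['admin'],
+'controller' => ['Tests'],
+'action' => ['one', 'two'],
+]],
+//user
+[
+'id' => 1,
+'username' => 'luke',
+'role' => 'test',
+],
+//request
+[
+'controller' => 'Tests',
+'action' => 'one'
+],
+//expected
+false
+],
+'star-prefix' => [
+//permissions
+[[
+'role' => ['test'],
+'prefix' => '*',
+'controller' => ['Tests'],
+'action' => ['one', 'two'],
+]],
+//user
+[
+'id' => 1,
+'username' => 'luke',
+'role' => 'test',
+],
+//request
+[
+'prefix' => 'admin',
+'controller' => 'Tests',
+'action' => 'one'
+],
+//expected
+true
+],
+'array-prefix' => [
+//permissions
+[[
+'role' => ['test'],
+'prefix' => ['one', 'admin'],
+'controller' => '*',
+'action' => '*',
+]],
+//user
+[
+'id' => 1,
+'username' => 'luke',
+'role' => 'test',
+],
+//request
+[
+'prefix' => 'admin',
+'controller' => 'Tests',
+'action' => 'one'
+],
+//expected
+true
+],
 ];
 }
 }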
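Review bot: The four new datasets in `providerAuthorize` never run a rule that has no `prefix` key against a request that does have a prefix, which is the case every rule written before this change falls into. `deny-prefix` covers only the opposite direction, and no dataset has the rule and the request naming different prefixes. A dataset like the one below would pin the fail-closed behaviour. Its expected `false` assumes an omitted `prefix` means "no prefix", as the documented default of null suggests, and should be confirmed against `_matchOrAsterisk`. `providerAuthorize` begins outside the hunk.

```php
// … unchanged: 'happy-prefix', 'deny-prefix', 'star-prefix', 'array-prefix' …
'rule-without-prefix-on-prefixed-request' => [
    //permissions
    [[
        'role' => ['test'],
        'controller' => ['Tests'],
        'action' => ['one', 'two'],
    ]],
    //user
    [
        'id' => 1,
        'username' => 'luke',
        'role' => 'test',
    ],
    //request
    [
        'prefix' => 'admin',
        'controller' => 'Tests',
        'action' => 'one'
    ],
    //expected (assumed; confirm against _matchOrAsterisk)
    false
],
```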
