API CHANGE: Added PermissionRole and PermissionRoleCode, along with relevant tests for the permission system. (from r85173)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@89187 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sam Minnee 2009-10-15 22:27:56 +00:00
parent 1fed31cb9e
commit dd8120aed7
6 changed files with 143 additions and 2 deletions


@ -28,6 +28,7 @@ class Group extends DataObject {
static $many_many = array(
"Members" => "Member",
"Roles" => "PermissionRole",
);
static $extensions = array(


@ -232,11 +232,20 @@ class Permission extends DataObject {
$groupCSV = implode(", ", $groupList);
// Raw SQL for efficiency
return DB::query("
return array_unique(DB::query("
SELECT \"Code\"
FROM \"Permission\"
WHERE \"Type\" = " . self::GRANT_PERMISSION . " AND \"GroupID\" IN ($groupCSV)
")->column();
UNION
SELECT \"Code\"
FROM \"PermissionRoleCode\" AS PRC
INNER JOIN \"PermissionRole\" AS PR ON PRC.\"RoleID\" = PR.\"ID\"
INNER JOIN \"Group_Roles\" AS GR ON GR.\"PermissionRoleID\" = PR.\"ID\"
WHERE \"GroupID\" IN ($groupCSV)
")->column());
} else {
return array();
}
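Review bot: The new role branch of the UNION interpolates `$groupCSV` into raw SQL a second time, and nothing in the hunk shows that `$groupList` holds only integers. Because this query decides which permission codes a member receives, cast at the point of use: `$groupCSV = implode(", ", array_map('intval', $groupList));`. The second SELECT also filters on an unqualified `"GroupID"`, which resolves only because PermissionRoleCode and PermissionRole, as defined in this commit, have no such column; `WHERE GR.\"GroupID\" IN ($groupCSV)` keeps it unambiguous if the schema grows. `UNION` already removes duplicate rows, so the `array_unique()` wrapper looks redundant. The enclosing function starts and ends outside the hunk.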


@ -0,0 +1,21 @@
<?php
/**
* A PermissionRole represents a collection of permission codes that can be applied to groups.
*
* Because permission codes are very granular, this lets website administrators create more
* business-oriented units of access control - Roles - and assign those to groups.
*/
class PermissionRole extends DataObject {
static $db = array(
"Title" => "Varchar",
);
static $has_many = array(
"Codes" => "PermissionRoleCode",
);
static $belongs_many_many = array(
"Groups" => "Group",
);
}


@ -0,0 +1,14 @@
<?php
/**
* A PermissionRoleCode represents a single permission code assigned to a {@link PermissionRole}.
*/
class PermissionRoleCode extends DataObject {
static $db = array(
"Code" => "Varchar",
);
static $has_one = array(
"Role" => "PermissionRole",
);
}
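Review bot: `Code` is a free-form Varchar and this class defines no write restrictions of its own, yet after this commit the query in Permission returns every PermissionRoleCode row reachable through a group's role as a granted permission. Write access to this table, and to PermissionRole and the Group_Roles join, is therefore equivalent to being able to grant any code. Who may create or change these records should be limited explicitly, for example by overriding `canCreate()`, `canEdit()` and `canDelete()` here, rather than relying on DataObject's defaults, which are not visible on this page. At minimum the docblock should state the consequence: `* Rows of this class are treated as permission grants; restrict who can write them.`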


@ -0,0 +1,44 @@
<?php
class PermissionTest extends SapphireTest {
static $fixture_file = 'sapphire/tests/security/PermissionTest.yml';
function testDirectlyAppliedPermissions() {
$member = $this->objFromFixture('Member', 'author');
$this->assertTrue(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
}
function testPermissionAreInheritedFromOneRole() {
$member = $this->objFromFixture('Member', 'author');
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_CMSMain"));
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_AssetAdmin"));
$this->assertFalse(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
}
function testPermissionAreInheritedFromMultipleRoles() {
$member = $this->objFromFixture('Member', 'access');
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_CMSMain"));
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_AssetAdmin"));
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
$this->assertTrue(Permission::checkMember($member, "EDIT_PERMISSIONS"));
$this->assertFalse(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
}
function testRolesAndPermissionsFromParentGroupsAreInherited() {
$member = $this->objFromFixture('Member', 'globalauthor');
// Check that permissions applied to the group are there
$this->assertTrue(Permission::checkMember($member, "SITETREE_EDIT_ALL"));
// Check that roles from parent groups are there
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_CMSMain"));
$this->assertTrue(Permission::checkMember($member, "CMS_ACCESS_AssetAdmin"));
// Check that permissions from parent groups are there
$this->assertTrue(Permission::checkMember($member, "SITETREE_VIEW_ALL"));
// Check that a random permission that shouldn't be there isn't
$this->assertFalse(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin"));
}
}
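Review bot: Every assertion in this class exercises the grant path, so nothing pins how a role-granted code interacts with a non-grant Permission row. The query in Permission filters direct permissions on `self::GRANT_PERMISSION`, which suggests other types exist, while the role branch of the UNION has no such filter. A fixture group that carries both a role granting a code and a non-grant row for the same code, checked with something like `$this->assertFalse(Permission::checkMember($deniedMember, "CMS_ACCESS_CMSMain"));` (`$deniedMember` is a constructed name, and the expected value should follow whichever precedence is intended), would document that behaviour and catch a regression in it.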


@ -0,0 +1,52 @@
PermissionRole:
author:
Title: Author
access:
Title: Access Administrator
PermissionRoleCode:
author1:
Role: =>PermissionRole.author
Code: CMS_ACCESS_CMSMain
author2:
Role: =>PermissionRole.author
Code: CMS_ACCESS_AssetAdmin
access1:
Role: =>PermissionRole.access
Code: CMS_ACCESS_SecurityAdmin
access2:
Role: =>PermissionRole.access
Code: EDIT_PERMISSIONS
Member:
author:
FirstName: Test
Surname: Author
access:
FirstName: Test
Surname: Access Administrator
globalauthor:
FirstName: Test
Surname: Global Author
Group:
author:
Title: Authors
Members: =>Member.author
Roles: =>PermissionRole.author
access:
Title: Access Administrators + Authors
Members: =>Member.access
Roles: =>PermissionRole.access,=>PermissionRole.author
globalauthor:
Parent: =>Group.author
Title: Global Authors
Members: =>Member.globalauthor
Permission:
extra1:
Code: SITETREE_VIEW_ALL
Group: =>Group.author
globalauthor:
Code: SITETREE_EDIT_ALL
Group: =>Group.globalauthor