diff --git a/src/AuthManager.php b/src/AuthManager.php
index 2cd2fe6..8397d98 100644
--- a/src/AuthManager.php
+++ b/src/AuthManager.php
@@ -53,8 +53,8 @@ public function checkAccess($userId, $permission, $params = [])
 if (isset($user->username)) {
 $userId = $user->username;
 }
- if (isset($user->type)) {
- $this->setAssignment($user->type, $userId);
+ if (isset($user->roles)) {
+ $this->setAssignments($user->roles, $userId);
 }
 }
diff --git a/src/Initer.php b/src/Initer.php
index abd3301..d29e100 100644
--- a/src/Initer.php
+++ b/src/Initer.php
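Review bot: The new `$this->setAssignments($user->roles, $userId)` call lets a malformed identity abort checkAccess with an exception: setAssignments is declared `array $items`, so a scalar `roles` attribute raises a TypeError, and setAssignment throws InvalidParamException for any name getItem does not know, whereas callers of checkAccess presumably expect a boolean. Because getItem resolves permissions as well as roles, a name listed in `$user->roles` can also grant that single permission directly (testMighty relies on this with `bill.create`), which the attribute name does not suggest. A comment on the isset line such as `// roles may also list permission names; unknown names throw before the check runs` would make both facts visible at the call site. checkAccess begins before this hunk, so whether the exception is caught there cannot be seen here.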
@@ -20,70 +20,59 @@ class Initer
 {
 public static function init(AuthManager $auth)
 {
- $auth->setRole('client');
- $auth->setRole('support');
- $auth->setRole('admin');
- $auth->setRole('manager');
- $auth->setRole('reseller');
- $auth->setRole('owner');
- $auth->setRole('freezer');
- $auth->setRole('billCreator');
- $auth->setRole('billDeleter');
- $auth->setRole('billManager');
+ $auth->setRole('role:client');
+ $auth->setRole('role:support');
+ $auth->setRole('role:admin');
+ $auth->setRole('role:manager');
+ $auth->setRole('role:reseller');
+ $auth->setRole('role:owner');
+
+ $auth->setRole('role:domain.freezer');
+ $auth->setRole('role:bill.manager');
 $auth->setPermission('restore-password');
 $auth->setPermission('deposit');
- $auth->setPermission('do-support');
+ $auth->setPermission('support');
 $auth->setPermission('manage');
- $auth->setPermission('administrate');
+ $auth->setPermission('admin');
 $auth->setPermission('resell');
 $auth->setPermission('own');
- $auth->setPermission('freeze');
- $auth->setPermission('unfreeze');
- $auth->setPermission('create-bills');
- $auth->setPermission('update-bills');
- $auth->setPermission('delete-bills');
-
- $auth->setChild('client', 'restore-password');
- $auth->setChild('client', 'deposit');
-
- $auth->setChild('support', 'do-support');
-
- $auth->setChild('admin', 'support');
- $auth->setChild('admin', 'administrate');
+ $auth->setPermission('domain.freeze');
+ $auth->setPermission('domain.unfreeze');
+ $auth->setPermission('domain.set-contacts');
- $auth->setChild('manager', 'support');
- $auth->setChild('manager', 'manage');
+ $auth->setPermission('bill.create');
+ $auth->setPermission('bill.update');
+ $auth->setPermission('bill.delete');
- $auth->setChild('reseller', 'billManager');
- $auth->setChild('reseller', 'resell');
- $auth->setChild('reseller', 'deposit');
+ $auth->setChild('role:client', 'restore-password');
+ $auth->setChild('role:client', 'deposit');
- $auth->setChild('owner', 'billManager');
- $auth->setChild('owner', 'resell');
- $auth->setChild('owner', 'own');
+ $auth->setChild('role:support', 'support');
- $auth->setChild('freezer', 'freeze');
- $auth->setChild('freezer', 'unfreeze');
+ $auth->setChild('role:admin', 'role:support');
+ $auth->setChild('role:admin', 'admin');
- $auth->setChild('billCreator', 'create-bills');
- $auth->setChild('billDeleter', 'delete-bills');
+ $auth->setChild('role:manager', 'role:support');
+ $auth->setChild('role:manager', 'manage');
- $auth->setChild('billManager', 'manager');
- $auth->setChild('billManager', 'create-bills');
- $auth->setChild('billManager', 'update-bills');
- $auth->setChild('billManager', 'delete-bills');
+ $auth->setChild('role:reseller', 'role:manager');
+ $auth->setChild('role:reseller', 'role:bill.manager');
+ $auth->setChild('role:reseller', 'resell');
+ $auth->setChild('role:reseller', 'deposit');
- $auth->setAssignment('freezer', 'sol');
- $auth->setAssignment('freezer', 'andre');
+ $auth->setChild('role:owner', 'role:manager');
+ $auth->setChild('role:owner', 'role:bill.manager');
+ $auth->setChild('role:owner', 'resell');
+ $auth->setChild('role:owner', 'own');
- $auth->setAssignment('billManager', 'sol');
- $auth->setAssignment('billManager', 'margo');
- $auth->setAssignment('billManager', 'dsr');
- $auth->setAssignment('billManager', 'olgadsr');
+ $auth->setChild('role:domain.freezer', 'domain.freeze');
+ $auth->setChild('role:domain.freezer', 'domain.unfreeze');
- $auth->persistAssignments();
+ $auth->setChild('role:bill.manager', 'bill.create');
+ $auth->setChild('role:bill.manager', 'bill.update');
+ $auth->setChild('role:bill.manager', 'bill.delete');
 }
 public static function reinit(AuthManager $auth)
diff --git a/src/SetterTrait.php b/src/SetterTrait.php
index 3cf4c93..c332831 100644
--- a/src/SetterTrait.php
+++ b/src/SetterTrait.php
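Review bot: `domain.set-contacts` is registered with setPermission but is the only permission in init that no setChild attaches to any role, so after this change nothing in the hierarchy grants it. If it is meant to be handed to users directly (the way testMighty assigns `bill.create`), say so beside it, e.g. `// granted per-user, not through a role`; if not, a `$auth->setChild('role:domain.freezer', 'domain.set-contacts');` or similar is missing. The method also restates by hand the role-to-children tree that src/files/items.php appears to hold; a single `role => children` array iterated in a loop would keep the two visibly in step. reinit starts after the end of this hunk.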
@@ -85,26 +85,38 @@ public function setChild($parent, $child)
 }
 /**
- * Assigns a role to a user.
- * @param string|Role $role
+ * Assigns an item (role or permission) to a user.
+ * @param string|Item $item
 * @param string|integer $userId the user ID (see [[\yii\web\User::id]])
- * @throws \Exception when given wrong role name or the role has already been assigned to the user
- * @return Assignment the role assignment information
+ * @throws \Exception when given wrong item name
+ * @return Assignment the assignment object
 */
- public function setAssignment($role, $userId)
+ public function setAssignment($item, $userId)
 {
- if (is_string($role)) {
- $name = $role;
- $role = $this->getRole($role);
- if (is_null($role)) {
- throw new InvalidParamException("Unknown role:$name at setAssignment");
+ if (is_string($item)) {
+ $name = $item;
+ $item = $this->getItem($item);
+ if (is_null($item)) {
+ throw new InvalidParamException("Unknown item:$name at setAssignment");
 }
 }
- if (isset($this->assignments[$userId][$role->name])) {
- return false;
+ if (isset($this->assignments[$userId][$item->name])) {
+ return $this->assignments[$userId][$item->name];
 }
- return $this->assign($role, $userId);
+ return $this->assign($item, $userId);
+ }
+
+ /**
+ * Assigns items to a user.
+ * @param array $items
+ * @param string|integer $userId
+ */
+ public function setAssignments(array $items, $userId)
+ {
+ foreach ($items as $item) {
+ $this->setAssignment($item, $userId);
+ }
 }
 /**
@@ -115,4 +127,13 @@ public function getAllAssignments()
 {
 return $this->assignments;
 }
+
+ /**
+ * Returns all items in the system.
+ * @return array
+ */
+ public function getAllItems()
+ {
+ return $this->items;
+ }
 }
diff --git a/src/files/assignments.php b/src/files/assignments.php
index aad7e57..881ab67 100644
--- a/src/files/assignments.php
+++ b/src/files/assignments.php
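Review bot: The rewritten docblock still says `@throws \Exception`, but the only throw in setAssignment's body is `InvalidParamException`, and the duplicate branch now returns the stored entry instead of `false`, so any caller that tested the old result against false needs to change too — `* @throws InvalidParamException when the item name is unknown` and a sentence saying the existing assignment is returned on repeat calls would pin both. setAssignments applies its items one by one, so an unknown name in the middle of the list leaves the earlier items assigned and throws for the rest; its docblock should state that partial effect, e.g. `@throws InvalidParamException when an item name is unknown; items before it stay assigned`. Since getItem resolves permissions as well as roles, setAssignment now grants a permission to a user directly, a widening of the old role-only contract that the description "role or permission" mentions but the commit message should call out for anyone auditing assignments.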
@@ -1,19 +1,2 @@ [
- 'freezer',
- 'billManager',
- ],
- 'andre' => [
- 'freezer',
- ],
- 'margo' => [
- 'billManager',
- ],
- 'dsr' => [
- 'billManager',
- ],
- 'olgadsr' => [
- 'billManager',
- ],
-];
+return [];
diff --git a/src/files/items.php b/src/files/items.php
index 3a4b3e1..3b302d6 100644
--- a/src/files/items.php
+++ b/src/files/items.php
@@ -1,74 +1,63 @@ [
+ 'role:client' => [
 'type' => 1,
 'children' => [
 'restore-password',
 'deposit',
 ],
 ],
- 'support' => [
+ 'role:support' => [
 'type' => 1,
 'children' => [
- 'do-support',
+ 'support',
 ],
 ],
- 'admin' => [
+ 'role:admin' => [
 'type' => 1,
 'children' => [
- 'support',
- 'administrate',
+ 'role:support',
+ 'admin',
 ],
 ],
- 'manager' => [
+ 'role:manager' => [
 'type' => 1,
 'children' => [
- 'support',
+ 'role:support',
 'manage',
 ],
 ],
- 'reseller' => [
+ 'role:reseller' => [
 'type' => 1,
 'children' => [
- 'billManager',
+ 'role:manager',
+ 'role:bill.manager',
 'resell',
 'deposit',
 ],
 ],
- 'owner' => [
+ 'role:owner' => [
 'type' => 1,
 'children' => [
- 'billManager',
+ 'role:manager',
+ 'role:bill.manager',
 'resell',
 'own',
 ],
 ],
- 'freezer' => [
- 'type' => 1,
- 'children' => [
- 'freeze',
- 'unfreeze',
- ],
- ],
- 'billCreator' => [
+ 'role:domain.freezer' => [
 'type' => 1,
 'children' => [
- 'create-bills',
+ 'domain.freeze',
+ 'domain.unfreeze',
 ],
 ],
- 'billDeleter' => [
+ 'role:bill.manager' => [
 'type' => 1,
 'children' => [
- 'delete-bills',
- ],
- ],
- 'billManager' => [
- 'type' => 1,
- 'children' => [
- 'manager',
- 'create-bills',
- 'update-bills',
- 'delete-bills',
+ 'bill.create',
+ 'bill.update',
+ 'bill.delete',
 ],
 ],
 'restore-password' => [
@@ -77,13 +66,13 @@
 'deposit' => [
 'type' => 2,
 ],
- 'do-support' => [
+ 'support' => [
 'type' => 2,
 ],
 'manage' => [
 'type' => 2,
 ],
- 'administrate' => [
+ 'admin' => [
 'type' => 2,
 ],
 'resell' => [
@@ -92,19 +81,22 @@
 'own' => [
 'type' => 2,
 ],
- 'freeze' => [
+ 'domain.freeze' => [
+ 'type' => 2,
+ ],
+ 'domain.unfreeze' => [
 'type' => 2,
 ],
- 'unfreeze' => [
+ 'domain.set-contacts' => [
 'type' => 2,
 ],
- 'create-bills' => [
+ 'bill.create' => [
 'type' => 2,
 ],
- 'update-bills' => [
+ 'bill.update' => [
 'type' => 2,
 ],
- 'delete-bills' => [
+ 'bill.delete' => [
 'type' => 2,
 ],
 ];
diff --git a/tests/unit/CheckAccessTrait.php b/tests/unit/CheckAccessTrait.php
index 0981898..aa05a97 100644
--- a/tests/unit/CheckAccessTrait.php
+++ b/tests/unit/CheckAccessTrait.php
@@ -15,76 +15,81 @@ trait CheckAccessTrait
 {
 public function setAssignments()
 {
- $this->auth->setAssignment('admin', 'sol');
-
- foreach ($this->auth->getRoles() as $role) {
- $this->auth->setAssignment($role->name, $role->name);
+ foreach ($this->auth->getAllItems() as $item) {
+ $this->auth->setAssignment($item->name, $item->name);
 }
 }
 public function testClient()
 {
- $this->assertTrue($this->auth->checkAccess('client', 'deposit'));
- $this->assertTrue($this->auth->checkAccess('client', 'restore-password'));
+ $this->assertTrue ($this->auth->checkAccess('role:client', 'deposit'));
+ $this->assertTrue ($this->auth->checkAccess('role:client', 'restore-password'));
- $this->assertFalse($this->auth->checkAccess('client', 'do-support'));
- $this->assertFalse($this->auth->checkAccess('client', 'manage'));
- $this->assertFalse($this->auth->checkAccess('client', 'freeze'));
- $this->assertFalse($this->auth->checkAccess('client', 'unfreeze'));
- $this->assertFalse($this->auth->checkAccess('client', 'administrate'));
- $this->assertFalse($this->auth->checkAccess('client', 'resell'));
- $this->assertFalse($this->auth->checkAccess('client', 'owner'));
- $this->assertFalse($this->auth->checkAccess('client', 'own'));
+ $this->assertFalse($this->auth->checkAccess('role:client', 'support'));
+ $this->assertFalse($this->auth->checkAccess('role:client', 'manage'));
+ $this->assertFalse($this->auth->checkAccess('role:client', 'domain.freeze'));
+ $this->assertFalse($this->auth->checkAccess('role:client', 'domain.unfreeze'));
+ $this->assertFalse($this->auth->checkAccess('role:client', 'admin'));
+ $this->assertFalse($this->auth->checkAccess('role:client', 'resell'));
+ $this->assertFalse($this->auth->checkAccess('role:client', 'own'));
 }
 public function testSupport()
 {
- $this->assertTrue($this->auth->checkAccess('support', 'do-support'));
+ $this->assertTrue ($this->auth->checkAccess('role:support', 'support'));
- $this->assertFalse($this->auth->checkAccess('support', 'deposit'));
- $this->assertFalse($this->auth->checkAccess('support', 'restore-password'));
- $this->assertFalse($this->auth->checkAccess('support', 'manage'));
- $this->assertFalse($this->auth->checkAccess('support', 'freeze'));
- $this->assertFalse($this->auth->checkAccess('support', 'unfreeze'));
- $this->assertFalse($this->auth->checkAccess('support', 'administrate'));
- $this->assertFalse($this->auth->checkAccess('support', 'resell'));
- $this->assertFalse($this->auth->checkAccess('support', 'owner'));
- $this->assertFalse($this->auth->checkAccess('support', 'own'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'deposit'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'restore-password'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'manage'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'domain.freeze'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'domain.unfreeze'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'admin'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'resell'));
+ $this->assertFalse($this->auth->checkAccess('role:support', 'own'));
 }
 public function testManager()
 {
- $this->assertTrue($this->auth->checkAccess('manager', 'do-support'));
- $this->assertTrue($this->auth->checkAccess('manager', 'manage'));
+ $this->assertTrue ($this->auth->checkAccess('role:manager', 'support'));
+ $this->assertTrue ($this->auth->checkAccess('role:manager', 'manage'));
+
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'deposit'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'restore-password'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'admin'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'resell'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'own'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'domain.freeze'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'domain.unfreeze'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'bill.create'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'bill.update'));
+ $this->assertFalse($this->auth->checkAccess('role:manager', 'bill.delete'));
+ }
- $this->assertFalse($this->auth->checkAccess('manager', 'deposit'));
- $this->assertFalse($this->auth->checkAccess('manager', 'restore-password'));
- $this->assertFalse($this->auth->checkAccess('manager', 'administrate'));
- $this->assertFalse($this->auth->checkAccess('manager', 'resell'));
- $this->assertFalse($this->auth->checkAccess('manager', 'owner'));
- $this->assertFalse($this->auth->checkAccess('manager', 'own'));
- $this->assertFalse($this->auth->checkAccess('manager', 'freeze'));
- $this->assertFalse($this->auth->checkAccess('manager', 'unfreeze'));
- $this->assertFalse($this->auth->checkAccess('manager', 'create-bills'));
- $this->assertFalse($this->auth->checkAccess('manager', 'update-bills'));
- $this->assertFalse($this->auth->checkAccess('manager', 'delete-bills'));
+ public function testPermission()
+ {
+ foreach ($this->auth->getPermissions() as $user) {
+ foreach ($this->auth->getPermissions() as $perm) {
+ $this->assertSame($user->name == $perm->name, $this->auth->checkAccess($user->name, $perm->name));
+ }
+ }
 }
- public function testSol()
+ public function testMighty()
 {
- $this->assertTrue($this->auth->checkAccess('sol', 'do-support'));
- $this->assertTrue($this->auth->checkAccess('sol', 'manage'));
- $this->assertTrue($this->auth->checkAccess('sol', 'freeze'));
- $this->assertTrue($this->auth->checkAccess('sol', 'unfreeze'));
- $this->assertTrue($this->auth->checkAccess('sol', 'administrate'));
- $this->assertTrue($this->auth->checkAccess('sol', 'create-bills'));
- $this->assertTrue($this->auth->checkAccess('sol', 'update-bills'));
- $this->assertTrue($this->auth->checkAccess('sol', 'delete-bills'));
+ $this->auth->setAssignments(['role:admin', 'role:manager', 'bill.create', 'domain.freeze'], 'user:mighty');
+
+ $this->assertTrue ($this->auth->checkAccess('user:mighty', 'support'));
+ $this->assertTrue ($this->auth->checkAccess('user:mighty', 'manage'));
+ $this->assertTrue ($this->auth->checkAccess('user:mighty', 'domain.freeze'));
+ $this->assertTrue ($this->auth->checkAccess('user:mighty', 'admin'));
+ $this->assertTrue ($this->auth->checkAccess('user:mighty', 'bill.create'));
- $this->assertFalse($this->auth->checkAccess('sol', 'deposit'));
- $this->assertFalse($this->auth->checkAccess('sol', 'restore-password'));
- $this->assertFalse($this->auth->checkAccess('sol', 'resell'));
- $this->assertFalse($this->auth->checkAccess('sol', 'owner'));
- $this->assertFalse($this->auth->checkAccess('sol', 'own'));
+ $this->assertFalse($this->auth->checkAccess('user:mighty', 'deposit'));
+ $this->assertFalse($this->auth->checkAccess('user:mighty', 'restore-password'));
+ $this->assertFalse($this->auth->checkAccess('user:mighty', 'resell'));
+ $this->assertFalse($this->auth->checkAccess('user:mighty', 'own'));
+ $this->assertFalse($this->auth->checkAccess('user:mighty', 'bill.update'));
+ $this->assertFalse($this->auth->checkAccess('user:mighty', 'bill.delete'));
+ $this->assertFalse($this->auth->checkAccess('user:mighty', 'domain.unfreeze'));
 }
 }
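Review bot: testPermission builds its expected value with a loose comparison, `$this->assertSame($user->name == $perm->name, ...)`; PHP's `==` coerces numeric-looking strings, so the expectation should be `$user->name === $perm->name` to match the strict assertion around it. The `assertTrue (` calls with a space before the parenthesis are the only such spacing in the hunk and should be `assertTrue(`. The trait helper setAssignments shares its name with the new AuthManager::setAssignments while doing something different (assigning every item to a pseudo-user of the same name), which makes the testMighty call easy to misread; a comment on the helper such as `// one pseudo-user per item, so checkAccess(item, item) is the only true pair` would prevent that. testPermission depends on that helper having run, and the setUp that presumably calls it is outside the hunk.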