Login

06-25-2008, 09:44 AM

[eluser]sophistry[/eluser]

Code:
function testacl()

    {

        // This is what we want to restrict access to

        $this->khacl->aco->create('Website');

        $this->khacl->aco->create('Database', 'Website');

        $this->khacl->aco->create('Email', 'Website');

        // create tree root group and nested sub-groups

        $this->khacl->aro->create('Company');

        // all users are part of company

        $this->khacl->aro->create('User', 'Company');

        // admin and guest are both users so inherit user permissions

        $this->khacl->aro->create('Admin', 'User');

        $this->khacl->aro->create('Guest', 'User');

        // create some users belonging to the nested groups

        // first the overall group

        $this->khacl->aro->create('Bob','Company');

        // now the next level down

        $this->khacl->aro->create('David','User');

        // finally the lowest levels where 

        // the axos get detailed

        $this->khacl->aro->create('Jim', 'Admin');

        $this->khacl->aro->create('Bernice', 'Guest');

        // These are the actions axos

        // View is generic action we will use 

        // several times applied to different acos

        $this->khacl->axo->create('View');

        // these will be restricted to admins

        $this->khacl->axo->create('Add');

        $this->khacl->axo->create('Edit');

        $this->khacl->axo->create('Delete');

        // OK lets first deny all users everything

        // (company is the root group)

        $this->khacl->deny('Company','Website');

            // test this to see if it worked to deny access

            // at this point, a specific user should not 

            // be able to view any part of the website

            $this->_can('Bob', 'Website', 'View', FALSE);

        // allow anyone in company to view 

        // anything in entire website

        $this->khacl->allow('Company','Website','View'); 

        // deny Guest all access to Email and Database

        // guests can't do anything to email or database

        // they can't even view, but the rest of the 

        // website remains fully open to guests

        $this->khacl->deny('Guest','Email');

        $this->khacl->deny('Guest','Database');

        // allow admin group to administrate any part of

        // the website including the email and database

        $this->khacl->allow('Admin','Website','Add');   

        $this->khacl->allow('Admin','Website','Edit');

        $this->khacl->allow('Admin','Website','Delete');

        // now test the settings

        echo 'these should be true<hr>';

        // any admin should be able to edit email

        $this->_can('Admin', 'Website', 'Edit', TRUE);

        // specific admin should be able to view any part of website

        $this->_can('Jim', 'Website', 'View', TRUE);

        // specific admin should be able to delete any part of website

        $this->_can('Jim', 'Website', 'Delete', TRUE);

        // specific admin should be able to delete any part of database

        $this->_can('Jim', 'Database', 'Delete', TRUE);

        // specific user should be able to view any part of the website

        $this->_can('Bob', 'Website', 'View', TRUE);

        // specific user should be able to view any part of the database

        $this->_can('Bob', 'Database', 'View', TRUE);

        // specific user should be able to view any part of the database

        $this->_can('David', 'Database', 'View', TRUE);

        echo '<br>these should be false<hr>';

        // specific user should not be able to edit any part of the website

        $this->_can('Bob', 'Website', 'Edit', FALSE);

        // specific user should not be able to edit any part of the website

        $this->_can('David', 'Website', 'Edit', FALSE);

        // specific user should not be able to edit any part of the database

        $this->_can('Bob', 'Database', 'Edit', FALSE);

        // guest should not be allowed to view any email

        $this->_can('Guest', 'Email', 'View', FALSE);

        // guest should not be allowed to view any database

        $this->_can('Guest', 'Database', 'View', FALSE);

        // specific guest user should not be allowed to view any email

        $this->_can('Bernice', 'Email', 'View', FALSE);

        // specific user should not be able to edit any part of the Email

        $this->_can('Bob', 'Email', 'Edit', FALSE);

        // guest should not be able to edit any part of the Email

        $this->_can('Guest', 'Email', 'Edit', FALSE);

        // specific guest user should not be allowed to edit any email

        $this->_can('Bernice', 'Email', 'Edit', FALSE);

        // the khhaos_acl system returns FALSE if indeterminate

        echo '<br>these should confuse the system and give indeterminate answers<hr>';

        // only admin should be able to edit email, 

        // system should not allow generic user, but answer is ambiguous

        $this->_can('User', 'Email', 'Edit', 'UNKNOWN');

        // generic user should not be able to edit any part of 

        // the website, only admin in the next level down can

        $this->_can('User', 'Website', 'Edit', 'UNKNOWN');

    }

    // utility to wrap the kh_acl_check() method

    // and allow printing of results to browser

    function _can($aro, $aco, $axo, $expected)

    {

        $can = kh_acl_check($aro, $aco, $axo);

        print_r(var_export($can, TRUE) . '='. var_export($expected, TRUE) .'<br>');

        return $can;

    }