|
3 | 3 | use zennit\ABAC\Enums\Operators\ArithmeticOperators; |
4 | 4 | use zennit\ABAC\Enums\Operators\LogicalOperators; |
5 | 5 | use zennit\ABAC\Enums\PolicyMethod; |
| 6 | +use zennit\ABAC\Facades\Abac; |
6 | 7 | use zennit\ABAC\Models\AbacChain; |
7 | 8 | use zennit\ABAC\Models\AbacCheck; |
8 | 9 | use zennit\ABAC\Models\AbacPolicy; |
@@ -54,6 +55,70 @@ function createTitlePolicy(string $value): void |
54 | 55 | $this->actingAs($user)->getJson('/posts/post-one')->assertOk(); |
55 | 56 | }); |
56 | 57 |
|
| 58 | +it('allows access when any OR-linked grant matches', function () { |
| 59 | + config()->set('abac.middleware.resource_patterns', [ |
| 60 | + 'posts/([^/]+)' => Post::class, |
| 61 | + ]); |
| 62 | + |
| 63 | + Abac::addPermission('read', Post::class, ['resource.title' => 'Allowed Title']); |
| 64 | + Abac::addPermission('read', Post::class, ['resource.title' => 'Other Title']); |
| 65 | + |
| 66 | + $user = User::query()->create([ |
| 67 | + '_id' => 'u_or_grants', |
| 68 | + 'slug' => 'or-grants-user', |
| 69 | + 'name' => 'OR Grants User', |
| 70 | + 'role' => 'member', |
| 71 | + ]); |
| 72 | + |
| 73 | + Post::query()->create([ |
| 74 | + '_id' => 'p_or_grants', |
| 75 | + 'slug' => 'or-grants-post', |
| 76 | + 'title' => 'Allowed Title', |
| 77 | + 'owner_id' => 'u_or_grants', |
| 78 | + ]); |
| 79 | + |
| 80 | + $this->actingAs($user)->getJson('/posts/or-grants-post')->assertOk(); |
| 81 | +}); |
| 82 | + |
| 83 | +it('denies show access when requested resource does not match any OR-linked grant', function () { |
| 84 | + config()->set('abac.middleware.resource_patterns', [ |
| 85 | + 'posts/([^/]+)' => Post::class, |
| 86 | + ]); |
| 87 | + |
| 88 | + Abac::addPermission('read', Post::class, ['resource._id' => 'p_allowed_show']); |
| 89 | + Abac::addPermission('read', Post::class, ['resource._id' => 'p_other_allowed_show']); |
| 90 | + |
| 91 | + $user = User::query()->create([ |
| 92 | + '_id' => 'u_show_scope', |
| 93 | + 'slug' => 'show-scope-user', |
| 94 | + 'name' => 'Show Scope User', |
| 95 | + 'role' => 'member', |
| 96 | + ]); |
| 97 | + |
| 98 | + Post::query()->create([ |
| 99 | + '_id' => 'p_allowed_show', |
| 100 | + 'slug' => 'allowed-show-post', |
| 101 | + 'title' => 'Allowed Show Post', |
| 102 | + 'owner_id' => 'u_show_scope', |
| 103 | + ]); |
| 104 | + |
| 105 | + Post::query()->create([ |
| 106 | + '_id' => 'p_other_allowed_show', |
| 107 | + 'slug' => 'other-allowed-show-post', |
| 108 | + 'title' => 'Other Allowed Show Post', |
| 109 | + 'owner_id' => 'u_show_scope', |
| 110 | + ]); |
| 111 | + |
| 112 | + Post::query()->create([ |
| 113 | + '_id' => 'p_denied_show', |
| 114 | + 'slug' => 'denied-show-post', |
| 115 | + 'title' => 'Denied Show Post', |
| 116 | + 'owner_id' => 'u_show_scope', |
| 117 | + ]); |
| 118 | + |
| 119 | + $this->actingAs($user)->getJson('/posts/denied-show-post')->assertUnauthorized(); |
| 120 | +}); |
| 121 | + |
57 | 122 | it('denies access when actor attributes do not satisfy policy checks', function () { |
58 | 123 | config()->set('abac.middleware.resource_patterns', [ |
59 | 124 | 'posts/([^/]+)' => Post::class, |
|
0 commit comments