Added ability to set multiple assertions and their condition for permissions #320
Conversation
|
I like the idea. What about bringing a new "AssertionSet" class that would contain the two constants, and abstract the logic of checking all the assertions and returning a boolean, so the |
|
That actually sounds good. I'll work on it within next few days. |
|
This is a very good idea! It would help us keep things better organized. |
|
@DavidHavl I like this idea! Now work on V3 is progressing it would be bring this feature there too. |
|
Thanks @basz, I have been extremely busy with work past few months but I should have more time now for this. |
|
Is there still progress on this? |
… permissions to use new AssertionSet.
1 similar comment
1 similar comment
| @@ -122,19 +122,15 @@ public function getIdentity() | |||
| public function isGranted($permission, $context = null) | |||
| { | |||
| $roles = $this->roleService->getIdentityRoles(); | |||
|
|
|||
There was a problem hiding this comment.
no need to remove these empty lines
|
Also coverage decreased, can you add some more tests, please? |
|
@basz that was my initial idea behind this but it was not accepted. |
|
Ok, remember why? Perhaps was it for good reason that I am unfamiliar with? |
1 similar comment
1 similar comment
1 similar comment
|
|
||
| // move assertion definition under a key 'assertions'. | ||
| if (!isset($assertion['assertions'])) { | ||
| $assertion['assertions'] = (array)$assertion; | ||
| } else if (!is_array($assertion['assertions'])) { | ||
| } elseif (!is_array($assertion['assertions'])) { |
There was a problem hiding this comment.
remove else, should be:
if (!is_array($assertion['assertions'])) {| * @param mixed $context | ||
| * @return bool | ||
| */ | ||
| public function assert(AuthorizationService $authorizationService, $context = null) |
There was a problem hiding this comment.
maybe not logical but it's possible to have zero assertions here then maybe return true by default or throw exception?
There was a problem hiding this comment.
An empty assertion is not logical indeed and should either return FALSE or an exception.
Better to have defensive defaults.
| // move assertion definition under a key 'assertions'. | ||
| if (!isset($assertion['assertions'])) { | ||
| $assertion['assertions'] = (array)$assertion; | ||
| } elseif (!is_array($assertion['assertions'])) { |
There was a problem hiding this comment.
remove else, this should be:
if (!is_array($assertion['assertions'])) {| * @licence MIT | ||
| */ | ||
|
|
||
| class AssertionSet implements AssertionInterface, \IteratorAggregate |
There was a problem hiding this comment.
I think most of the setters/getters are not required and/or can be private or removed only assert() method is required by interface so why expose those while we can build AssertionSet thought constructor?
There was a problem hiding this comment.
They are not required but I think it may be a good idea to have them, in case people want to use the class their way (see docs).
There was a problem hiding this comment.
Of course not after it is added to AuthorizationService, but when specifying assertion map. See my other comment bellow.
| * | ||
| * @return bool true if the assertion is defined, false otherwise | ||
| */ | ||
| public function hasAssertion($name) |
There was a problem hiding this comment.
not sure but do we use this somewhere outside this class?
There was a problem hiding this comment.
Yes people can when they use the class directly (see docs).
There was a problem hiding this comment.
okey maybe they could but still not convinced. Even if they want to modify it what is bad I think they could create new one instead. because reusing same set on different permissions and randomly modify them at the same time can lead to big problems. And if users would want those evil methods they could extend the class anyway no? so why add those we don't want to maintain +6 methods for just in case users would need them.
but again @basz @prolic @bakura10 @danizord what you think?
There was a problem hiding this comment.
Not sure you understand. This is to be used for example when creating assertion map. I was imagining usage of it for example like this:
Creating a factory where one can do anything they want
use Interop\Container\ContainerInterface;
use Zend\ServiceManager\FactoryInterface;
use Zend\ServiceManager\ServiceLocatorInterface;
use ZfcRbac\Assertion\AssertionSet;
class MyAssertionSetFactory implements FactoryInterface
{
/**
* {@inheritDoc}
*
* @return AssertionSet
*/
public function __invoke(ContainerInterface $container, $name, array $options = null)
{
$assertionManager = $container->get('ZfcRbac\Assertion\AssertionPluginManager');
$assertion1 = $assertionManager->get('myAssertion1');
$assertion2 = $assertionManager->get('myAssertion2');
// create instance, set condition and add assertions
$assertionSet = new AssertionSet();
$assertionSet->setCondition(AssertionSet::CONDITION_OR);
$assertionSet->setAssertions([$assertion1, $assertion2]);
return $assertionSet;
}
/**
* {@inheritDoc}
*
* For use with zend-servicemanager v2; proxies to __invoke().
*
* @param ServiceLocatorInterface $container
* @return \ZfcRbac\Assertion\AssertionSet
*/
public function createService(ServiceLocatorInterface $container)
{
// Retrieve the parent container when under zend-servicemanager v2
if (method_exists($container, 'getServiceLocator')) {
$container = $container->getServiceLocator() ?: $container;
}
return $this($container, AssertionSet::class);
}
}
And then add it to assertion manager and assertion map config:
return [
'zfc_rbac' => [
'assertion_manager' => [
'factories' => [
'myAssertionSet' => MyAssertionSetFactory::class
]
],
'assertion_map' => [
'myPermission' => 'myAssertion', // single assertion
'myPermission2' => 'myAssertionSet' // multiple assertions in set
]
]
];There was a problem hiding this comment.
you could do the same without those methods:
$assertionManager = $container->get('ZfcRbac\Assertion\AssertionPluginManager');
$assertion1 = $assertionManager->get('myAssertion1');
$assertion2 = $assertionManager->get('myAssertion2');
// create instance, set condition and add assertions
$assertionSet = new AssertionSet([
'assertions' => [$assertion1, $assertion2],
'condition' => AssertionSet::CONDITION_OR
]);and this would prevent from changing later.
There was a problem hiding this comment.
+1 for immutable approach. That makes unit testing way easier and confident since you don't need to test a lot of possible different states.
There was a problem hiding this comment.
Fair enough. That is a good point.
Will rewrite.
Thanks.
There was a problem hiding this comment.
I said but will repeat: not good that we can't do this:
$assertionSet = new AssertionSet([
'assertions' => ['myAssertion1', 'myAssertion2'],
'condition' => AssertionSet::CONDITION_OR
]);There was a problem hiding this comment.
@svycka great, I am working on it.
| // retrieve an actual instance from assertion plugin manager if necessary | ||
| foreach ($assertion['assertions'] as $key => $value) { | ||
| if (is_string($value)) { | ||
| $assertion['assertions'][$key] = $this->assertionPluginManager->get($value); |
There was a problem hiding this comment.
fetching assertions would be better when they are really needed in assert() method in this case AssertionSet::assert()
| @@ -88,7 +112,10 @@ public function setAssertion($permission, $assertion) | |||
| */ | |||
| public function setAssertions(array $assertions) | |||
| { | |||
| $this->assertions = $assertions; | |||
There was a problem hiding this comment.
don't know if this is good creating assertions while setting them. Maybe we could create AssertionSet only if we need in assert() method?
| } elseif (is_string($assertion)) { | ||
| $assertion = $this->assertionPluginManager->get($assertion); | ||
|
|
||
| return $assertion->assert($this, $context); | ||
| } |
There was a problem hiding this comment.
maybe add this:
elseif (is_array($assertion)) {
$assertionSet = new AssertionSet($assertion, $this->assertionPluginManager);
return $assertionSet->assert($this, $context);
}see my above comments why
| */ | ||
| public function assert(AuthorizationService $authorizationService, $context = null) | ||
| { | ||
| if (self::CONDITION_AND === $this->condition) { |
There was a problem hiding this comment.
if this class not a final then maybe AssertionSet::CONDITION_AND
| return true; | ||
| } | ||
|
|
||
| if (self::CONDITION_OR === $this->condition) { |
There was a problem hiding this comment.
if this class not a final then maybe AssertionSet::CONDITION_OR
| /** | ||
| * @var $condition string | ||
| */ | ||
| protected $condition = 'AND'; |
There was a problem hiding this comment.
AssertionSet::CONDITION_AND instead of AND
1 similar comment
| return false; | ||
| } | ||
|
|
||
| throw new InvalidArgumentException(sprintf( |
There was a problem hiding this comment.
Should probably be checked at construction time
| * Retrieve an external iterator | ||
| * @return \ArrayIterator | ||
| */ | ||
| public function getIterator() |
There was a problem hiding this comment.
I think there's no reason to expose this method and other getters?
| // if is name of the assertion, retrieve an actual instance from assertion plugin manager | ||
| if (is_string($assertion)) { | ||
| $assertion = $this->assertionPluginManager->get($assertion); | ||
| } elseif (is_array($assertion)) { // else if multiple assertion definition, create assertion set. |
There was a problem hiding this comment.
What about the following approach?
assertion_mapconfig key accepts onlystring => string(permission name => assertion name)- Another config key for
assertion_setsthat acceptsstring => array(assertion name => assertion config) - A default
AssertionSetFactoryimplementation that reads theassertion_setsconfig key and buildsAssertionSet AuthorizationServicealways fetch assertions fromAssertionPluginManager
… assert method of AuthorizationService.
1 similar comment
|
@danizord the approach you describe is interesting, but I have a concern from usability point of view. I mean, I think it may be more confusing and less intuitive for people wanting to use the module to have yet another separate config for sets. Plus I am not sure about performance implications either. |
| * @param mixed $context | ||
| * @return bool | ||
| */ | ||
| public function assert(AuthorizationService $authorizationService, $context = null) |
| @@ -150,10 +177,6 @@ protected function assert($assertion, $context = null) | |||
| return $assertion($this, $context); | |||
| } elseif ($assertion instanceof AssertionInterface) { | |||
| return $assertion->assert($this, $context); | |||
| } elseif (is_string($assertion)) { | |||
There was a problem hiding this comment.
This is now back, you are right, it makes it more performant to have the retrieval only when it's called/needed.
|
First yes you moved I don't like that And I still would like to change protected function assert($assertion, $context = null)
{
$assertion = new AssertionSet($assertion, $this->assertionPluginManager);
return $assertion->assert($this, $context);
}this is also return [
'zfc_rbac' => [
'assertion_map' => [
// single assertion
'myPermission' => 'myAssertion',
// assertion set with default condition `and`
'myPermission2' => [
'myAssertion',
'myAssertion2',
]
]
]
];or if you don't like adding public function getAssertion(string $assertion)
{
return $this->assertionPluginManager->get($assertion);
} |
|
@svycka I see your point in case of |
|
It is not just or condition with and this also valid if first fail all On Oct 31, 2016 02:32, "David Havl" [email protected] wrote:
|
|
Hey guys, I don't think I will have enough time to do more changes on this in next few months (got an urgent project that doesn't use this), so feel free to do a pull |
| * @author David Havl | ||
| * @licence MIT | ||
| */ | ||
| class AssertionSet implements AssertionInterface |
|
the author expressed he didn't have time to continue it. We now have this functionality in the develop branch and #379 could be backported to master if anyone needs it. (hence the label change) |
|
Great, thanks for finishing it up @basz ! I indeed was not able to work on it as much as I would like to any more and it was good enough for the project I was working on at that time. |
An update to V2 to allow set multiple assertions as well as their condition for permissions.