Merge pull request #6312 from rxu/ticket/16895
[ticket/16895] Fix role removal for migrator permission tool
commit
c1b88de806
phpBB
tests/dbal
@ -77,5 +77,6 @@ $lang = array_merge($lang, array(
|
||||
'PARENT_MODULE_FIND_ERROR' => 'Unable to determine the parent module identifier: %s',
|
||||
'PERMISSION_NOT_EXIST' => 'The permission setting "%s" unexpectedly does not exist.',
|
||||
|
||||
'ROLE_ASSIGNED_NOT_EXIST' => 'The permission role assigned to group "%1$s" unexpectedly does not exist. Role id: "%2$s"',
|
||||
'ROLE_NOT_EXIST' => 'The permission role "%s" unexpectedly does not exist.',
|
||||
));
|
||||
|
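--- a/phpBB/phpbb/db/migration/data/v33x/remove_orphaned_roles.php
+++ b/phpBB/phpbb/db/migration/data/v33x/remove_orphaned_roles.php
@@ -0,0 +1,74 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v33x;
+
+class remove_orphaned_roles extends \phpbb\db\migration\migration
+{
+static public function depends_on()
+{
+return ['\phpbb\db\migration\data\v33x\v335'];
+}
+
+public function update_data()
+{
+return [
+['custom', [[$this, 'acl_remove_orphaned_roles']]],
+];
+}
+
+public function acl_remove_orphaned_roles()
+{
+$role_ids = [];
+
+$sql = 'SELECT auth_role_id
+FROM ' . ACL_GROUPS_TABLE . '
+WHERE auth_role_id <> 0
+AND forum_id = 0';
+$result = $this->db->sql_query($sql);
+$auth_role_ids = array_keys($this->db->sql_fetchrowset($result));
+$this->db->sql_freeresult($result);
+
+if (count($auth_role_ids))
+{
+$sql = 'SELECT role_id
+FROM ' . ACL_ROLES_TABLE . '
+WHERE ' . $this->db->sql_in_set('role_id', $auth_role_ids);
+$result = $this->db->sql_query($sql);
+$role_ids = array_keys($this->db->sql_fetchrowset($result));
+$this->db->sql_freeresult($result);
+}
+
+$non_existent_role_ids = array_diff($auth_role_ids, $role_ids);
+
+// Nothing to do, there are no non-existent roles assigned to groups
+if (empty($non_existent_role_ids))
+{
+return true;
+}
+
+// Remove assigned non-existent roles from users and groups
+$sql = 'DELETE FROM ' . ACL_USERS_TABLE . '
+WHERE ' . $this->db->sql_in_set('auth_role_id', $non_existent_role_ids);
+$this->db->sql_query($sql);
+
+$sql = 'DELETE FROM ' . ACL_GROUPS_TABLE . '
+WHERE ' . $this->db->sql_in_set('auth_role_id', $non_existent_role_ids);
+$this->db->sql_query($sql);
+
+$auth = new \phpbb\auth\auth();
+$auth->acl_clear_prefetch();
+
+return true;
+}
+}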
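Review bot: In `acl_remove_orphaned_roles()`, both id lists are built with `array_keys($this->db->sql_fetchrowset($result))`, which yields row positions (0, 1, 2, …) rather than the `auth_role_id` / `role_id` column values, assuming `sql_fetchrowset()` returns a plain list of row arrays. `$non_existent_role_ids` is then derived from those positions, so the two DELETE statements can strip still-valid role assignments from users and groups, or leave orphaned ones in place. Read the column instead: `$auth_role_ids = array_column($this->db->sql_fetchrowset($result), 'auth_role_id');` and `$role_ids = array_column($this->db->sql_fetchrowset($result), 'role_id');`. The scan also looks only at group rows with `forum_id = 0`, while the cleanup deletes across all forums and from `ACL_USERS_TABLE`; a short comment stating why that scope is sufficient would help the next reader.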
@ -21,6 +21,9 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
/** @var \phpbb\auth\auth */
|
||||
protected $auth;
|
||||
|
||||
/** @var \includes\acp\auth\auth_admin */
|
||||
protected $auth_admin;
|
||||
|
||||
/** @var \phpbb\cache\service */
|
||||
protected $cache;
|
||||
|
||||
@ -49,6 +52,12 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
$this->auth = $auth;
|
||||
$this->phpbb_root_path = $phpbb_root_path;
|
||||
$this->php_ext = $php_ext;
|
||||
|
||||
if (!class_exists('auth_admin'))
|
||||
{
|
||||
include($this->phpbb_root_path . 'includes/acp/auth.' . $this->php_ext);
|
||||
}
|
||||
$this->auth_admin = new \auth_admin();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -118,12 +127,6 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
// We've added permissions, so set to true to notify the user.
|
||||
$this->permissions_added = true;
|
||||
|
||||
if (!class_exists('auth_admin'))
|
||||
{
|
||||
include($this->phpbb_root_path . 'includes/acp/auth.' . $this->php_ext);
|
||||
}
|
||||
$auth_admin = new \auth_admin();
|
||||
|
||||
// We have to add a check to see if the !$global (if global, local, and if local, global) permission already exists. If it does, acl_add_option currently has a bug which would break the ACL system, so we are having a work-around here.
|
||||
if ($this->exists($auth_option, !$global))
|
||||
{
|
||||
@ -140,19 +143,19 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
{
|
||||
if ($global)
|
||||
{
|
||||
$auth_admin->acl_add_option(array('global' => array($auth_option)));
|
||||
$this->auth_admin->acl_add_option(array('global' => array($auth_option)));
|
||||
}
|
||||
else
|
||||
{
|
||||
$auth_admin->acl_add_option(array('local' => array($auth_option)));
|
||||
$this->auth_admin->acl_add_option(array('local' => array($auth_option)));
|
||||
}
|
||||
}
|
||||
|
||||
// The permission has been added, now we can copy it if needed
|
||||
if ($copy_from && isset($auth_admin->acl_options['id'][$copy_from]))
|
||||
if ($copy_from && isset($this->auth_admin->acl_options['id'][$copy_from]))
|
||||
{
|
||||
$old_id = $auth_admin->acl_options['id'][$copy_from];
|
||||
$new_id = $auth_admin->acl_options['id'][$auth_option];
|
||||
$old_id = $this->auth_admin->acl_options['id'][$copy_from];
|
||||
$new_id = $this->auth_admin->acl_options['id'][$auth_option];
|
||||
|
||||
$tables = array(ACL_GROUPS_TABLE, ACL_ROLES_DATA_TABLE, ACL_USERS_TABLE);
|
||||
|
||||
@ -177,7 +180,7 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
}
|
||||
}
|
||||
|
||||
$auth_admin->acl_clear_prefetch();
|
||||
$this->auth_admin->acl_clear_prefetch();
|
||||
}
|
||||
}
|
||||
|
||||
@ -291,6 +294,8 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
|
||||
$sql = 'INSERT INTO ' . ACL_ROLES_TABLE . ' ' . $this->db->sql_build_array('INSERT', $sql_ary);
|
||||
$this->db->sql_query($sql);
|
||||
|
||||
return $this->db->sql_nextid();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -327,6 +332,66 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
return;
|
||||
}
|
||||
|
||||
// Get the role type
|
||||
$sql = 'SELECT role_type
|
||||
FROM ' . ACL_ROLES_TABLE . '
|
||||
WHERE role_id = ' . (int) $role_id;
|
||||
$result = $this->db->sql_query($sql);
|
||||
$role_type = $this->db->sql_fetchfield('role_type');
|
||||
$this->db->sql_freeresult($result);
|
||||
|
||||
// Get complete auth array
|
||||
$sql = 'SELECT auth_option, auth_option_id
|
||||
FROM ' . ACL_OPTIONS_TABLE . "
|
||||
WHERE auth_option " . $this->db->sql_like_expression($role_type . $this->db->get_any_char());
|
||||
$result = $this->db->sql_query($sql);
|
||||
|
||||
$auth_settings = [];
|
||||
while ($row = $this->db->sql_fetchrow($result))
|
||||
{
|
||||
$auth_settings[$row['auth_option']] = ACL_NO;
|
||||
}
|
||||
$this->db->sql_freeresult($result);
|
||||
|
||||
// Get the role auth settings we need to re-set...
|
||||
$sql = 'SELECT o.auth_option, r.auth_setting
|
||||
FROM ' . ACL_ROLES_DATA_TABLE . ' r, ' . ACL_OPTIONS_TABLE . ' o
|
||||
WHERE o.auth_option_id = r.auth_option_id
|
||||
AND r.role_id = ' . (int) $role_id;
|
||||
$result = $this->db->sql_query($sql);
|
||||
|
||||
while ($row = $this->db->sql_fetchrow($result))
|
||||
{
|
||||
$auth_settings[$row['auth_option']] = $row['auth_setting'];
|
||||
}
|
||||
$this->db->sql_freeresult($result);
|
||||
|
||||
// Get role assignments
|
||||
$hold_ary = $this->auth_admin->get_role_mask($role_id);
|
||||
|
||||
// Re-assign permissions
|
||||
foreach ($hold_ary as $forum_id => $forum_ary)
|
||||
{
|
||||
if (isset($forum_ary['users']))
|
||||
{
|
||||
$this->auth_admin->acl_set('user', $forum_id, $forum_ary['users'], $auth_settings, 0, false);
|
||||
}
|
||||
|
||||
if (isset($forum_ary['groups']))
|
||||
{
|
||||
$this->auth_admin->acl_set('group', $forum_id, $forum_ary['groups'], $auth_settings, 0, false);
|
||||
}
|
||||
}
|
||||
|
||||
// Remove role from users and groups just to be sure (happens through acl_set)
|
||||
$sql = 'DELETE FROM ' . ACL_USERS_TABLE . '
|
||||
WHERE auth_role_id = ' . $role_id;
|
||||
$this->db->sql_query($sql);
|
||||
|
||||
$sql = 'DELETE FROM ' . ACL_GROUPS_TABLE . '
|
||||
WHERE auth_role_id = ' . $role_id;
|
||||
$this->db->sql_query($sql);
|
||||
|
||||
$sql = 'DELETE FROM ' . ACL_ROLES_DATA_TABLE . '
|
||||
WHERE role_id = ' . $role_id;
|
||||
$this->db->sql_query($sql);
|
||||
@ -425,6 +490,11 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
WHERE role_id = ' . $role_id;
|
||||
$this->db->sql_query($sql);
|
||||
$role_data = $this->db->sql_fetchrow();
|
||||
if (!$role_data)
|
||||
{
|
||||
throw new \phpbb\db\migration\exception('ROLE_ASSIGNED_NOT_EXIST', $name, $role_id);
|
||||
}
|
||||
|
||||
$role_name = $role_data['role_name'];
|
||||
$role_type = $role_data['role_type'];
|
||||
|
||||
@ -571,6 +641,10 @@ class permission implements \phpbb\db\migration\tool\tool_interface
|
||||
WHERE role_id = ' . $role_id;
|
||||
$this->db->sql_query($sql);
|
||||
$role_name = $this->db->sql_fetchfield('role_name');
|
||||
if (!$role_name)
|
||||
{
|
||||
throw new \phpbb\db\migration\exception('ROLE_ASSIGNED_NOT_EXIST', $name, $role_id);
|
||||
}
|
||||
|
||||
return $this->permission_unset($role_name, $auth_option, 'role');
|
||||
}
|
||||
|
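Review bot: In the role-removal hunk (`@ -327,6 +332,66 @`), the new SELECTs cast with `(int) $role_id`, but the DELETE statements on `ACL_USERS_TABLE` and `ACL_GROUPS_TABLE` that appear to be added alongside them concatenate `$role_id` uncast; use `WHERE auth_role_id = ' . (int) $role_id;` in both so every query in the method treats the id the same way. The same hunk uses `$role_type` straight from `sql_fetchfield('role_type')`: if that lookup can return false, the LIKE expression is built from the wildcard alone and `$auth_settings` is seeded with every auth option before being written back through `acl_set()`, so a guard such as `if ($role_type === false) { return; }` ahead of the second query is worth adding. The method starts and ends outside the hunk, so where `$role_id` originates is not visible here.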
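--- a/tests/dbal/migrator_tool_permission_role_test.php
+++ b/tests/dbal/migrator_tool_permission_role_test.php
@@ -0,0 +1,198 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+class phpbb_dbal_migrator_tool_permission_role_test extends phpbb_database_test_case
+{
+/** @var \phpbb\auth\auth */
+protected $auth;
+
+/** @var \includes\acp\auth\auth_admin */
+protected $auth_admin;
+
+/** @var \phpbb\db\migration\tool\permission */
+protected $tool;
+
+public $group_ids = [
+'REGISTERED' => 2,
+'GLOBAL_MODERATORS' => 4,
+'ADMINISTRATORS' => 5,
+];
+
+public $new_roles = [
+[
+'ROLE_ADMIN_NEW',
+'a_',
+'A new admin role',
+'a_new',
+],
+[
+'ROLE_MODERATOR_NEW',
+'m_',
+'A new mod role',
+'m_new',
+],
+[
+'ROLE_USER_NEW',
+'u_',
+'A new user role',
+'u_new',
+],
+];
+
+public $new_role_ids = [];
+
+public function getDataSet()
+{
+return $this->createXMLDataSet(__DIR__.'/fixtures/migrator_permission.xml');
+}
+
+protected function setUp(): void
+{
+// Global $db and $cache are needed in acp/auth.php constructor
+global $phpbb_root_path, $phpEx, $db, $cache;
+
+parent::setup();
+
+$db = $this->db = $this->new_dbal();
+$cache = $this->cache = new \phpbb\cache\service(new \phpbb\cache\driver\dummy(), new \phpbb\config\config(array()), $this->db, $phpbb_root_path, $phpEx);
+$this->auth = new \phpbb\auth\auth();
+
+// Initialize this auth_admin instance later after adding new auth options via this->tool->add()
+if (!class_exists('auth_admin'))
+{
+include($phpbb_root_path . 'includes/acp/auth.' . $phpEx);
+}
+
+$this->tool = new \phpbb\db\migration\tool\permission($this->db, $this->cache, $this->auth, $phpbb_root_path, $phpEx);
+
+$this->new_roles_add();
+}
+
+public function new_roles_add()
+{
+foreach ($this->new_roles as $new_role_data)
+{
+$role_name = $new_role_data[0];
+$role_type = $new_role_data[1];
+$role_description = $new_role_data[2];
+$role_auth_option = $new_role_data[3];
+
+$this->tool->add($role_auth_option);
+$this->new_role_ids[$role_name] = $this->tool->role_add($role_name, $role_type, $role_description);
+}
+
+// Initialize external auth_admin instance here to keep acl_options array in sync with the one from the permission tool
+$this->auth_admin = new \auth_admin();
+}
+
+public function data_test_new_role_exists()
+{
+return [
+['ROLE_ADMIN_NEW', true],
+['ROLE_MODERATOR_NEW', true],
+['ROLE_USER_NEW', true],
+];
+}
+
+/**
+* @dataProvider data_test_new_role_exists
+*/
+public function test_permission_new_role_exists($role_name, $expected)
+{
+$this->assertEquals($expected, (bool) $this->tool->role_exists($role_name));
+}
+
+public function data_test_permission_assign_new_roles()
+{
+return [
+[
+'group',
+0,
+'ADMINISTRATORS',
+['a_new' => true],
+'ROLE_ADMIN_NEW',
+],
+[
+'group',
+0,
+'GLOBAL_MODERATORS',
+['m_new' => true],
+'ROLE_MODERATOR_NEW',
+],
+[
+'group',
+0,
+'REGISTERED',
+['u_new' => true],
+'ROLE_USER_NEW',
+],
+];
+}
+
+/**
+* @dataProvider data_test_permission_assign_new_roles
+*/
+public function test_permission_assign_new_roles($ug_type, $forum_id, $group_name, $auth, $role_name, $clear_prefetch = true)
+{
+$auth_option = key($auth);
+$group_id = (int) $this->group_ids[$group_name];
+$role_id = (int) $this->new_role_ids[$role_name];
+$expected = current($auth);
+
+// Set auth options for each role
+$this->tool->permission_set($role_name, $auth_option, 'role', true);
+
+// Assign roles to groups
+$this->auth_admin->acl_set($ug_type, $forum_id, $group_id, $auth, $role_id, $clear_prefetch);
+
+// Test if role based group permissions assigned correctly
+$new_perm_state = $this->auth->acl_group_raw_data($group_id, $auth_option);
+$this->assertEquals($expected, !empty($new_perm_state), "$auth_option is " . ($expected ? 'empty' : 'not empty') . " for $group_name");
+}
+
+/**
+* @dataProvider data_test_permission_assign_new_roles
+* @depends test_permission_new_role_exists
+* @depends test_permission_assign_new_roles
+*/
+public function test_permission_new_role_remove($ug_type, $forum_id, $group_name, $auth, $role_name)
+{
+$auth_option = key($auth);
+$group_id = (int) $this->group_ids[$group_name];
+$role_id = (int) $this->new_role_ids[$role_name];
+
+$sql = 'SELECT agt.auth_role_id
+FROM ' . ACL_GROUPS_TABLE . ' agt, ' . ACL_ROLES_TABLE . ' art
+WHERE agt.auth_role_id = art.role_id
+AND art.role_id = ' . $role_id;
+
+// Set auth options for each role
+$this->tool->permission_set($role_name, $auth_option, 'role', true);
+
+// Assign roles to groups
+$this->auth_admin->acl_set($ug_type, $forum_id, $group_id, $auth, $role_id);
+
+// Check if the role is assigned to the group
+$result = $this->db->sql_query($sql);
+$this->assertEquals($role_id, $this->db->sql_fetchfield('auth_role_id'));
+$this->db->sql_freeresult($result);
+
+$this->tool->role_remove($role_name);
+$this->assertFalse((bool) $this->tool->role_exists($role_name));
+
+// Check if the role is unassigned
+$result = $this->db->sql_query($sql);
+$this->assertFalse($this->db->sql_fetchfield('auth_role_id'));
+$this->db->sql_freeresult($result);
+}
+}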
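Review bot: `test_permission_new_role_remove` asserts only that the role and its group assignment are gone after `role_remove()`; it never checks that the group still holds the permission afterwards, which is the behaviour the new re-assignment code in the permission tool exists to preserve. Consider adding, after the final `sql_freeresult`, an assertion such as `$this->assertNotEmpty($this->auth->acl_group_raw_data($group_id, $auth_option));` (to be confirmed against how `acl_group_raw_data` reports directly assigned settings). The data provider also covers only `group` assignments with forum id 0, so the `users` branch and per-forum masks handled by the removal loop are not exercised.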