Symfony单元测试安全性（ACL - 注释）

I'd like to check a method with access control, e.g. a method is only granted with a specific role. Therefore, I know two ways in Symfony:

我想检查一个带访问控制的方法，例如：方法仅授予特定角色。因此，我在Symfony中了解两种方式：

@Security annotation above the method (SensioFrameworkExtraBundle) OR
方法上方的@Security注释（SensioFrameworkExtraBundle）或
Calling authorization_checker explizit within my method
在我的方法中调用authorization_checker exploizit

When it comes to unit tests (for my case phpspec, but I think phpunit behaviour is the almost the same in that case), I would like to test that only anonymous users should be able to call a method. With number 2. , it's working fine. Here my setup:

当谈到单元测试时（对于我的案例phpspec，但我认为phpunit行为在这种情况下几乎相同），我想测试只有匿名用户应该能够调用方法。数字2，它工作正常。在这里我的设置：

RegistrationHandlerSpec:

RegistrationHandlerSpec：

class RegistrationHandlerSpec extends ObjectBehavior
{     
   function let(Container $container, AuthorizationCheckerInterface $auth) {
     $container->get('security.authorization_checker')->willReturn($auth);
     $this->setContainer($container);
   }

   function it_should_block_authenticated_users(AuthorizationCheckerInterface $auth)
   {
     $auth->isGranted("ROLE_USER")->willReturn(true);
     $this->shouldThrow('Symfony\Component\Security\Core\Exception\AccessDeniedException')->during('process', array());
   }  
}

And within the RegistrationHandler, I have the following method:

在RegistrationHandler中，我有以下方法：

class RegistrationHandler
{
  public function process()
  {
     $authorizationChecker = $this->get('security.authorization_checker');
     if ($authorizationChecker->isGranted('ROLE_USER')) {
         throw new AccessDeniedException();
     }
     // ...
  }
}

Well, this approach is working fine - BUT normally, I would prefer using 1. with Security annotation (Sensio FrameworkExtraBundle), and therefore, it's not working / I don't know why no Exception gets triggered when it's written as an annotation:

好吧，这种方法工作正常 - 但通常情况下，我更喜欢使用1.带有安全注释（Sensio FrameworkExtraBundle），因此，它不起作用/我不知道为什么没有在将它作为注释编写时触发异常：

/**
 * @Security("!has_role('ROLE_USER')")
 */
public function process()
{
   // ...
}

Does anyone know how to get this example to work by using the first approach with @Security annotation, which is way more readable and best practice recommended of symfony?

有没有人知道如何通过使用@Security注释的第一种方法来使这个例子工作，这是更可读和symfony推荐的最佳实践？

1 个解决方案

#1

In both cases you're testing a behaviour that's provided by third party code (the Symfony framework). Following the rule don't mock what you don't own, rather than writing a unit test you should write an integration test. Otherwise you'll be only making assumptions on how the code works with no proof it really works this way.

在这两种情况下，您都在测试由第三方代码（Symfony框架）提供的行为。遵循规则不要模拟你不拥有的东西，而不是编写单元测试，你应该编写集成测试。否则你只会假设代码是如何工作的，没有证明它真正起作用。

In your case your integration test could be a controller test. You'd call the URL with a web test client (provided by the WebTestCase) and verify that in certain conditions you're getting a 401 or 403 response.

在您的情况下，您的集成测试可能是控制器测试。您可以使用Web测试客户端（由WebTestCase提供）调用URL，并验证在某些情况下您获得401或403响应。

PHPSpec is a unit testing tool (a.k.a. a design tool). You need to write integration tests with something else (for example PHPUnit). I usually have at least three testing tools installed in my project:

PHPSpec是一种单元测试工具（也就是设计工具）。您需要使用其他东西编写集成测试（例如PHPUnit）。我的项目通常至少安装了三个测试工具：

PhpSpec for unit testing
PhpSpec用于单元测试
PHPUnit for integration testing
PHPUnit用于集成测试
Behat for acceptance testing (a form of integration testing)
适用于验收测试（一种集成测试）

#1

在您的情况下，您的集成测试可能是控制器测试。您可以使用Web测试客户端（由WebTestCase提供）调用URL，并验证在某些情况下您获得401或403响应。

PHPSpec是一种单元测试工具（也就是设计工具）。您需要使用其他东西编写集成测试（例如PHPUnit）。我的项目通常至少安装了三个测试工具：

PhpSpec for unit testing
PhpSpec用于单元测试
PHPUnit for integration testing
PHPUnit用于集成测试
Behat for acceptance testing (a form of integration testing)
适用于验收测试（一种集成测试）

秒客网

Symfony单元测试安全性（ACL - 注释）

1 个解决方案

#1

#1

相关文章