Add ACL Management

- Add Access Controller interface
- Add Access Controller Manager with tests
- Add Capability enum
- Add All Access Controller implementation

Author: zackkatz

src/ACL/AccessControlManager.php

@@ -0,0 +1,84 @@
+<?php
+
+namespace DataKit\DataViews\ACL;
+
+use SplStack;
+
+/**
+ * Manages the current and previously set Access Controllers.
+ *
+ * By default, the manager will return a {@see ReadOnlyAccessController}.
+ *
+ * @since $ver$
+ */
+final class AccessControlManager {
+	/**
+	 * The current stack of Access Control Managers.
+	 *
+	 * @since $ver$
+	 *
+	 * @var SplStack<AccessController>
+	 */
+	private static \SplStack $access_controllers;
+
+	/**
+	 * Prevent creating multiple instances of the manager.
+	 *
+	 * @since $ver$
+	 */
+	private function __construct() {
+	}
+
+	/**
+	 * Lazily initializes the Access Control Manager.
+	 *
+	 * @since $ver$
+	 *
+	 * @return void
+	 */
+	private static function initialize(): void {
+		if ( ! isset( self::$access_controllers ) ) {
+			self::$access_controllers = new \SplStack();
+			self::set( new ReadOnlyAccessController() );
+		}
+	}
+
+	/**
+	 * Sets the current AccessController.
+	 *
+	 * @since $ver$
+	 *
+	 * @param AccessController $access_controller The access controller.
+	 */
+	public static function set( AccessController $access_controller ): void {
+		self::initialize();
+
+		self::$access_controllers->push( $access_controller );
+	}
+
+	/**
+	 * Returns the current Access Controller.
+	 *
+	 * @since $ver$
+	 *
+	 * @return AccessController The current AccessController.
+	 */
+	public static function current(): AccessController {
+		self::initialize();
+
+		return self::$access_controllers->top();
+	}
+
+	/**
+	 * Resets the current Access Controller to the previous.
+	 *
+	 * @since $ver$
+	 */
+	public static function reset(): void {
+		self::initialize();
+
+		if ( self::$access_controllers->count() > 1 ) {
+			self::$access_controllers->pop();
+		}
+	}
+}

src/ACL/AccessController.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace DataKit\DataViews\ACL;
+
+use DataKit\DataViews\DataView\DataView;
+use DataKit\DataViews\Field\Field;
+
+/**
+ * Manages the access the current user has on {@see DataView} and {@see Field} objects.
+ *
+ * @since $ver$
+ */
+interface AccessController {
+	/**
+	 * Returns whether the user has the provided capability.
+	 *
+	 * @since $ver$
+	 *
+	 * @param Capability $capability The capability to test.
+	 * @param mixed      ...$context The available context for the test.
+	 *
+	 * @return bool Whether the user has the capability.
+	 */
+	public function can( Capability $capability, ...$context ): bool;
+}

src/ACL/Capability.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace DataKit\DataViews\ACL;
+
+use DataKit\DataViews\EnumObject;
+
+/**
+ * Represents a capability a user can have.
+ *
+ * @since $ver$
+ *
+ * @method static self view_dataview() Whether the user can view a DataView.
+ * @method static self edit_dataview() Whether the user can edit a DataView.
+ * @method static self view_dataview_field() Whether the user can view a DataView field.
+ */
+final class Capability extends EnumObject {
+	/**
+	 * {@inheritDoc}
+	 *
+	 * @since $ver$
+	 */
+	protected static function cases(): array {
+		return [
+			'view_dataview'       => 'view_dataview',
+			'edit_dataview'       => 'edit_dataview',
+			'view_dataview_field' => 'view_dataview_field',
+		];
+	}
+}

src/ACL/ReadOnlyAccessController.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace DataKit\DataViews\ACL;
+
+/**
+ * AccessControlManager that allows full access to anyone.
+ *
+ * @since $ver$
+ */
+final class ReadOnlyAccessController implements AccessController {
+	/**
+	 * {@inheritDoc}
+	 *
+	 * @since $ver$
+	 */
+	public function can( Capability $capability, ...$context ): bool {
+		return strpos( $capability->as_string(), 'view_' ) === 0;
+	}
+}

src/DataView/DataView.php

@@ -2,6 +2,8 @@
 
 namespace DataKit\DataViews\DataView;
 
+use DataKit\DataViews\ACL\AccessControlManager;
+use DataKit\DataViews\ACL\Capability;
 use DataKit\DataViews\Data\DataSource;
 use DataKit\DataViews\Data\Exception\DataSourceException;
 use DataKit\DataViews\Data\MutableDataSource;
@@ -336,7 +338,7 @@ public function get_data( ?DataSource $data_source = null, ?Pagination $paginati
 			 */
 			$data = $data_source->get_data_by_id( $data_id );
 
-			foreach ( $this->directory_fields as $field ) {
+			foreach ( $this->allowed_fields( $this->directory_fields ) as $field ) {
 				$data[ $field->uuid() ] = $field->get_value( $data );
 			}
 
@@ -359,31 +361,32 @@ public function get_data( ?DataSource $data_source = null, ?Pagination $paginati
 	 * @throws DataSourceException When the data source encounters an issue.
 	 */
 	public function get_view_data_item( string $data_id ): DataItem {
-		$data = $this->data_source()->get_data_by_id( $data_id );
+		$data   = $this->data_source()->get_data_by_id( $data_id );
+		$fields = $this->allowed_fields( $this->view_fields );
 
-		foreach ( $this->view_fields as $field ) {
+		foreach ( $fields as $field ) {
 			$data[ $field->uuid() ] = $field->get_value( $data );
 		}
 
 		return DataItem::from_array(
 			[
-				'fields' => $this->view_fields,
+				'fields' => $fields,
 				'data'   => $data,
 			],
 		);
 	}
 
 	/**
-	 * Returns all the fields for the dictionary view.
+	 * Returns all the fields for the directory view.
 	 *
 	 * @since $ver$
 	 *
 	 * @return array[] The fields as arrays.
 	 */
-	private function dictionary_fields(): array {
+	private function directory_fields_for_json(): array {
 		$fields = [];
 
-		foreach ( $this->directory_fields as $field ) {
+		foreach ( $this->allowed_fields( $this->directory_fields ) as $field ) {
 			$fields[] = array_filter(
 				$field->to_array(),
 				static fn( $value ) => ! is_null( $value ),
@@ -426,7 +429,7 @@ private function default_layouts(): array {
 	private function get_field_ids( ?callable $filter = null ): array {
 		$hidden_fields = [];
 
-		foreach ( $this->directory_fields as $field ) {
+		foreach ( $this->allowed_fields( $this->directory_fields ) as $field ) {
 			if ( $filter && ! $filter( $field ) ) {
 				continue;
 			}
@@ -520,7 +523,7 @@ public function to_array(): array {
 			'defaultLayouts' => $this->default_layouts(),
 			'paginationInfo' => $this->pagination->info( $this->data_source() ),
 			'view'           => $this->view(),
-			'fields'         => $this->dictionary_fields(),
+			'fields'         => $this->directory_fields_for_json(),
 			'data'           => $this->get_data(),
 			'actions'        => $this->actions ? $this->actions->to_array() : [],
 		];
@@ -660,4 +663,22 @@ private function layout( View $view ): array {
 
 		return array_filter( $output );
 	}
+
+	/**
+	 * Filters out the fields the current user cannot view.
+	 *
+	 * @since $ver$
+	 *
+	 * @return Field[] The fields.
+	 */
+	private function allowed_fields( array $fields ): array {
+		return array_filter(
+			$fields,
+			fn( Field $field ) => AccessControlManager::current()->can(
+				Capability::view_dataview_field(),
+				$this,
+				$field
+			)
+		);
+	}
 }

tests/ACL/AccessControlManagerTest.php

@@ -0,0 +1,57 @@
+<?php
+
+namespace DataKit\DataViews\Tests\ACL;
+
+use DataKit\DataViews\ACL\AccessController;
+use DataKit\DataViews\ACL\AccessControlManager;
+use DataKit\DataViews\ACL\Capability;
+use DataKit\DataViews\ACL\ReadOnlyAccessController;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Unit tests for {@see AccessControlManager}
+ *
+ * @since $ver$
+ */
+final class AccessControlManagerTest extends TestCase {
+	/**
+	 * Creates an in-memory access controller instance.
+	 *
+	 * @since $ver$
+	 *
+	 * @return AccessController
+	 */
+	private static function create_access_controller(): AccessController {
+		return new class implements AccessController {
+			public function can( Capability $capability, ...$context ): bool {
+				return false;
+			}
+		};
+	}
+
+	/**
+	 * Test case for
+	 *
+	 * @since $ver$
+	 */
+	public function test_manager(): void {
+		self::assertInstanceOf( ReadOnlyAccessController::class, AccessControlManager::current() );
+
+		$fake   = self::create_access_controller();
+		$fake_2 = self::create_access_controller();
+
+		AccessControlManager::set( $fake );
+		AccessControlManager::set( $fake_2 );
+
+		self::assertNotInstanceOf( ReadOnlyAccessController::class, AccessControlManager::current() );
+		self::assertSame( $fake_2, AccessControlManager::current() );
+
+		AccessControlManager::reset();
+		self::assertSame( $fake, AccessControlManager::current() );
+
+		AccessControlManager::reset();
+		AccessControlManager::reset(); // Can't reset beyond all access.
+
+		self::assertInstanceOf( ReadOnlyAccessController::class, AccessControlManager::current() );
+	}
+}

tests/ACL/ReadOnlyAccessControllerTest.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace DataKit\DataViews\Tests\ACL;
+
+use DataKit\DataViews\ACL\Capability;
+use DataKit\DataViews\ACL\ReadOnlyAccessController;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Unit tests for {@see ReadOnlyAccessController}
+ *
+ * @since $ver$
+ */
+final class ReadOnlyAccessControllerTest extends TestCase {
+	/**
+	 * Test case for
+	 *
+	 * @since $ver$
+	 */
+	public function test_controller(): void {
+		$controller = new ReadOnlyAccessController();
+
+		self::assertTrue( $controller->can( Capability::view_dataview() ) );
+		self::assertTrue( $controller->can( Capability::view_dataview_field() ) );
+		self::assertFalse( $controller->can( Capability::edit_dataview() ) );
+	}
+}