Add subshop support for role

Author: godefroy-le-hardi

README.md

@@ -40,6 +40,14 @@ curl -X POST https://your-shop.com/api/login \
   -d '{"username": "user@example.com", "password": "password"}'
 ```
 
+To authenticate against a specific subshop, pass the `shp` query parameter:
+
+```bash
+curl -X POST "https://your-shop.com/api/login?shp=2" \
+  -H "Content-Type: application/json" \
+  -d '{"username": "user@example.com", "password": "password"}'
+```
+
 Response:
 
 ```json

src/Security/User/ApiUserProvider.php

@@ -33,9 +33,10 @@ public function loadUserByIdentifier(string $identifier): UserInterface
             ->from('oxuser')
             ->where('OXUSERNAME = :username')
             ->andWhere('OXACTIVE = 1')
-            ->andWhere('OXSHOPID = :shopId')
+            ->andWhere('(OXSHOPID = :shopId OR OXRIGHTS = :mallAdmin)')
             ->setParameter('username', $identifier)
-            ->setParameter('shopId', $this->context->getCurrentShopId());
+            ->setParameter('shopId', $this->context->getCurrentShopId())
+            ->setParameter('mallAdmin', 'malladmin');
 
         $userData = $queryBuilder->execute()->fetchAssociative();
 

src/Security/User/RoleResolver.php

@@ -9,22 +9,25 @@
 
 namespace OxidEsales\AuthComponent\Security\User;
 
+use OxidEsales\EshopCommunity\Internal\Transition\Utility\ContextInterface;
+
 final readonly class RoleResolver implements RoleResolverInterface
 {
     /**
      * @param array<string, list<string>> $roleMapping Map of rights string to additional roles
      */
     public function __construct(
+        private ContextInterface $context,
         private array $roleMapping = []
     ) {
     }
 
     public function resolveRoles(string $rights): array
     {
-        $roles = ['ROLE_USER'];
+        $roles = array_merge(['ROLE_USER'], $this->roleMapping[$rights] ?? []);
 
-        if (isset($this->roleMapping[$rights])) {
-            $roles = array_merge($roles, $this->roleMapping[$rights]);
+        if ($rights === (string) $this->context->getCurrentShopId()) {
+            $roles[] = 'ROLE_ADMIN';
         }
 
         return $roles;

src/Security/User/services.yaml

@@ -4,7 +4,6 @@ parameters:
       - ROLE_ADMIN
   oxid_jwt_authenticator.role_mapping:
     malladmin: ['ROLE_ADMIN', 'ROLE_ADMIN_MALL']
-    '1': ['ROLE_ADMIN']
 
 services:
   _defaults:

tests/Integration/Security/ApiAuthenticationTest.php

@@ -55,11 +55,10 @@ protected function setUp(): void
         $container = ContainerFactory::getInstance()->getContainer();
         $this->queryBuilderFactory = $container->get(QueryBuilderFactoryInterface::class);
 
-        $roleResolver = new RoleResolver([
+        $context = $container->get(ContextInterface::class);
+        $roleResolver = new RoleResolver($context, [
             'malladmin' => ['ROLE_ADMIN', 'ROLE_ADMIN_MALL'],
-            '1' => ['ROLE_ADMIN'],
         ]);
-        $context = $container->get(ContextInterface::class);
         $this->userProvider = new ApiUserProvider($this->queryBuilderFactory, $roleResolver, $context);
 
         $passwordHasher = new OxidPasswordHasher($container->get(PasswordServiceBridgeInterface::class));

tests/Integration/Security/ApiUserProviderTest.php

@@ -28,6 +28,8 @@ final class ApiUserProviderTest extends TestCase
     private string $testMallAdminUsername;
     private string $testAdminId;
     private string $testAdminUsername;
+    private string $testSubshopAdminId;
+    private string $testSubshopAdminUsername;
 
     protected function setUp(): void
     {
@@ -37,16 +39,16 @@ protected function setUp(): void
         $this->queryBuilderFactory = $container->get(QueryBuilderFactoryInterface::class);
         $context = $container->get(ContextInterface::class);
 
-        $roleResolver = new RoleResolver([
+        $roleResolver = new RoleResolver($context, [
             'malladmin' => ['ROLE_ADMIN', 'ROLE_ADMIN_MALL'],
-            '1' => ['ROLE_ADMIN'],
         ]);
         $this->userProvider = new ApiUserProvider($this->queryBuilderFactory, $roleResolver, $context);
 
         $timestamp = uniqid('', true);
         $this->testUsername = "test-user-provider-{$timestamp}@example.com";
         $this->testMallAdminUsername = "test-malladmin-{$timestamp}@example.com";
         $this->testAdminUsername = "test-admin-{$timestamp}@example.com";
+        $this->testSubshopAdminUsername = "test-subshopadmin-{$timestamp}@example.com";
 
         $this->createTestUsers();
     }
@@ -127,6 +129,62 @@ public function testRefreshUserWithMallAdmin(): void
         $this->assertContains('ROLE_ADMIN_MALL', $refreshedUser->getRoles());
     }
 
+    public function testSubshopAdminDoesNotGetAdminRoleOnDifferentShop(): void
+    {
+        $user = $this->userProvider->loadUserByIdentifier($this->testSubshopAdminUsername);
+
+        $this->assertContains('ROLE_USER', $user->getRoles());
+        $this->assertNotContains('ROLE_ADMIN', $user->getRoles());
+    }
+
+    public function testMallAdminIsFoundRegardlessOfShopId(): void
+    {
+        $connection = $this->queryBuilderFactory->create()->getConnection();
+        $id = uniqid('malladmin_other_', true);
+        $username = "test-malladmin-othershop-{$id}@example.com";
+
+        $connection->insert('oxuser', [
+            'OXID' => $id,
+            'OXUSERNAME' => $username,
+            'OXPASSWORD' => hash('sha512', 'testpassword'),
+            'OXRIGHTS' => 'malladmin',
+            'OXACTIVE' => 1,
+            'OXSHOPID' => 999,
+        ]);
+
+        try {
+            $user = $this->userProvider->loadUserByIdentifier($username);
+
+            $this->assertContains('ROLE_ADMIN', $user->getRoles());
+            $this->assertContains('ROLE_ADMIN_MALL', $user->getRoles());
+        } finally {
+            $connection->delete('oxuser', ['OXID' => $id]);
+        }
+    }
+
+    public function testRegularUserFromDifferentShopIsNotFound(): void
+    {
+        $connection = $this->queryBuilderFactory->create()->getConnection();
+        $id = uniqid('user_other_', true);
+        $username = "test-user-othershop-{$id}@example.com";
+
+        $connection->insert('oxuser', [
+            'OXID' => $id,
+            'OXUSERNAME' => $username,
+            'OXPASSWORD' => hash('sha512', 'testpassword'),
+            'OXRIGHTS' => 'user',
+            'OXACTIVE' => 1,
+            'OXSHOPID' => 999,
+        ]);
+
+        try {
+            $this->expectException(UserNotFoundException::class);
+            $this->userProvider->loadUserByIdentifier($username);
+        } finally {
+            $connection->delete('oxuser', ['OXID' => $id]);
+        }
+    }
+
     public function testRefreshUserWithNumericAdmin(): void
     {
         $originalUser = new ApiUser($this->testAdminId, $this->testAdminUsername, ['ROLE_USER', 'ROLE_ADMIN']);
@@ -169,16 +227,26 @@ private function createTestUsers(): void
             'OXACTIVE' => 1,
             'OXSHOPID' => 1,
         ]);
+
+        $this->testSubshopAdminId = uniqid('subshopadmin_', true);
+        $connection->insert('oxuser', [
+            'OXID' => $this->testSubshopAdminId,
+            'OXUSERNAME' => $this->testSubshopAdminUsername,
+            'OXPASSWORD' => hash('sha512', 'testpassword'),
+            'OXRIGHTS' => '2',
+            'OXACTIVE' => 1,
+            'OXSHOPID' => 1,
+        ]);
     }
 
     private function deleteTestUsers(): void
     {
-        if (isset($this->testUserId, $this->testMallAdminId, $this->testAdminId)) {
+        if (isset($this->testUserId, $this->testMallAdminId, $this->testAdminId, $this->testSubshopAdminId)) {
             $queryBuilder = $this->queryBuilderFactory->create();
             $queryBuilder
                 ->delete('oxuser')
                 ->where('OXID IN (:ids)')
-                ->setParameter('ids', [$this->testUserId, $this->testMallAdminId, $this->testAdminId], \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
+                ->setParameter('ids', [$this->testUserId, $this->testMallAdminId, $this->testAdminId, $this->testSubshopAdminId], \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
                 ->execute();
         }
     }

tests/Unit/Security/RoleResolverTest.php

@@ -10,18 +10,28 @@
 namespace OxidEsales\AuthComponent\Tests\Unit\Security;
 
 use OxidEsales\AuthComponent\Security\User\RoleResolver;
+use OxidEsales\EshopCommunity\Internal\Transition\Utility\ContextInterface;
 use PHPUnit\Framework\TestCase;
 
 final class RoleResolverTest extends TestCase
 {
     private array $defaultRoleMapping = [
         'malladmin' => ['ROLE_ADMIN', 'ROLE_ADMIN_MALL'],
-        '1' => ['ROLE_ADMIN'],
     ];
 
+    private ContextInterface $context;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->context = $this->createMock(ContextInterface::class);
+        $this->context->method('getCurrentShopId')->willReturn(1);
+    }
+
     public function testResolveRolesForRegularUser(): void
     {
-        $resolver = new RoleResolver($this->defaultRoleMapping);
+        $resolver = new RoleResolver($this->context, $this->defaultRoleMapping);
         $roles = $resolver->resolveRoles('user');
 
         $this->assertContains('ROLE_USER', $roles);
@@ -31,27 +41,35 @@ public function testResolveRolesForRegularUser(): void
 
     public function testResolveRolesForMallAdmin(): void
     {
-        $resolver = new RoleResolver($this->defaultRoleMapping);
+        $resolver = new RoleResolver($this->context, $this->defaultRoleMapping);
         $roles = $resolver->resolveRoles('malladmin');
 
         $this->assertContains('ROLE_USER', $roles);
         $this->assertContains('ROLE_ADMIN', $roles);
         $this->assertContains('ROLE_ADMIN_MALL', $roles);
     }
 
-    public function testResolveRolesForNumericAdmin(): void
+    public function testResolveRolesForNumericAdminMatchingCurrentShop(): void
     {
-        $resolver = new RoleResolver($this->defaultRoleMapping);
+        $resolver = new RoleResolver($this->context, $this->defaultRoleMapping);
         $roles = $resolver->resolveRoles('1');
 
         $this->assertContains('ROLE_USER', $roles);
         $this->assertContains('ROLE_ADMIN', $roles);
         $this->assertFalse(in_array('ROLE_ADMIN_MALL', $roles, true));
     }
 
+    public function testResolveRolesForNumericAdminNotMatchingCurrentShop(): void
+    {
+        $resolver = new RoleResolver($this->context, $this->defaultRoleMapping);
+        $roles = $resolver->resolveRoles('2');
+
+        $this->assertSame(['ROLE_USER'], $roles);
+    }
+
     public function testResolveRolesForEmptyRights(): void
     {
-        $resolver = new RoleResolver($this->defaultRoleMapping);
+        $resolver = new RoleResolver($this->context, $this->defaultRoleMapping);
         $roles = $resolver->resolveRoles('');
 
         $this->assertContains('ROLE_USER', $roles);
@@ -60,7 +78,7 @@ public function testResolveRolesForEmptyRights(): void
 
     public function testResolveRolesAlwaysContainsRoleUser(): void
     {
-        $resolver = new RoleResolver($this->defaultRoleMapping);
+        $resolver = new RoleResolver($this->context, $this->defaultRoleMapping);
 
         $this->assertContains('ROLE_USER', $resolver->resolveRoles('user'));
         $this->assertContains('ROLE_USER', $resolver->resolveRoles('malladmin'));
@@ -75,7 +93,7 @@ public function testResolveRolesWithCustomMapping(): void
             'superuser' => ['ROLE_SUPER', 'ROLE_ADMIN'],
             'editor' => ['ROLE_EDITOR'],
         ];
-        $resolver = new RoleResolver($customMapping);
+        $resolver = new RoleResolver($this->context, $customMapping);
 
         $superuserRoles = $resolver->resolveRoles('superuser');
         $this->assertContains('ROLE_USER', $superuserRoles);
@@ -90,7 +108,7 @@ public function testResolveRolesWithCustomMapping(): void
 
     public function testResolveRolesWithEmptyMapping(): void
     {
-        $resolver = new RoleResolver([]);
+        $resolver = new RoleResolver($this->context, []);
         $roles = $resolver->resolveRoles('malladmin');
 
         $this->assertSame(['ROLE_USER'], $roles);