From 64a1e337b56fd7050fe61debbfaa6b5a82fe9380 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Pustu=C5=82ka?=
Date: Mon, 21 Aug 2023 13:44:22 +0200
Subject: [PATCH 1/5] Fix type check
---
 src/Controller/Component/AuthorizationComponent.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Controller/Component/AuthorizationComponent.php b/src/Controller/Component/AuthorizationComponent.php
index 0a2adb8f..a9a80e93 100644
--- a/src/Controller/Component/AuthorizationComponent.php
+++ b/src/Controller/Component/AuthorizationComponent.php
@@ -133,7 +133,7 @@ protected function performCheck($resource, ?string $action = null, string $metho
 }
 $identity = $this->getIdentity($request);
- if (empty($identity)) {
+ if ($identity === null) {
 return $this->getService($request)->{$method}(null, $action, $resource);
 }
From d3ca112816a8c605e6ad09e6989d0735eb06d19d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Pustu=C5=82ka?=
Date: Mon, 21 Aug 2023 13:55:19 +0200
Subject: [PATCH 2/5] Allow applyScope for missing identity
---
 src/Controller/Component/AuthorizationComponent.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Controller/Component/AuthorizationComponent.php b/src/Controller/Component/AuthorizationComponent.php
index a9a80e93..4c272042 100644
--- a/src/Controller/Component/AuthorizationComponent.php
+++ b/src/Controller/Component/AuthorizationComponent.php
@@ -158,7 +158,7 @@ public function applyScope($resource, ?string $action = null)
 }
 $identity = $this->getIdentity($request);
 if ($identity === null) {
- throw new MissingIdentityException('Identity must exist for applyScope() call.');
+ return $this->getService($request)->applyScope(null, $action, $resource);
 }
 return $identity->applyScope($action, $resource);
From 4a0802270fdc7d287418f41bf05e750ede25efd2 Mon Sep 17 00:00:00 2001
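Review bot: The new null-identity branch makes `applyScope()` depend on every scope policy accepting `null` where it previously failed closed with `MissingIdentityException`; a policy still declared `scopeX(IdentityInterface $user, ...)` will now fail with a `TypeError` on anonymous requests, and one that reads `$user['id']` unguarded would presumably build a `user_id IS NULL` condition instead of refusing. Callers that caught `MissingIdentityException` to redirect to login also stop seeing it, so this is a behavioural change worth a changelog entry rather than a silent switch. The method's docblock is outside the hunk; if it carries `@throws \Authorization\Exception\MissingIdentityException` that tag should go, replaced by a line such as `Policies receive a null identity for anonymous requests and must handle it.` The rest of `applyScope()` lies outside the hunk.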
From: =?UTF-8?q?Robert=20Pustu=C5=82ka?=
Date: Mon, 21 Aug 2023 13:58:10 +0200
Subject: [PATCH 3/5] Update policies
---
 tests/test_app/TestApp/Policy/ArticlePolicy.php | 4 ++++
 tests/test_app/TestApp/Policy/ArticlesTablePolicy.php | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/test_app/TestApp/Policy/ArticlePolicy.php b/tests/test_app/TestApp/Policy/ArticlePolicy.php
index a6604814..402ca927 100644
--- a/tests/test_app/TestApp/Policy/ArticlePolicy.php
+++ b/tests/test_app/TestApp/Policy/ArticlePolicy.php
@@ -28,6 +28,10 @@ public function canAdd($user)
 */
 public function canEdit($user, Article $article)
 {
+ if ($user === null) {
+ return false;
+ }
+
 if (in_array($user['role'], ['admin', 'author'])) {
 return true;
 }
diff --git a/tests/test_app/TestApp/Policy/ArticlesTablePolicy.php b/tests/test_app/TestApp/Policy/ArticlesTablePolicy.php
index 447c8898..e72314e3 100644
--- a/tests/test_app/TestApp/Policy/ArticlesTablePolicy.php
+++ b/tests/test_app/TestApp/Policy/ArticlesTablePolicy.php
@@ -23,8 +23,14 @@ public function canModify(IdentityInterface $identity)
 return $identity['can_edit'];
 }
- public function scopeEdit(IdentityInterface $user, QueryInterface $query)
+ public function scopeEdit(?IdentityInterface $user, QueryInterface $query)
 {
+ if ($user === null) {
+ return $query->where([
+ 'visibility' => 'public',
+ ]);
+ }
+
 return $query->where([
 'user_id' => $user['id'],
 ]);
From 0163abf91d4847f4c0966c7f86c1ac61e534113e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Pustu=C5=82ka?=
Date: Mon, 21 Aug 2023 13:58:22 +0200
Subject: [PATCH 4/5] Add tests for missing identity
---
 .../Component/AuthorizationComponentTest.php | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/tests/TestCase/Controller/Component/AuthorizationComponentTest.php b/tests/TestCase/Controller/Component/AuthorizationComponentTest.php
index bbcc7a6c..b7cf93e3 100644
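Review bot: `canEdit()` keeps an untyped `$user` while `ArticlesTablePolicy::scopeEdit()` in the same patch is typed `?IdentityInterface`; declaring `public function canEdit(?IdentityInterface $user, Article $article)` (importing `Authorization\IdentityInterface` if the file does not already) would make the null contract explicit instead of leaving it to the new guard. The `in_array()` on the following context line is also non-strict; `in_array($user['role'], ['admin', 'author'], true)` avoids loose comparison against a role value whose type is not visible here. The body of `canEdit()` continues past the hunk.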
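Review bot: The null branch in `scopeEdit()` hands anonymous callers an `edit` scope over every public article, while `ArticlePolicy::canEdit()` in the same patch denies anonymous edits outright, so the two fixtures now disagree about what an anonymous user may edit. That is tolerable for a test app, but this file is the example readers copy, so a comment above the branch such as `// Test fixture only: a real edit scope should return no rows for an anonymous user` would stop the pattern being reused as-is. `canModify()` in the hunk's context keeps a non-nullable `IdentityInterface` hint, so a `can()` call without an identity against this policy would presumably raise a `TypeError` rather than return false; if that is intended it deserves a line in the commit message.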
--- a/tests/TestCase/Controller/Component/AuthorizationComponentTest.php
+++ b/tests/TestCase/Controller/Component/AuthorizationComponentTest.php
@@ -253,6 +253,33 @@ public function testApplyScopeImplicitAction()
 $this->assertSame($query, $result);
 }
+ public function testApplyScopeNoUser()
+ {
+ $this->request = $this->request
+ ->withoutAttribute('identity');
+
+ $controller = new Controller($this->request);
+ $componentRegistry = new ComponentRegistry($controller);
+ $auth = new AuthorizationComponent($componentRegistry);
+
+ $articles = new ArticlesTable();
+ $query = $this->createMock(QueryInterface::class);
+ $query->method('getRepository')
+ ->willReturn($articles);
+
+ $query->expects($this->once())
+ ->method('where')
+ ->with([
+ 'visibility' => 'public',
+ ])
+ ->willReturn($query);
+
+ $result = $auth->applyScope($query);
+
+ $this->assertInstanceOf(QueryInterface::class, $result);
+ $this->assertSame($query, $result);
+ }
+
 public function testApplyScopeMappedAction()
 {
 $articles = new ArticlesTable();
@@ -470,6 +497,20 @@ public function testCan()
 $this->assertFalse($this->Auth->can($article, 'delete'));
 }
+ public function testCanWithoutUser()
+ {
+ $this->request = $this->request
+ ->withoutAttribute('identity');
+
+ $controller = new Controller($this->request);
+ $componentRegistry = new ComponentRegistry($controller);
+ $auth = new AuthorizationComponent($componentRegistry);
+
+ $article = new Article(['user_id' => 1, 'visibility' => 'public']);
+ $this->assertFalse($auth->can($article, 'edit'));
+ $this->assertTrue($auth->can($article, 'view'));
+ }
+
 public function testCanWithResult()
 {
 $article = new Article(['user_id' => 1]);
From bd01fa344d8a95d7b47e6963219b0da4019e707e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Pustu=C5=82ka?=
Date: Mon, 21 Aug 2023 14:02:18 +0200
Subject: [PATCH 5/5] CS fix
---
 src/Controller/Component/AuthorizationComponent.php | 1 -
 1 file changed, 1 deletion(-)
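Review bot: Both new tests only exercise policies that this series made null-safe; nothing pins what `applyScope()` or `can()` does when the resolved policy still requires a non-null `IdentityInterface`, which is the failure mode that replaces the removed `MissingIdentityException`. A test that hits such a policy (`ArticlesTablePolicy::canModify()` is still non-nullable and could serve via `$auth->can($articles, 'modify')`) and asserts the resulting `TypeError`, or whatever the service maps it to, would document the new contract for downstream policy authors. `testApplyScopeNoUser()` and `testCanWithoutUser()` also rebuild `Controller`, `ComponentRegistry` and `AuthorizationComponent` by hand in identical lines; a small `buildComponent(ServerRequest $request): AuthorizationComponent` helper would cut the duplication. Whether `setUp()` restores `$this->request` after these tests reassign it is not visible here.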
diff --git a/src/Controller/Component/AuthorizationComponent.php b/src/Controller/Component/AuthorizationComponent.php
index 4c272042..3362a859 100644
--- a/src/Controller/Component/AuthorizationComponent.php
+++ b/src/Controller/Component/AuthorizationComponent.php
@@ -18,7 +18,6 @@
 use Authorization\AuthorizationServiceInterface;
 use Authorization\Exception\ForbiddenException;
-use Authorization\Exception\MissingIdentityException;
 use Authorization\IdentityInterface;
 use Authorization\Policy\ResultInterface;
 use Cake\Controller\Component;