Correctly log rbac permission check and renamed property reason to logReason to avoid confusion with Policy\Result::reason

Author: rochamarcelo

src/Policy/Result/SuperuserResult.php

@@ -4,7 +4,6 @@
 namespace CakeDC\Auth\Policy\Result;
 
 use Authorization\Policy\ResultInterface;
-use Psr\Http\Message\ServerRequestInterface;
 
 class SuperuserResult implements ResultInterface
 {

src/Rbac/PermissionMatchResult.php

@@ -25,13 +25,13 @@ class PermissionMatchResult
      * PermissionMatchResult constructor.
      *
      * @param bool $allowed rule was matched, allowed value
-     * @param string $reason reason to either allow or deny
+     * @param string $logReason reason to either allow or deny
      * @param array|null $resource The resource url to check if allowed
      * @param array|null $permission The matching permission
      */
     public function __construct(
         protected bool $allowed = false,
-        protected string $reason = '',
+        protected string $logReason = '',
         protected ?array $resource = null,
         protected ?array $permission = null
     ) {
@@ -59,21 +59,21 @@ public function isAllowed(): bool
     }
 
     /**
-     * @param string $reason reason
+     * @param string $logReason reason
      */
-    public function setReason(string $reason): PermissionMatchResult
+    public function setLogReason(string $logReason): PermissionMatchResult
     {
-        $this->reason = $reason;
+        $this->logReason = $logReason;
 
         return $this;
     }
 
     /**
      * @return string
      */
-    public function getReason(): string
+    public function getLogReason(): string
     {
-        return $this->reason;
+        return $this->logReason;
     }
 
     /**

src/Rbac/Rbac.php

@@ -121,19 +121,20 @@ public function checkPermissions(array|ArrayAccess $user, ServerRequestInterface
         foreach ($this->permissions as $permission) {
             $matchResult = $this->_matchPermission($permission, $user, $role, $request);
             if ($matchResult !== null) {
-                if ($this->getConfig('log')) {
-                    $this->log($matchResult->getReason(), LogLevel::DEBUG);
-                }
+                $this->logResult($matchResult);
 
                 return $matchResult;
             }
         }
-
-        return new PermissionMatchResult(
+        $resource = $this->parseSource($request, $role);
+        $result = new PermissionMatchResult(
             false,
-            'No permission matching',
-            $this->parseSource($request, $role)
+            sprintf('No permission matching resource: %s', json_encode($resource)),
+            $resource
         );
+        $this->logResult($result);
+
+        return $result;
     }
 
     /**
@@ -266,4 +267,15 @@ protected function parseSource(ServerRequestInterface $request, mixed $role): ar
             'role' => $role,
         ];
     }
+
+    /**
+     * @param \CakeDC\Auth\Rbac\PermissionMatchResult $matchResult
+     * @return void
+     */
+    protected function logResult(PermissionMatchResult $matchResult): void
+    {
+        if ($this->getConfig('log')) {
+            $this->log($matchResult->getLogReason(), LogLevel::DEBUG);
+        }
+    }
 }

tests/TestCase/Auth/Rbac/PermissionMatchResultTest.php

@@ -48,18 +48,18 @@ public function testConstruct()
     {
         $permissionMatchResult = new PermissionMatchResult();
         $this->assertFalse($permissionMatchResult->isAllowed());
-        $this->assertSame('', $permissionMatchResult->getReason());
+        $this->assertSame('', $permissionMatchResult->getLogReason());
 
         $permissionMatchResult = new PermissionMatchResult(true, 'bazinga');
         $this->assertTrue($permissionMatchResult->isAllowed());
-        $this->assertSame('bazinga', $permissionMatchResult->getReason());
+        $this->assertSame('bazinga', $permissionMatchResult->getLogReason());
     }
 
     public function testSetGet()
     {
         $this->assertTrue($this->permissionMatchResult->setAllowed(true)->isAllowed());
         $this->assertFalse($this->permissionMatchResult->setAllowed(false)->isAllowed());
-        $this->assertNotSame('bazinga', $this->permissionMatchResult->setReason('another-reason')->getReason());
-        $this->assertSame('bazinga', $this->permissionMatchResult->setReason('bazinga')->getReason());
+        $this->assertNotSame('bazinga', $this->permissionMatchResult->setLogReason('another-reason')->getLogReason());
+        $this->assertSame('bazinga', $this->permissionMatchResult->setLogReason('bazinga')->getLogReason());
     }
 }