upgrade voter and acl for activities and implement autoconfiguration for

ChillProvideRole interface
2025-08-21 15:13:50 +00:00 · 2021-09-20 13:03:59 +02:00
parent b6c58a5c31
commit 120f7d8026
11 changed files with 236 additions and 101 deletions
--- a/src/Bundle/ChillActivityBundle/Security/Authorization/ActivityVoter.php
+++ b/src/Bundle/ChillActivityBundle/Security/Authorization/ActivityVoter.php
@@ -19,6 +19,11 @@

 namespace Chill\ActivityBundle\Security\Authorization;

+use Chill\MainBundle\Security\Authorization\VoterHelperFactoryInterface;
+use Chill\MainBundle\Security\Authorization\VoterHelperInterface;
+use Chill\PersonBundle\Entity\AccompanyingPeriod;
+use Chill\PersonBundle\Security\Authorization\AccompanyingPeriodVoter;
+use Chill\PersonBundle\Security\Authorization\PersonVoter;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

 use Chill\MainBundle\Security\Authorization\AbstractChillVoter;
@@ -28,11 +33,10 @@ use Chill\MainBundle\Entity\User;
 use Chill\ActivityBundle\Entity\Activity;
 use Chill\PersonBundle\Entity\Person;
 use Symfony\Component\Security\Core\Role\Role;
+use Symfony\Component\Security\Core\Security;

 /**
- *
- *
- * @author Julien Fastré <julien.fastre@champs-libres.coop>
+ * Voter for Activity class
 */
 class ActivityVoter extends AbstractChillVoter implements ProvideRoleHierarchyInterface
 {
@@ -41,30 +45,37 @@ class ActivityVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn
    const SEE_DETAILS = 'CHILL_ACTIVITY_SEE_DETAILS';
    const UPDATE = 'CHILL_ACTIVITY_UPDATE';
    const DELETE = 'CHILL_ACTIVITY_DELETE';
+    const FULL = 'CHILL_ACTIVITY_FULL';

-    /**
-     *
-     * @var AuthorizationHelper
-     */
-    protected $helper;
+    private const ALL = [
+        self::CREATE,
+        self::SEE,
+        self::UPDATE,
+        self::DELETE,
+        self::SEE_DETAILS,
+        self::FULL
+    ];

-    public function __construct(AuthorizationHelper $helper)
-    {
-        $this->helper = $helper;
+    protected VoterHelperInterface $voterHelper;
+
+    protected Security $security;
+
+    public function __construct(
+        Security $security,
+        VoterHelperFactoryInterface $voterHelperFactory
+    ) {
+        $this->security = $security;
+        $this->voterHelper = $voterHelperFactory->generate(self::class)
+            ->addCheckFor(Person::class, [self::SEE, self::CREATE])
+            ->addCheckFor(AccompanyingPeriod::class, [self::SEE, self::CREATE])
+            ->addCheckFor(Activity::class, self::ALL)
+            ->build();
    }


    protected function supports($attribute, $subject)
    {
-        if ($subject instanceof Activity) {
-            return \in_array($attribute, $this->getAttributes());
-        } elseif ($subject instanceof Person) {
-            return $attribute === self::SEE 
-                ||
-                $attribute === self::CREATE;
-        } else {
-            return false;
-        }
+        return $this->voterHelper->supports($attribute, $subject);
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
@@ -72,32 +83,34 @@ class ActivityVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn
        if (!$token->getUser() instanceof User) {
            return false;
        }
-        
-        if ($subject instanceof Person) {
-            $centers = $this->helper->getReachableCenters($token->getUser(), new Role($attribute));
-            
-            return \in_array($subject->getCenter(), $centers);
+
+        if ($subject instanceof Activity) {
+            if ($subject->getPerson() instanceof Person) {
+                // the context is person: we must have the right to see the person
+                if (!$this->security->isGranted(PersonVoter::SEE, $subject->getPerson())) {
+                    return false;
+                }
+            } elseif ($subject->getAccompanyingPeriod() instanceof AccompanyingPeriod) {
+                if (!$this->security->isGranted(AccompanyingPeriodVoter::SEE, $subject->getAccompanyingPeriod())) {
+                    return false;
+                }
+            } else {
+                throw new \RuntimeException("could not determine context of activity");
+            }
        }
-        
-        /* @var $subject Activity */
-        return $this->helper->userHasAccess($token->getUser(), $subject, $attribute);
-    }
-    
-    private function getAttributes()
-    {
-        return [ self::CREATE, self::SEE, self::UPDATE, self::DELETE,
-                  self::SEE_DETAILS ];
+
+        return $this->voterHelper->voteOnAttribute($attribute, $subject, $token);
    }


    public function getRoles()
    {
-        return $this->getAttributes();
+        return self::ALL;
    }

    public function getRolesWithoutScope()
    {
-        return array();
+        return [];
    }