diff --git a/.changes/unreleased/Security-20230607-174702.yaml b/.changes/unreleased/Security-20230607-174702.yaml
new file mode 100644
index 000000000..ecdc1d191
--- /dev/null
+++ b/.changes/unreleased/Security-20230607-174702.yaml
@@ -0,0 +1,7 @@
+kind: Security
+body: Rights are checked for display of 'accompanying period' tab in household menu.
+ Rights are also checked for creation of 'accompanying period' from within household
+ context
+time: 2023-06-07T17:47:02.488819553+02:00
+custom:
+ Issue: "105"
diff --git a/src/Bundle/ChillPersonBundle/Menu/HouseholdMenuBuilder.php b/src/Bundle/ChillPersonBundle/Menu/HouseholdMenuBuilder.php
index 074c27027..13291bdd1 100644
--- a/src/Bundle/ChillPersonBundle/Menu/HouseholdMenuBuilder.php
+++ b/src/Bundle/ChillPersonBundle/Menu/HouseholdMenuBuilder.php
@@ -12,7 +12,9 @@ declare(strict_types=1);
namespace Chill\PersonBundle\Menu;
use Chill\MainBundle\Routing\LocalMenuBuilderInterface;
+use Chill\PersonBundle\Security\Authorization\AccompanyingPeriodVoter;
use Knp\Menu\MenuItem;
+use Symfony\Component\Security\Core\Security;
use Symfony\Contracts\Translation\TranslatorInterface;
class HouseholdMenuBuilder implements LocalMenuBuilderInterface
@@ -22,9 +24,12 @@ class HouseholdMenuBuilder implements LocalMenuBuilderInterface
*/
protected $translator;
- public function __construct(TranslatorInterface $translator)
+ private Security $security;
+
+ public function __construct(TranslatorInterface $translator, Security $security)
{
$this->translator = $translator;
+ $this->security = $security;
}
public function buildMenu($menuId, MenuItem $menu, array $parameters): void
@@ -53,12 +58,14 @@ class HouseholdMenuBuilder implements LocalMenuBuilderInterface
], ])
->setExtras(['order' => 17]);
- $menu->addChild($this->translator->trans('household.Accompanying period'), [
- 'route' => 'chill_person_household_accompanying_period',
- 'routeParameters' => [
- 'household_id' => $household->getId(),
- ], ])
- ->setExtras(['order' => 20]);
+ if ($this->security->isGranted(AccompanyingPeriodVoter::SEE, $parameters['household'])) {
+ $menu->addChild($this->translator->trans('household.Accompanying period'), [
+ 'route' => 'chill_person_household_accompanying_period',
+ 'routeParameters' => [
+ 'household_id' => $household->getId(),
+ ],])
+ ->setExtras(['order' => 20]);
+ }
$menu->addChild($this->translator->trans('household.Addresses'), [
'route' => 'chill_person_household_addresses',
diff --git a/src/Bundle/ChillPersonBundle/Resources/views/Household/accompanying_period.html.twig b/src/Bundle/ChillPersonBundle/Resources/views/Household/accompanying_period.html.twig
index acd251735..c734eee8e 100644
--- a/src/Bundle/ChillPersonBundle/Resources/views/Household/accompanying_period.html.twig
+++ b/src/Bundle/ChillPersonBundle/Resources/views/Household/accompanying_period.html.twig
@@ -40,13 +40,14 @@
{{ 'Household summary'|trans }}
- {# TODO: add ACL to check if user is allowed to edit household? #}
-
-
- {{ 'Create an accompanying period'|trans }}
-
-
+ {% if is_granted('CHILL_PERSON_HOUSEHOLD_EDIT', household) %}
+
+
+ {{ 'Create an accompanying period'|trans }}
+
+
+ {% endif %}