From 4ef48216ed48f7a0bfb6d3db0d28849d2fe19206 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?=
Date: Mon, 11 Jul 2022 13:54:12 +0200
Subject: [PATCH] fixed: do not allow to create a course or see a houshold from the search result, if the user does not have any rights to do it
---
 .../Resources/views/Person/list_with_period.html.twig | 10 ++++++----
 .../Security/Authorization/AccompanyingPeriodVoter.php | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/Bundle/ChillPersonBundle/Resources/views/Person/list_with_period.html.twig b/src/Bundle/ChillPersonBundle/Resources/views/Person/list_with_period.html.twig
index c407b6c57..886fa791b 100644
--- a/src/Bundle/ChillPersonBundle/Resources/views/Person/list_with_period.html.twig
+++ b/src/Bundle/ChillPersonBundle/Resources/views/Person/list_with_period.html.twig
@@ -1,13 +1,15 @@
 {% macro button_person_after(person) %}
 {% set household = person.getCurrentHousehold %}
- {% if household is not null %}
+ {% if household is not null and is_granted('CHILL_PERSON_HOUSEHOLD_SEE', household) %}
  • {% endif %} -
  • - -
  • + {% if is_granted('CHILL_PERSON_ACCOMPANYING_PERIOD_CREATE', person) %} +
  • + +
  • + {% endif %} {% endmacro %} {% macro accompanying_period(acp, person) %}
diff --git a/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php b/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
index 0859ba7bd..c6a06a663 100644
--- a/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
+++ b/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
@@ -113,7 +113,7 @@ class AccompanyingPeriodVoter extends AbstractChillVoter implements ProvideRoleH
 ->generate(self::class)
 ->addCheckFor(null, [self::CREATE, self::REASSIGN_BULK])
 ->addCheckFor(AccompanyingPeriod::class, [self::TOGGLE_CONFIDENTIAL, ...self::ALL])
- ->addCheckFor(Person::class, [self::SEE])
+ ->addCheckFor(Person::class, [self::SEE, self::CREATE])
 ->build();
 }
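Review bot: The two new `is_granted(...)` guards in `button_person_after` only decide whether the entries are rendered; nothing in this patch shows the household page or the course-creation action refusing a request from a user who lacks the right. The controllers behind those two entries should deny on the same attribute and subject (`CHILL_PERSON_HOUSEHOLD_SEE` on the household, `CHILL_PERSON_ACCOMPANYING_PERIOD_CREATE` on the person), otherwise the template check is cosmetic. A short Twig comment above each guard, for example `{# display only: the target action must enforce the same attribute #}`, would keep that dependency visible to the next maintainer. The markup inside the list items is not readable in this rendering, so the routes they link to could not be checked here.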
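Review bot: It is not visible in this hunk whether the voter's decision logic distinguishes CREATE from SEE when the subject is a `Person`, a case the added `self::CREATE` entry on the `Person::class` line now makes reachable. If the Person branch was written when SEE was the only attribute accepted for a person, a user who may only see that person could also be granted CREATE; confirm that the attribute is passed through to the role check, and add a test for a user holding SEE but not CREATE. CREATE also stays registered for a `null` subject two lines above, so a comment such as `// CREATE: accepted without subject and with a Person subject (per-person check)` would document which form callers are expected to use, assuming that is the intent. The method containing this builder chain starts before the hunk.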