Adjust logic for removing the hold on a workflow only by user who owns the hold and when a transition is applied on the workflow

2025-09-05 22:35:01 +00:00 · 2024-08-30 12:59:08 +02:00
parent 41ffc470a0
commit 745a29f742
5 changed files with 48 additions and 26 deletions
--- a/src/Bundle/ChillMainBundle/Controller/WorkflowController.php
+++ b/src/Bundle/ChillMainBundle/Controller/WorkflowController.php
@@ -298,7 +298,7 @@ class WorkflowController extends AbstractController
        $workflow = $this->registry->get($entityWorkflow, $entityWorkflow->getWorkflowName());
        $errors = [];
        $signatures = $entityWorkflow->getCurrentStep()->getSignatures();
-        $holdOnStepByUser = $this->entityWorkflowStepHoldRepository->findOneByStepAndUser($entityWorkflow->getCurrentStep(), $this->security->getUser());
+        $onHoldStep = $this->entityWorkflowStepHoldRepository->findByWorkflow($entityWorkflow);

        if (\count($workflow->getEnabledTransitions($entityWorkflow)) > 0) {
            // possible transition
@@ -343,6 +343,10 @@ class WorkflowController extends AbstractController

                $this->entityManager->flush();

+                if ($onHoldStep) {
+                    $this->entityManager->remove($onHoldStep);
+                }
+
                return $this->redirectToRoute('chill_main_workflow_show', ['id' => $entityWorkflow->getId()]);
            }

@@ -361,7 +365,7 @@ class WorkflowController extends AbstractController
                'entity_workflow' => $entityWorkflow,
                'transition_form_errors' => $errors,
                'signatures' => $signatures,
-                'holdOnStepByUser' => $holdOnStepByUser,
+                'onHoldStep' => $onHoldStep,
            ]
        );
    }
--- a/src/Bundle/ChillMainBundle/Controller/WorkflowOnHoldController.php
+++ b/src/Bundle/ChillMainBundle/Controller/WorkflowOnHoldController.php
@@ -4,6 +4,7 @@ namespace Chill\MainBundle\Controller;

 use Chill\MainBundle\Entity\Workflow\EntityWorkflow;
 use Chill\MainBundle\Entity\Workflow\EntityWorkflowStepHold;
+use Chill\MainBundle\Repository\Workflow\EntityWorkflowRepository;
 use Chill\MainBundle\Repository\Workflow\EntityWorkflowStepHoldRepository;
 use Chill\MainBundle\Security\ChillSecurity;
 use Doctrine\ORM\EntityManagerInterface;
@@ -20,32 +21,23 @@ class WorkflowOnHoldController extends AbstractController
        private readonly EntityManagerInterface $entityManager,
        private readonly Security $security,
        private readonly Registry $registry,
-        private readonly EntityWorkflowStepHoldRepository $entityWorkflowStepHoldRepository
+        private readonly EntityWorkflowStepHoldRepository $entityWorkflowStepHoldRepository,
+        private readonly EntityWorkflowRepository $entityWorkflowRepository
    ) {}

    #[Route(path: '/{_locale}/main/workflow/{id}/hold', name: 'chill_main_workflow_on_hold')]
    public function putOnHold(EntityWorkflow $entityWorkflow, Request $request): Response
    {
+        $entityWorkflow = $this->entityWorkflowRepository->find($entityWorkflow);
+
        $currentStep = $entityWorkflow->getCurrentStep();
        $currentUser = $this->security->getUser();

        $workflow = $this->registry->get($entityWorkflow, $entityWorkflow->getWorkflowName());
-
        $enabledTransitions = $workflow->getEnabledTransitions($entityWorkflow);
-        if (\count($enabledTransitions) === 0) {
-            throw $this->createAccessDeniedException('No transitions are available for the current workflow state.');
-        }

-        $isTransitionAllowed = false;
-        foreach ($enabledTransitions as $transition) {
-            if ($workflow->can($entityWorkflow, $transition->getName())) {
-                $isTransitionAllowed = true;
-                break;
-            }
-        }
-
-        if (!$isTransitionAllowed) {
-            throw $this->createAccessDeniedException('You are not allowed to apply any transitions to this workflow, therefore you cannot put it on hold.');
+        if (!count($enabledTransitions) > 0) {
+            throw $this->createAccessDeniedException('You are not allowed to apply any transitions to this workflow, therefore you cannot toggle the hold status.');
        }

        $stepHold = new EntityWorkflowStepHold($currentStep, $currentUser);
@@ -61,10 +53,16 @@ class WorkflowOnHoldController extends AbstractController
    {
        $hold = $this->entityWorkflowStepHoldRepository->findById($holdId);
        $entityWorkflow = $hold->getStep()->getEntityWorkflow();
+        $currentUser = $this->security->getUser();
+
+        if ($hold->getByUser() !== $currentUser) {
+            throw $this->createAccessDeniedException('You are not allowed to remove the hold status.');
+        }

        $this->entityManager->remove($hold);
        $this->entityManager->flush();

        return $this->redirectToRoute('chill_main_workflow_show', ['id' => $entityWorkflow->getId()]);
    }
+
 }