Fixed: [calendar] refactor ACL on calendar

2025-09-01 20:43:49 +00:00 · 2022-11-28 12:22:58 +01:00
parent a73dca5efe
commit 74673380aa
6 changed files with 130 additions and 36 deletions
--- a/src/Bundle/ChillCalendarBundle/Controller/CalendarController.php
+++ b/src/Bundle/ChillCalendarBundle/Controller/CalendarController.php
@@ -15,6 +15,7 @@ use Chill\CalendarBundle\Entity\Calendar;
 use Chill\CalendarBundle\Form\CalendarType;
 use Chill\CalendarBundle\RemoteCalendar\Connector\RemoteCalendarConnectorInterface;
 use Chill\CalendarBundle\Repository\CalendarACLAwareRepositoryInterface;
+use Chill\CalendarBundle\Security\Voter\CalendarVoter;
 use Chill\DocGeneratorBundle\Repository\DocGeneratorTemplateRepository;
 use Chill\MainBundle\Entity\User;
 use Chill\MainBundle\Pagination\PaginatorFactory;
@@ -146,6 +147,8 @@ class CalendarController extends AbstractController
     */
    public function editAction(Calendar $entity, Request $request): Response
    {
+        $this->denyAccessUnlessGranted(CalendarVoter::EDIT, $entity);
+
        if (!$this->remoteCalendarConnector->isReady()) {
            return $this->remoteCalendarConnector->getMakeReadyResponse($request->getUri());
        }
@@ -207,6 +210,8 @@ class CalendarController extends AbstractController
     */
    public function listActionByCourse(AccompanyingPeriod $accompanyingPeriod): Response
    {
+        $this->denyAccessUnlessGranted(CalendarVoter::SEE, $accompanyingPeriod);
+
        $filterOrder = $this->buildListFilterOrder();
        ['from' => $from, 'to' => $to] = $filterOrder->getDateRangeData('startDate');

@@ -239,6 +244,8 @@ class CalendarController extends AbstractController
     */
    public function listActionByPerson(Person $person): Response
    {
+        $this->denyAccessUnlessGranted(CalendarVoter::SEE, $person);
+
        $filterOrder = $this->buildListFilterOrder();
        ['from' => $from, 'to' => $to] = $filterOrder->getDateRangeData('startDate');

@@ -308,7 +315,7 @@ class CalendarController extends AbstractController
            $view = '@ChillCalendar/Calendar/newByAccompanyingCourse.html.twig';
            $entity->setAccompanyingPeriod($accompanyingPeriod);
            $redirectRoute = $this->generateUrl('chill_calendar_calendar_list_by_period', ['id' => $accompanyingPeriod->getId()]);
-        } elseif ($person) {
+        } elseif (null !== $person) {
            $view = '@ChillCalendar/Calendar/newByPerson.html.twig';
            $entity->setPerson($person)->addPerson($person);
            $redirectRoute = $this->generateUrl('chill_calendar_calendar_list_by_person', ['id' => $person->getId()]);
@@ -318,6 +325,8 @@ class CalendarController extends AbstractController
            $entity->setMainUser($this->userRepository->find($request->query->getInt('mainUser')));
        }

+        $this->denyAccessUnlessGranted(CalendarVoter::CREATE, $entity);
+
        $form = $this->createForm(CalendarType::class, $entity)
            ->add('save', SubmitType::class);

@@ -437,6 +446,8 @@ class CalendarController extends AbstractController
     */
    public function toActivity(Request $request, Calendar $calendar): RedirectResponse
    {
+        $this->denyAccessUnlessGranted(CalendarVoter::SEE, $calendar);
+
        $personsId = array_map(
            static fn (Person $p): int => $p->getId(),
            $calendar->getPersons()->toArray()