Fixed: [calendar] refactor ACL on calendar

2025-09-29 10:05:03 +00:00 · 2022-11-28 12:22:58 +01:00
parent a73dca5efe
commit 74673380aa
6 changed files with 130 additions and 36 deletions
--- a/src/Bundle/ChillCalendarBundle/Security/Voter/CalendarVoter.php
+++ b/src/Bundle/ChillCalendarBundle/Security/Voter/CalendarVoter.php
@@ -20,13 +20,14 @@ namespace Chill\CalendarBundle\Security\Voter;

 use Chill\CalendarBundle\Entity\Calendar;
 use Chill\MainBundle\Security\Authorization\AbstractChillVoter;
+use Chill\MainBundle\Security\Authorization\AuthorizationHelperInterface;
 use Chill\MainBundle\Security\Authorization\VoterHelperFactoryInterface;
 use Chill\MainBundle\Security\Authorization\VoterHelperInterface;
 use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
+use Chill\MainBundle\Security\Resolver\CenterResolverManagerInterface;
 use Chill\PersonBundle\Entity\AccompanyingPeriod;
 use Chill\PersonBundle\Entity\Person;
 use Chill\PersonBundle\Security\Authorization\AccompanyingPeriodVoter;
-use Chill\PersonBundle\Security\Authorization\PersonVoter;
 use LogicException;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Security;
@@ -41,6 +42,10 @@ class CalendarVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn

    public const SEE = 'CHILL_CALENDAR_CALENDAR_SEE';

+    private AuthorizationHelperInterface $authorizationHelper;
+
+    private CenterResolverManagerInterface $centerResolverManager;
+
    private Security $security;

    private VoterHelperInterface $voterHelper;
@@ -52,8 +57,8 @@ class CalendarVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn
        $this->security = $security;
        $this->voterHelper = $voterHelperFactory
            ->generate(self::class)
-            ->addCheckFor(AccompanyingPeriod::class, [self::SEE])
-            ->addCheckFor(Person::class, [self::SEE])
+            ->addCheckFor(AccompanyingPeriod::class, [self::SEE, self::CREATE])
+            ->addCheckFor(Person::class, [self::SEE, self::CREATE])
            ->addCheckFor(Calendar::class, [self::SEE, self::CREATE, self::EDIT, self::DELETE])
            ->build();
    }
@@ -93,48 +98,37 @@ class CalendarVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn
        if ($subject instanceof AccompanyingPeriod) {
            switch ($attribute) {
                case self::SEE:
+                case self::CREATE:
                    if ($subject->getStep() === AccompanyingPeriod::STEP_DRAFT) {
                        return false;
                    }

                    // we first check here that the user has read access to the period
-                    return $this->security->isGranted(AccompanyingPeriodVoter::SEE, $subject);
+                    if (!$this->security->isGranted(AccompanyingPeriodVoter::SEE, $subject)) {
+                        return false;
+                    }

-                default:
-                    throw new LogicException('subject not implemented');
+                    // There is no scope on Calendar, but there are some on accompanying period
+                    // so, to ignore AccompanyingPeriod's scopes, we create a blank Calendar
+                    // linked with an accompanying period.
+                    return $this->voterHelper->voteOnAttribute($attribute, (new Calendar())->setAccompanyingPeriod($subject), $token);
            }
        } elseif ($subject instanceof Person) {
            switch ($attribute) {
                case self::SEE:
-                    return $this->security->isGranted(PersonVoter::SEE, $subject);
-
-                default:
-                    throw new LogicException('subject not implemented');
+                case self::CREATE:
+                    return $this->voterHelper->voteOnAttribute($attribute, $subject, $token);
            }
        } elseif ($subject instanceof Calendar) {
-            if (null !== $period = $subject->getAccompanyingPeriod()) {
-                switch ($attribute) {
-                    case self::SEE:
-                    case self::EDIT:
-                    case self::CREATE:
-                        return $this->security->isGranted(AccompanyingPeriodVoter::SEE, $period);
-
-                    case self::DELETE:
-                        return $this->security->isGranted(AccompanyingPeriodVoter::EDIT, $period);
-                }
-            } elseif (null !== $person = $subject->getPerson()) {
-                switch ($attribute) {
-                    case self::SEE:
-                    case self::EDIT:
-                    case self::CREATE:
-                        return $this->security->isGranted(PersonVoter::SEE, $person);
-
-                    case self::DELETE:
-                        return $this->security->isGranted(PersonVoter::UPDATE, $person);
-                }
+            switch ($attribute) {
+                case self::SEE:
+                case self::EDIT:
+                case self::CREATE:
+                case self::DELETE:
+                    return $this->voterHelper->voteOnAttribute($attribute, $subject, $token);
            }
        }

-        throw new LogicException('attribute not implemented');
+        throw new LogicException('attribute or not implemented');
    }
 }