Chill-project/chill-bundles
6
0
Fork 0
mirror of https://gitlab.com/Chill-Projet/chill-bundles.git synced 2025-06-13 05:44:24 +00:00
Code Issues Actions Projects Releases Wiki Activity

Fixed: [calendar] refactor ACL on calendar

Browse Source
This commit is contained in:
Julien Fastré 2022-11-28 12:22:58 +01:00
parent a73dca5efe
commit 74673380aa
Signed by: julienfastre
GPG Key ID: BDE2190974723FCB
6 changed files with 130 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/Bundle/ChillCalendarBundle/Controller/CalendarController.php
View File

@ -15,6 +15,7 @@ use Chill\CalendarBundle\Entity\Calendar;
use Chill\CalendarBundle\Form\CalendarType; use Chill\CalendarBundle\Form\CalendarType;
use Chill\CalendarBundle\RemoteCalendar\Connector\RemoteCalendarConnectorInterface; use Chill\CalendarBundle\RemoteCalendar\Connector\RemoteCalendarConnectorInterface;
use Chill\CalendarBundle\Repository\CalendarACLAwareRepositoryInterface; use Chill\CalendarBundle\Repository\CalendarACLAwareRepositoryInterface;
use Chill\CalendarBundle\Security\Voter\CalendarVoter;
use Chill\DocGeneratorBundle\Repository\DocGeneratorTemplateRepository; use Chill\DocGeneratorBundle\Repository\DocGeneratorTemplateRepository;
use Chill\MainBundle\Entity\User; use Chill\MainBundle\Entity\User;
use Chill\MainBundle\Pagination\PaginatorFactory; use Chill\MainBundle\Pagination\PaginatorFactory;
@ -146,6 +147,8 @@ class CalendarController extends AbstractController
*/ */
public function editAction(Calendar $entity, Request $request): Response public function editAction(Calendar $entity, Request $request): Response
{ {
$this->denyAccessUnlessGranted(CalendarVoter::EDIT, $entity);
if (!$this->remoteCalendarConnector->isReady()) { if (!$this->remoteCalendarConnector->isReady()) {
return $this->remoteCalendarConnector->getMakeReadyResponse($request->getUri()); return $this->remoteCalendarConnector->getMakeReadyResponse($request->getUri());
} }
@ -207,6 +210,8 @@ class CalendarController extends AbstractController
*/ */
public function listActionByCourse(AccompanyingPeriod $accompanyingPeriod): Response public function listActionByCourse(AccompanyingPeriod $accompanyingPeriod): Response
{ {
$this->denyAccessUnlessGranted(CalendarVoter::SEE, $accompanyingPeriod);
$filterOrder = $this->buildListFilterOrder(); $filterOrder = $this->buildListFilterOrder();
['from' => $from, 'to' => $to] = $filterOrder->getDateRangeData('startDate'); ['from' => $from, 'to' => $to] = $filterOrder->getDateRangeData('startDate');
@ -239,6 +244,8 @@ class CalendarController extends AbstractController
*/ */
public function listActionByPerson(Person $person): Response public function listActionByPerson(Person $person): Response
{ {
$this->denyAccessUnlessGranted(CalendarVoter::SEE, $person);
$filterOrder = $this->buildListFilterOrder(); $filterOrder = $this->buildListFilterOrder();
['from' => $from, 'to' => $to] = $filterOrder->getDateRangeData('startDate'); ['from' => $from, 'to' => $to] = $filterOrder->getDateRangeData('startDate');
@ -308,7 +315,7 @@ class CalendarController extends AbstractController
$view = '@ChillCalendar/Calendar/newByAccompanyingCourse.html.twig'; $view = '@ChillCalendar/Calendar/newByAccompanyingCourse.html.twig';
$entity->setAccompanyingPeriod($accompanyingPeriod); $entity->setAccompanyingPeriod($accompanyingPeriod);
$redirectRoute = $this->generateUrl('chill_calendar_calendar_list_by_period', ['id' => $accompanyingPeriod->getId()]); $redirectRoute = $this->generateUrl('chill_calendar_calendar_list_by_period', ['id' => $accompanyingPeriod->getId()]);
} elseif ($person) { } elseif (null !== $person) {
$view = '@ChillCalendar/Calendar/newByPerson.html.twig'; $view = '@ChillCalendar/Calendar/newByPerson.html.twig';
$entity->setPerson($person)->addPerson($person); $entity->setPerson($person)->addPerson($person);
$redirectRoute = $this->generateUrl('chill_calendar_calendar_list_by_person', ['id' => $person->getId()]); $redirectRoute = $this->generateUrl('chill_calendar_calendar_list_by_person', ['id' => $person->getId()]);
@ -318,6 +325,8 @@ class CalendarController extends AbstractController
$entity->setMainUser($this->userRepository->find($request->query->getInt('mainUser'))); $entity->setMainUser($this->userRepository->find($request->query->getInt('mainUser')));
} }
$this->denyAccessUnlessGranted(CalendarVoter::CREATE, $entity);
$form = $this->createForm(CalendarType::class, $entity) $form = $this->createForm(CalendarType::class, $entity)
->add('save', SubmitType::class); ->add('save', SubmitType::class);
@ -437,6 +446,8 @@ class CalendarController extends AbstractController
*/ */
public function toActivity(Request $request, Calendar $calendar): RedirectResponse public function toActivity(Request $request, Calendar $calendar): RedirectResponse
{ {
$this->denyAccessUnlessGranted(CalendarVoter::SEE, $calendar);
$personsId = array_map( $personsId = array_map(
static fn (Person $p): int => $p->getId(), static fn (Person $p): int => $p->getId(),
$calendar->getPersons()->toArray() $calendar->getPersons()->toArray()

17
src/Bundle/ChillCalendarBundle/DependencyInjection/ChillCalendarExtension.php
View File

@ -11,6 +11,7 @@ declare(strict_types=1);
namespace Chill\CalendarBundle\DependencyInjection; namespace Chill\CalendarBundle\DependencyInjection;
use Chill\CalendarBundle\Security\Voter\CalendarVoter;
use Symfony\Component\Config\FileLocator; use Symfony\Component\Config\FileLocator;
use Symfony\Component\DependencyInjection\ContainerBuilder; use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface; use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
@ -52,9 +53,10 @@ class ChillCalendarExtension extends Extension implements PrependExtensionInterf
{ {
$this->preprendRoutes($container); $this->preprendRoutes($container);
$this->prependCruds($container); $this->prependCruds($container);
$this->prependRoleHierarchy($container);
} }
protected function prependCruds(ContainerBuilder $container) private function prependCruds(ContainerBuilder $container)
{ {
$container->prependExtensionConfig('chill_main', [ $container->prependExtensionConfig('chill_main', [
'cruds' => [ 'cruds' => [
@ -130,7 +132,18 @@ class ChillCalendarExtension extends Extension implements PrependExtensionInterf
]); ]);
} }
protected function preprendRoutes(ContainerBuilder $container) private function prependRoleHierarchy(ContainerBuilder $container): void
{
$container->prependExtensionConfig('security', [
'role_hierarchy' => [
CalendarVoter::CREATE => [CalendarVoter::SEE],
CalendarVoter::EDIT => [CalendarVoter::SEE],
CalendarVoter::DELETE => [CalendarVoter::SEE],
],
]);
}
private function preprendRoutes(ContainerBuilder $container)
{ {
$container->prependExtensionConfig('chill_main', [ $container->prependExtensionConfig('chill_main', [
'routing' => [ 'routing' => [

17
src/Bundle/ChillCalendarBundle/Entity/Calendar.php
View File

@ -18,6 +18,7 @@ use Chill\MainBundle\Doctrine\Model\TrackUpdateInterface;
use Chill\MainBundle\Doctrine\Model\TrackUpdateTrait; use Chill\MainBundle\Doctrine\Model\TrackUpdateTrait;
use Chill\MainBundle\Entity\Embeddable\CommentEmbeddable; use Chill\MainBundle\Entity\Embeddable\CommentEmbeddable;
use Chill\MainBundle\Entity\Embeddable\PrivateCommentEmbeddable; use Chill\MainBundle\Entity\Embeddable\PrivateCommentEmbeddable;
use Chill\MainBundle\Entity\HasCentersInterface;
use Chill\MainBundle\Entity\Location; use Chill\MainBundle\Entity\Location;
use Chill\MainBundle\Entity\User; use Chill\MainBundle\Entity\User;
use Chill\PersonBundle\Entity\AccompanyingPeriod; use Chill\PersonBundle\Entity\AccompanyingPeriod;
@ -48,7 +49,7 @@ use function in_array;
* "chill_calendar_calendar": Calendar::class * "chill_calendar_calendar": Calendar::class
* }) * })
*/ */
class Calendar implements TrackCreationInterface, TrackUpdateInterface class Calendar implements TrackCreationInterface, TrackUpdateInterface, HasCentersInterface
{ {
use RemoteCalendarTrait; use RemoteCalendarTrait;
@ -312,6 +313,20 @@ class Calendar implements TrackCreationInterface, TrackUpdateInterface
return $this->cancelReason; return $this->cancelReason;
} }
public function getCenters(): ?iterable
{
switch ($this->getContext()) {
case 'person':
return [$this->getPerson()->getCenter()];
case 'accompanying_period':
return $this->getAccompanyingPeriod()->getCenters();
default:
throw new LogicException('context not supported: ' . $this->getContext());
}
}
public function getComment(): CommentEmbeddable public function getComment(): CommentEmbeddable
{ {
return $this->comment; return $this->comment;

61
src/Bundle/ChillCalendarBundle/Security/Voter/CalendarDocVoter.php Normal file
View File

@ -0,0 +1,61 @@
<?php
declare(strict_types=1);
/*
* Chill is a software for social workers
*
* For the full copyright and license information, please view
* the LICENSE file that was distributed with this source code.
*/
namespace Chill\CalendarBundle\Security\Voter;
use Chill\CalendarBundle\Entity\CalendarDoc;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Security;
use UnexpectedValueException;
use function in_array;
class CalendarDocVoter extends Voter
{
public const EDIT = 'CHILL_CALENDAR_DOC_EDIT';
public const SEE = 'CHILL_CALENDAR_DOC_SEE';
private const ALL = [
'CHILL_CALENDAR_DOC_EDIT',
'CHILL_CALENDAR_DOC_SEE',
];
private Security $security;
public function __construct(Security $security)
{
$this->security = $security;
}
protected function supports($attribute, $subject): bool
{
return in_array($attribute, self::ALL, true) && $subject instanceof CalendarDoc;
}
/**
* @param CalendarDoc $subject
* @param mixed $attribute
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
{
switch ($attribute) {
case self::EDIT:
return $this->security->isGranted(CalendarVoter::EDIT, $subject->getCalendar());
case self::SEE:
return $this->security->isGranted(CalendarVoter::SEE, $subject->getCalendar());
default:
throw new UnexpectedValueException('Attribute not supported: ' . $attribute);
}
}
}

56
src/Bundle/ChillCalendarBundle/Security/Voter/CalendarVoter.php
View File

@ -20,13 +20,14 @@ namespace Chill\CalendarBundle\Security\Voter;
use Chill\CalendarBundle\Entity\Calendar; use Chill\CalendarBundle\Entity\Calendar;
use Chill\MainBundle\Security\Authorization\AbstractChillVoter; use Chill\MainBundle\Security\Authorization\AbstractChillVoter;
use Chill\MainBundle\Security\Authorization\AuthorizationHelperInterface;
use Chill\MainBundle\Security\Authorization\VoterHelperFactoryInterface; use Chill\MainBundle\Security\Authorization\VoterHelperFactoryInterface;
use Chill\MainBundle\Security\Authorization\VoterHelperInterface; use Chill\MainBundle\Security\Authorization\VoterHelperInterface;
use Chill\MainBundle\Security\ProvideRoleHierarchyInterface; use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
use Chill\MainBundle\Security\Resolver\CenterResolverManagerInterface;
use Chill\PersonBundle\Entity\AccompanyingPeriod; use Chill\PersonBundle\Entity\AccompanyingPeriod;
use Chill\PersonBundle\Entity\Person; use Chill\PersonBundle\Entity\Person;
use Chill\PersonBundle\Security\Authorization\AccompanyingPeriodVoter; use Chill\PersonBundle\Security\Authorization\AccompanyingPeriodVoter;
use Chill\PersonBundle\Security\Authorization\PersonVoter;
use LogicException; use LogicException;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Security; use Symfony\Component\Security\Core\Security;
@ -41,6 +42,10 @@ class CalendarVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn
public const SEE = 'CHILL_CALENDAR_CALENDAR_SEE'; public const SEE = 'CHILL_CALENDAR_CALENDAR_SEE';
private AuthorizationHelperInterface $authorizationHelper;
private CenterResolverManagerInterface $centerResolverManager;
private Security $security; private Security $security;
private VoterHelperInterface $voterHelper; private VoterHelperInterface $voterHelper;
@ -52,8 +57,8 @@ class CalendarVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn
$this->security = $security; $this->security = $security;
$this->voterHelper = $voterHelperFactory $this->voterHelper = $voterHelperFactory
->generate(self::class) ->generate(self::class)
->addCheckFor(AccompanyingPeriod::class, [self::SEE]) ->addCheckFor(AccompanyingPeriod::class, [self::SEE, self::CREATE])
->addCheckFor(Person::class, [self::SEE]) ->addCheckFor(Person::class, [self::SEE, self::CREATE])
->addCheckFor(Calendar::class, [self::SEE, self::CREATE, self::EDIT, self::DELETE]) ->addCheckFor(Calendar::class, [self::SEE, self::CREATE, self::EDIT, self::DELETE])
->build(); ->build();
} }
@ -93,48 +98,37 @@ class CalendarVoter extends AbstractChillVoter implements ProvideRoleHierarchyIn
if ($subject instanceof AccompanyingPeriod) { if ($subject instanceof AccompanyingPeriod) {
switch ($attribute) { switch ($attribute) {
case self::SEE: case self::SEE:
case self::CREATE:
if ($subject->getStep() === AccompanyingPeriod::STEP_DRAFT) { if ($subject->getStep() === AccompanyingPeriod::STEP_DRAFT) {
return false; return false;
} }
// we first check here that the user has read access to the period // we first check here that the user has read access to the period
return $this->security->isGranted(AccompanyingPeriodVoter::SEE, $subject); if (!$this->security->isGranted(AccompanyingPeriodVoter::SEE, $subject)) {
return false;
}
default: // There is no scope on Calendar, but there are some on accompanying period
throw new LogicException('subject not implemented'); // so, to ignore AccompanyingPeriod's scopes, we create a blank Calendar
// linked with an accompanying period.
return $this->voterHelper->voteOnAttribute($attribute, (new Calendar())->setAccompanyingPeriod($subject), $token);
} }
} elseif ($subject instanceof Person) { } elseif ($subject instanceof Person) {
switch ($attribute) { switch ($attribute) {
case self::SEE: case self::SEE:
return $this->security->isGranted(PersonVoter::SEE, $subject); case self::CREATE:
return $this->voterHelper->voteOnAttribute($attribute, $subject, $token);
default:
throw new LogicException('subject not implemented');
} }
} elseif ($subject instanceof Calendar) { } elseif ($subject instanceof Calendar) {
if (null !== $period = $subject->getAccompanyingPeriod()) { switch ($attribute) {
switch ($attribute) { case self::SEE:
case self::SEE: case self::EDIT:
case self::EDIT: case self::CREATE:
case self::CREATE: case self::DELETE:
return $this->security->isGranted(AccompanyingPeriodVoter::SEE, $period); return $this->voterHelper->voteOnAttribute($attribute, $subject, $token);
case self::DELETE:
return $this->security->isGranted(AccompanyingPeriodVoter::EDIT, $period);
}
} elseif (null !== $person = $subject->getPerson()) {
switch ($attribute) {
case self::SEE:
case self::EDIT:
case self::CREATE:
return $this->security->isGranted(PersonVoter::SEE, $person);
case self::DELETE:
return $this->security->isGranted(PersonVoter::UPDATE, $person);
}
} }
} }
throw new LogicException('attribute not implemented'); throw new LogicException('attribute or not implemented');
} }
} }

2
src/Bundle/ChillMainBundle/Security/Authorization/AuthorizationHelper.php
View File

@ -309,7 +309,7 @@ class AuthorizationHelper implements AuthorizationHelperInterface
if ($this->isRoleReached($attribute, $roleScope->getRole())) { if ($this->isRoleReached($attribute, $roleScope->getRole())) {
//if yes, we have a right on something... //if yes, we have a right on something...
// perform check on scope if necessary // perform check on scope if necessary
if ($this->scopeResolverDispatcher->isConcerned($entity)) { if ($this->scopeResolverDispatcher->isConcerned($entity)) {// here, we should also check that the role need a scope
$scope = $this->scopeResolverDispatcher->resolveScope($entity); $scope = $this->scopeResolverDispatcher->resolveScope($entity);
if (null === $scope) { if (null === $scope) {