From 7533cb3a71f863e11d18e66a553ae76cd2d72052 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?=
Date: Thu, 26 Jun 2025 12:35:53 +0200
Subject: [PATCH] Restrict `SHARE` action in `SavedExportVoter` to require `COMPOSE_EXPORT` permission.
---
 .../Security/Authorization/SavedExportVoter.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Bundle/ChillMainBundle/Security/Authorization/SavedExportVoter.php b/src/Bundle/ChillMainBundle/Security/Authorization/SavedExportVoter.php
index aaf8b8010..1e34fa1fa 100644
--- a/src/Bundle/ChillMainBundle/Security/Authorization/SavedExportVoter.php
+++ b/src/Bundle/ChillMainBundle/Security/Authorization/SavedExportVoter.php
@@ -55,7 +55,8 @@ final class SavedExportVoter extends Voter
 }
 return match ($attribute) {
- self::DELETE, self::EDIT, self::SHARE => $subject->getUser() === $token->getUser(),
+ self::DELETE, self::EDIT => $subject->getUser() === $token->getUser(),
+ self::SHARE => $subject->getUser() === $token->getUser() && $this->accessDecisionManager->decide($token, [ChillExportVoter::COMPOSE_EXPORT]),
 self::DUPLICATE => $this->accessDecisionManager->decide($token, [ChillExportVoter::COMPOSE_EXPORT]) && $this->accessDecisionManager->decide($token, [self::EDIT], $subject) ,
 self::GENERATE => $this->canUserGenerate($user, $subject),
 default => throw new \UnexpectedValueException('attribute not supported: '.$attribute),
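Review bot: The new `self::SHARE` arm tightens an authorization rule, but the diffstat shows only the voter changing, so no test pins the new behaviour. A voter test should cover an owner holding `COMPOSE_EXPORT` (granted), an owner without it (denied) and a non-owner holding it (denied). `self::EDIT` stays owner-only, so if the edit path can also change who a saved export is shared with (not visible in this hunk), it would need the same `COMPOSE_EXPORT` condition for the restriction to hold. The arm would also benefit from a why-comment such as `// owner only, and only while the owner may still compose exports`. The enclosing method starts and ends outside the hunk.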