adaptations for acl with tasks

2025-08-29 11:03:50 +00:00 · 2021-10-26 18:05:06 +02:00
parent bae06fcc9c
commit 965ea528e3
22 changed files with 371 additions and 298 deletions
--- a/src/Bundle/ChillTaskBundle/Security/Authorization/TaskVoter.php
+++ b/src/Bundle/ChillTaskBundle/Security/Authorization/TaskVoter.php
@@ -65,7 +65,9 @@ final class TaskVoter extends AbstractChillVoter implements ProvideRoleHierarchy

    protected VoterHelperInterface $voter;

+
    public function __construct(
+        VoterHelperFactoryInterface $voterHelperFactory,
        AccessDecisionManagerInterface $accessDecisionManager,
        AuthorizationHelper $authorizationHelper,
        EventDispatcherInterface $eventDispatcher,
@@ -82,7 +84,8 @@ final class TaskVoter extends AbstractChillVoter implements ProvideRoleHierarchy
        $this->voter = $voterFactory
            ->generate(AbstractTask::class)
            ->addCheckFor(AbstractTask::class, self::ROLES)
-            ->addCheckFor(Person::class, [self::SHOW])
+            ->addCheckFor(Person::class, [self::SHOW, self::CREATE])
+            ->addCheckFor(AccompanyingPeriod::class, [self::SHOW, self::CREATE])
            ->addCheckFor(null, [self::SHOW])
            ->build()
            ;
@@ -91,14 +94,6 @@ final class TaskVoter extends AbstractChillVoter implements ProvideRoleHierarchy
    public function supports($attribute, $subject)
    {
        return $this->voter->supports($attribute, $subject);
-       /*
-        return ($subject instanceof AbstractTask && in_array($attribute, self::ROLES))
-            ||
-            ($subject instanceof Person && \in_array($attribute, [ self::CREATE, self::SHOW ]))
-            ||
-            (NULL === $subject && $attribute === self::SHOW )
-            ;
-       */
    }

    /**
@@ -134,19 +129,26 @@ final class TaskVoter extends AbstractChillVoter implements ProvideRoleHierarchy
        // do pre-flight check, relying on other decision manager
        // those pre-flight check concern associated entities
        if ($subject instanceof AbstractTask) {
+            // a user can always see his own tasks
+            if ($subject->getAssignee() === $token->getUser()) {
+                return true;
+            }
+
            if (NULL !== $person = $subject->getPerson()) {
                if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $person)) {
                    return false;
                }
-            } elseif (false) {
-                // here will come the test if the task is associated to an accompanying course
+            } elseif (NULL !== $period = $subject->getCourse()) {
+                if (!$this->accessDecisionManager->decide($token, [AccompanyingPeriodVoter::SEE], $period)) {
+                    return false;
+                }
            }
        }

        // do regular check.
        return $this->voter->voteOnAttribute($attribute, $subject, $token);

-       
+
        if ($subject instanceof AbstractTask) {
            $associated = $subject->getPerson() ?? $subject->getCourse();
            if ($associated === null) {
@@ -179,7 +181,7 @@ final class TaskVoter extends AbstractChillVoter implements ProvideRoleHierarchy
            $subject,
            $attribute
            );
-       
+
    }

    public function getRoles()