diff --git a/src/Bundle/ChillAsideActivityBundle/src/Tests/Chill/DocStoreBundle/Tests/Security/Guard/DavTokenAuthenticationEventSubscriberTest.php b/src/Bundle/ChillAsideActivityBundle/src/Tests/Chill/DocStoreBundle/Tests/Security/Guard/DavTokenAuthenticationEventSubscriberTest.php
new file mode 100644
index 000000000..03cea7d29
--- /dev/null
+++ b/src/Bundle/ChillAsideActivityBundle/src/Tests/Chill/DocStoreBundle/Tests/Security/Guard/DavTokenAuthenticationEventSubscriberTest.php
@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Tests\Security\Guard;
+
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+use Chill\DocStoreBundle\Security\Guard\DavTokenAuthenticationEventSubscriber;
+use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
+
+/**
+ * @internal
+ * @coversNothing
+ */
+class DavTokenAuthenticationEventSubscriberTest extends TestCase
+{
+    public function testOnJWTAuthenticatedWithDavDataInPayload(): void
+    {
+        $eventSubscriber = new DavTokenAuthenticationEventSubscriber();
+        $token = new class () extends AbstractToken {
+            public function getCredentials()
+            {
+                return null;
+            }
+        };
+        $event = new JWTAuthenticatedEvent([
+            'dav' => 1,
+            'so' => '1234',
+            'e' => 1,
+        ], $token);
+
+        $eventSubscriber->onJWTAuthenticated($event);
+
+        self::assertTrue($token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT));
+        self::assertTrue($token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS));
+        self::assertEquals('1234', $token->getAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT));
+        self::assertEquals(StoredObjectRoleEnum::EDIT, $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS));
+    }
+
+    public function testOnJWTAuthenticatedWithDavNoDataInPayload(): void
+    {
+        $eventSubscriber = new DavTokenAuthenticationEventSubscriber();
+        $token = new class () extends AbstractToken {
+            public function getCredentials()
+            {
+                return null;
+            }
+        };
+        $event = new JWTAuthenticatedEvent([], $token);
+
+        $eventSubscriber->onJWTAuthenticated($event);
+
+        self::assertFalse($token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT));
+        self::assertFalse($token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS));
+    }
+}
diff --git a/src/Bundle/ChillDocStoreBundle/Controller/WebdavController.php b/src/Bundle/ChillDocStoreBundle/Controller/WebdavController.php
index 8ef4ee71a..471aec99f 100644
--- a/src/Bundle/ChillDocStoreBundle/Controller/WebdavController.php
+++ b/src/Bundle/ChillDocStoreBundle/Controller/WebdavController.php
@@ -14,15 +14,16 @@ namespace Chill\DocStoreBundle\Controller;
 use Chill\DocStoreBundle\Dav\Request\PropfindRequestAnalyzer;
 use Chill\DocStoreBundle\Dav\Response\DavResponse;
 use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+use Chill\DocStoreBundle\Security\Guard\JWTDavTokenProviderInterface;
 use Chill\DocStoreBundle\Service\StoredObjectManagerInterface;
 use DateTimeInterface;
-use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Security\Core\Security;
-use Symfony\Component\Templating\EngineInterface;
 
 final readonly class WebdavController
 {
@@ -31,8 +32,8 @@ final readonly class WebdavController
     public function __construct(
         private \Twig\Environment $engine,
         private StoredObjectManagerInterface $storedObjectManager,
-        private Security $security,
-        private ?JWTTokenManagerInterface $JWTTokenManager = null,
+        private Security  $security,
+        private ?JWTDavTokenProviderInterface $davTokenProvider = null,
     ) {
         $this->requestAnalyzer = new PropfindRequestAnalyzer();
     }
@@ -42,12 +43,7 @@ final readonly class WebdavController
      */
     public function open(StoredObject $storedObject): Response
     {
-        $accessToken = $this->JWTTokenManager?->createFromPayload($this->security->getUser(), [
-            'UserCanWrite' => true,
-            'UserCanAttend' => true,
-            'UserCanPresent' => true,
-            'fileId' => $storedObject->getUuid(),
-        ]);
+        $accessToken = $this->davTokenProvider?->createToken($storedObject, StoredObjectRoleEnum::EDIT);
 
         return new DavResponse($this->engine->render('@ChillDocStore/Webdav/open_in_browser.html.twig', [
             'stored_object' => $storedObject, 'access_token' => $accessToken,
@@ -59,6 +55,10 @@ final readonly class WebdavController
      */
     public function getDirectory(StoredObject $storedObject, string $access_token): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         return new DavResponse(
             $this->engine->render('@ChillDocStore/Webdav/directory.html.twig', [
                 'stored_object' => $storedObject,
@@ -72,11 +72,16 @@ final readonly class WebdavController
      */
     public function optionsDirectory(StoredObject $storedObject): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         $response = (new DavResponse(""))
             ->setEtag($this->storedObjectManager->etag($storedObject))
         ;
 
-        $response->headers->add(['Allow' =>  'OPTIONS,GET,HEAD,DELETE,PROPFIND,PUT,PROPPATCH,COPY,MOVE,REPORT,PATCH,POST,TRACE']);
+        //$response->headers->add(['Allow' =>  'OPTIONS,GET,HEAD,DELETE,PROPFIND,PUT,PROPPATCH,COPY,MOVE,REPORT,PATCH,POST,TRACE']);
+        $response->headers->add(['Allow' =>  'OPTIONS,GET,HEAD,DELETE,PROPFIND,PUT']);
 
         return $response;
     }
@@ -86,6 +91,10 @@ final readonly class WebdavController
      */
     public function propfindDirectory(StoredObject $storedObject, string $access_token, Request $request): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         $depth = $request->headers->get('depth');
 
         if ("0" !== $depth && "1" !== $depth) {
@@ -119,6 +128,10 @@ final readonly class WebdavController
      */
     public function getDocument(StoredObject $storedObject): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         return (new DavResponse($this->storedObjectManager->read($storedObject)))
             ->setEtag($this->storedObjectManager->etag($storedObject));
     }
@@ -128,6 +141,10 @@ final readonly class WebdavController
      */
     public function headDocument(StoredObject $storedObject): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         $response = new DavResponse("");
 
         $response->headers->add(
@@ -146,19 +163,15 @@ final readonly class WebdavController
      */
     public function optionsDocument(StoredObject $storedObject): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         $response = (new DavResponse(""))
             ->setEtag($this->storedObjectManager->etag($storedObject))
         ;
 
-        $response->headers->add(['Allow' =>  /*sprintf(
-            '%s, %s, %s, %s, %s',
-            Request::METHOD_OPTIONS,
-            Request::METHOD_GET,
-            Request::METHOD_HEAD,
-            Request::METHOD_PUT,
-            'PROPFIND'
-        ) */ 'OPTIONS,GET,HEAD,DELETE,PROPFIND,PUT,PROPPATCH,COPY,MOVE,REPORT,PATCH,POST,TRACE'
-        ]);
+        $response->headers->add(['Allow' =>  'OPTIONS,GET,HEAD,DELETE,PROPFIND,PUT']);
 
         return $response;
     }
@@ -168,6 +181,10 @@ final readonly class WebdavController
      */
     public function propfindDocument(StoredObject $storedObject, string $access_token, Request $request): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         [$properties, $lastModified, $etag, $length] = $this->parseDavRequest($request->getContent(), $storedObject);
 
         $response = new DavResponse(
@@ -198,6 +215,10 @@ final readonly class WebdavController
      */
     public function putDocument(StoredObject $storedObject, Request $request): Response
     {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::EDIT->value, $storedObject)) {
+            throw new AccessDeniedHttpException();
+        }
+
         $this->storedObjectManager->write($storedObject, $request->getContent());
 
         return (new DavResponse("", Response::HTTP_NO_CONTENT));
diff --git a/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectRoleEnum.php b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectRoleEnum.php
new file mode 100644
index 000000000..6a5a22da0
--- /dev/null
+++ b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectRoleEnum.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Authorization;
+
+enum StoredObjectRoleEnum: string
+{
+    case SEE = 'SEE';
+
+    case EDIT = 'SEE_AND_EDIT';
+}
diff --git a/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php
new file mode 100644
index 000000000..55c9b3ca1
--- /dev/null
+++ b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php
@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Authorization;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Guard\DavTokenAuthenticationEventSubscriber;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+class StoredObjectVoter extends Voter
+{
+    protected function supports($attribute, $subject): bool
+    {
+        return StoredObjectRoleEnum::tryFrom($attribute) instanceof StoredObjectRoleEnum
+            && $subject instanceof StoredObject;
+    }
+
+    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
+    {
+        /** @var StoredObject $subject */
+        if (
+            !$token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
+            ||
+            $subject->getUuid()->toString() !== $token->getAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
+        ) {
+            return false;
+        }
+
+        if (!$token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)) {
+            return false;
+        }
+
+        $askedRole = StoredObjectRoleEnum::from($attribute);
+        $tokenRoleAuthorization =
+            $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS);
+
+        return match ($askedRole) {
+            StoredObjectRoleEnum::SEE =>
+                $tokenRoleAuthorization === StoredObjectRoleEnum::EDIT || $tokenRoleAuthorization === StoredObjectRoleEnum::SEE,
+            StoredObjectRoleEnum::EDIT => $tokenRoleAuthorization === StoredObjectRoleEnum::EDIT
+        };
+    }
+}
diff --git a/src/Bundle/ChillDocStoreBundle/Security/Guard/DavTokenAuthenticationEventSubscriber.php b/src/Bundle/ChillDocStoreBundle/Security/Guard/DavTokenAuthenticationEventSubscriber.php
new file mode 100644
index 000000000..3c1b3e2a9
--- /dev/null
+++ b/src/Bundle/ChillDocStoreBundle/Security/Guard/DavTokenAuthenticationEventSubscriber.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
+use Lexik\Bundle\JWTAuthenticationBundle\Events;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+class DavTokenAuthenticationEventSubscriber implements EventSubscriberInterface
+{
+    final public const STORED_OBJECT = 'stored_object';
+    final public const ACTIONS = 'stored_objects_actions';
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            Events::JWT_AUTHENTICATED => ['onJWTAuthenticated', 0],
+        ];
+    }
+
+    public function onJWTAuthenticated(JWTAuthenticatedEvent $event): void
+    {
+        $payload = $event->getPayload();
+
+        if (!(array_key_exists('dav', $payload) && 1 === $payload['dav'])) {
+            return;
+        }
+
+        $token = $event->getToken();
+        $token->setAttribute(self::ACTIONS, match ($payload['e']) {
+            0 => StoredObjectRoleEnum::SEE,
+            1 => StoredObjectRoleEnum::EDIT,
+            default => throw new \UnexpectedValueException("unsupported value for e parameter")
+        });
+
+        $token->setAttribute(self::STORED_OBJECT, $payload['so']);
+    }
+
+
+}
diff --git a/src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProvider.php b/src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProvider.php
new file mode 100644
index 000000000..30b25dd0b
--- /dev/null
+++ b/src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProvider.php
@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
+use Symfony\Component\Security\Core\Security;
+
+/**
+ * Provide a JWT Token which will be valid for viewing or editing a document
+ */
+final readonly class JWTDavTokenProvider implements JWTDavTokenProviderInterface
+{
+    public function __construct(
+        private JWTTokenManagerInterface $JWTTokenManager,
+        private Security $security,
+    ) {}
+
+    public function createToken(StoredObject $storedObject, StoredObjectRoleEnum $roleEnum): string
+    {
+        return $this->JWTTokenManager->createFromPayload($this->security->getUser(), [
+            'dav' => 1,
+            'e' => match ($roleEnum) {
+                StoredObjectRoleEnum::SEE => 0,
+                StoredObjectRoleEnum::EDIT => 1,
+            },
+            'so' => $storedObject->getUuid(),
+        ]);
+    }
+
+}
diff --git a/src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProviderInterface.php b/src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProviderInterface.php
new file mode 100644
index 000000000..6be91a39c
--- /dev/null
+++ b/src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProviderInterface.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+
+/**
+ * Provide a JWT Token which will be valid for viewing or editing a document
+ */
+interface JWTDavTokenProviderInterface
+{
+    public function createToken(StoredObject $storedObject, StoredObjectRoleEnum $roleEnum): string;
+}
diff --git a/src/Bundle/ChillDocStoreBundle/Tests/Controller/WebdavControllerTest.php b/src/Bundle/ChillDocStoreBundle/Tests/Controller/WebdavControllerTest.php
index 9064d8419..93d4d85e8 100644
--- a/src/Bundle/ChillDocStoreBundle/Tests/Controller/WebdavControllerTest.php
+++ b/src/Bundle/ChillDocStoreBundle/Tests/Controller/WebdavControllerTest.php
@@ -45,6 +45,8 @@ class WebdavControllerTest extends KernelTestCase
     {
         $storedObjectManager = new MockedStoredObjectManager();
         $security = $this->prophesize(Security::class);
+        $security->isGranted(Argument::in(['EDIT', 'SEE']), Argument::type(StoredObject::class))
+            ->willReturn(true);
 
         return new WebdavController($this->engine, $storedObjectManager, $security->reveal());
     }
@@ -83,7 +85,7 @@ class WebdavControllerTest extends KernelTestCase
         self::assertEquals(200, $response->getStatusCode());
         self::assertContains('allow', $response->headers->keys());
 
-        foreach (explode(',', 'OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,PUT') as $method) {
+        foreach (explode(',', 'OPTIONS,GET,HEAD,PROPFIND') as $method) {
             self::assertStringContainsString($method, $response->headers->get('allow'));
         }
 
@@ -100,7 +102,7 @@ class WebdavControllerTest extends KernelTestCase
         self::assertEquals(200, $response->getStatusCode());
         self::assertContains('allow', $response->headers->keys());
 
-        foreach (explode(',', 'OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,PUT') as $method) {
+        foreach (explode(',', 'OPTIONS,GET,HEAD,PROPFIND') as $method) {
             self::assertStringContainsString($method, $response->headers->get('allow'));
         }
 
diff --git a/src/Bundle/ChillDocStoreBundle/Tests/Security/Authorization/StoredObjectVoterTest.php b/src/Bundle/ChillDocStoreBundle/Tests/Security/Authorization/StoredObjectVoterTest.php
new file mode 100644
index 000000000..c4518586f
--- /dev/null
+++ b/src/Bundle/ChillDocStoreBundle/Tests/Security/Authorization/StoredObjectVoterTest.php
@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Tests\Security\Authorization;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectVoter;
+use Chill\DocStoreBundle\Security\Guard\DavTokenAuthenticationEventSubscriber;
+use PHPUnit\Framework\TestCase;
+use Prophecy\PhpUnit\ProphecyTrait;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * @internal
+ * @coversNothing
+ */
+class StoredObjectVoterTest extends TestCase
+{
+    use ProphecyTrait;
+
+    /**
+     * @dataProvider provideDataVote
+     */
+    public function testVote(TokenInterface $token, object|null $subject, string $attribute, mixed $expected): void
+    {
+        $voter = new StoredObjectVoter();
+
+        self::assertEquals($expected, $voter->vote($token, $subject, [$attribute]));
+    }
+
+    public function provideDataVote(): iterable
+    {
+        yield [
+            $this->buildToken(StoredObjectRoleEnum::EDIT, new StoredObject()),
+            new \stdClass(),
+            'SOMETHING',
+            VoterInterface::ACCESS_ABSTAIN
+        ];
+
+        yield [
+            $this->buildToken(StoredObjectRoleEnum::EDIT, $so = new StoredObject()),
+            $so,
+            'SOMETHING',
+            VoterInterface::ACCESS_ABSTAIN
+        ];
+
+        yield [
+            $this->buildToken(StoredObjectRoleEnum::EDIT, $so = new StoredObject()),
+            $so,
+            StoredObjectRoleEnum::SEE->value,
+            VoterInterface::ACCESS_GRANTED
+        ];
+
+        yield [
+            $this->buildToken(StoredObjectRoleEnum::EDIT, $so = new StoredObject()),
+            $so,
+            StoredObjectRoleEnum::EDIT->value,
+            VoterInterface::ACCESS_GRANTED
+        ];
+
+        yield [
+            $this->buildToken(StoredObjectRoleEnum::SEE, $so = new StoredObject()),
+            $so,
+            StoredObjectRoleEnum::EDIT->value,
+            VoterInterface::ACCESS_DENIED,
+        ];
+
+        yield [
+            $this->buildToken(StoredObjectRoleEnum::SEE, $so = new StoredObject()),
+            $so,
+            StoredObjectRoleEnum::SEE->value,
+            VoterInterface::ACCESS_GRANTED
+        ];
+
+        yield [
+            $this->buildToken(null, null),
+            new StoredObject(),
+            StoredObjectRoleEnum::SEE->value,
+            VoterInterface::ACCESS_DENIED,
+        ];
+
+        yield [
+            $this->buildToken(null, null),
+            new StoredObject(),
+            StoredObjectRoleEnum::SEE->value,
+            VoterInterface::ACCESS_DENIED,
+        ];
+    }
+
+
+    private function buildToken(?StoredObjectRoleEnum $storedObjectRoleEnum = null, ?StoredObject $storedObject = null): TokenInterface
+    {
+        $token = $this->prophesize(TokenInterface::class);
+
+        if (null !== $storedObjectRoleEnum) {
+            $token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)->willReturn(true);
+            $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)->willReturn($storedObjectRoleEnum);
+        } else {
+            $token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)->willReturn(false);
+            $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)->willThrow(new \InvalidArgumentException());
+        }
+
+
+        if (null !== $storedObject) {
+            $token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)->willReturn(true);
+            $token->getAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)->willReturn($storedObject->getUuid()->toString());
+        } else {
+            $token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)->willReturn(false);
+            $token->getAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)->willThrow(new \InvalidArgumentException());
+        }
+
+        return $token->reveal();
+    }
+}