Dav: Introduce access control inside de dav controller

2025-08-27 01:53:49 +00:00 · 2023-09-15 22:21:56 +02:00
parent 3fe870ba71
commit a57e6c0cc9
9 changed files with 419 additions and 22 deletions
--- a/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectRoleEnum.php
+++ b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectRoleEnum.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Authorization;
+
+enum StoredObjectRoleEnum: string
+{
+    case SEE = 'SEE';
+
+    case EDIT = 'SEE_AND_EDIT';
+}
--- a/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php
+++ b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php
@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Authorization;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Guard\DavTokenAuthenticationEventSubscriber;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+class StoredObjectVoter extends Voter
+{
+    protected function supports($attribute, $subject): bool
+    {
+        return StoredObjectRoleEnum::tryFrom($attribute) instanceof StoredObjectRoleEnum
+            && $subject instanceof StoredObject;
+    }
+
+    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
+    {
+        /** @var StoredObject $subject */
+        if (
+            !$token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
+            ||
+            $subject->getUuid()->toString() !== $token->getAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
+        ) {
+            return false;
+        }
+
+        if (!$token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)) {
+            return false;
+        }
+
+        $askedRole = StoredObjectRoleEnum::from($attribute);
+        $tokenRoleAuthorization =
+            $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS);
+
+        return match ($askedRole) {
+            StoredObjectRoleEnum::SEE =>
+                $tokenRoleAuthorization === StoredObjectRoleEnum::EDIT || $tokenRoleAuthorization === StoredObjectRoleEnum::SEE,
+            StoredObjectRoleEnum::EDIT => $tokenRoleAuthorization === StoredObjectRoleEnum::EDIT
+        };
+    }
+}