From aad10cc61f7d3c8b099d3a56690bcb8a2909baba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?=
Date: Wed, 13 Nov 2024 22:41:30 +0100
Subject: [PATCH] Add workflow permission check to StoredObjectVoter

This commit introduces logic to grant permissions based on workflow conditions in the `AbstractStoredObjectVoter`. It also includes a new test case to ensure the workflow-based permission check functions correctly.
---
 .../AbstractStoredObjectVoter.php | 5 +++++
 .../AbstractStoredObjectVoterTest.php | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter/AbstractStoredObjectVoter.php b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter/AbstractStoredObjectVoter.php
index 1b9378e72..f8713f2dc 100644
--- a/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter/AbstractStoredObjectVoter.php
+++ b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter/AbstractStoredObjectVoter.php
@@ -49,6 +49,11 @@ abstract class AbstractStoredObjectVoter implements StoredObjectVoterInterface
 // Retrieve the related accompanying course document
 $entity = $this->getRepository()->findAssociatedEntityToStoredObject($subject);
+ if ($this->workflowDocumentService->isAllowedByWorkflow($entity)) {
+ // read and write permissions are granted by workflow
+ return true;
+ }
+
 // Determine the attribute to pass to AccompanyingCourseDocumentVoter
 $voterAttribute = $this->attributeToRole($attribute);
diff --git a/src/Bundle/ChillDocStoreBundle/Tests/Security/Authorization/AbstractStoredObjectVoterTest.php b/src/Bundle/ChillDocStoreBundle/Tests/Security/Authorization/AbstractStoredObjectVoterTest.php
index 6fbb9c2e4..0090496db 100644
--- a/src/Bundle/ChillDocStoreBundle/Tests/Security/Authorization/AbstractStoredObjectVoterTest.php
+++ b/src/Bundle/ChillDocStoreBundle/Tests/Security/Authorization/AbstractStoredObjectVoterTest.php
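Review bot: The added early `return true` in `AbstractStoredObjectVoter` grants access for every `$attribute` and runs before the role check that begins at `attributeToRole()`, so a positive answer from `isAllowedByWorkflow($entity)` bypasses the regular voter entirely. The call receives neither `$attribute` nor `$token`; if the helper resolves the user from ambient security state (its body is not visible here), a vote taken for a token other than the current one could be answered for the wrong user. I would make the scope explicit where the grant happens, for example by replacing the comment with `// Workflow grant deliberately skips the role check below; it must stay limited to read and edit.` and guarding on the attribute if further cases are ever added to `StoredObjectRoleEnum`. If `findAssociatedEntityToStoredObject()` can return null, the condition should start with `null !== $entity &&`. The enclosing method starts and ends outside this hunk.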
@@ -99,6 +99,25 @@ class AbstractStoredObjectVoterTest extends TestCase
 $this->workflowDocumentService->method('notBlockedByWorkflow')->willReturn($workflowAllowed);
 }
+ public function testIsAllowedByWorkflow(): void
+ {
+ [$user, $token, $subject, $entity] = $this->setupMockObjects();
+ $workflowRelatedEntityPermissionHelper = $this->createMock(WorkflowRelatedEntityPermissionHelper::class);
+ $workflowRelatedEntityPermissionHelper->method('isAllowedByWorkflow')->withAnyParameters()->willReturn(true);
+
+ $associatedObjectRepository = $this->createMock(AssociatedEntityToStoredObjectInterface::class);
+ $associatedObjectRepository->method('findAssociatedEntityToStoredObject')->willReturn($entity);
+
+ $voter = $this->buildStoredObjectVoter(
+ true,
+ $associatedObjectRepository,
+ $this->createMock(Security::class),
+ $workflowRelatedEntityPermissionHelper
+ );
+
+ self::assertTrue($voter->voteOnAttribute(StoredObjectRoleEnum::EDIT, $subject, $token));
+ }
+
 public function testSupportsOnAttribute(): void
 {
 [$user, $token, $subject, $entity] = $this->setupMockObjects();
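Review bot: Only the granting path is covered: `testIsAllowedByWorkflow` stubs `isAllowedByWorkflow` to `true` with `withAnyParameters()` and passes an unconfigured `Security` mock, so nothing shows that a `false` answer from the helper falls through to the role check and ends in a denial. For an authorization shortcut the negative case is the one worth pinning; add a sibling test in which the helper returns `false` and `Security::isGranted` returns `false`, and assert `self::assertFalse(...)` on the same `voteOnAttribute` call. The stub can also pin what is being decided with `$workflowRelatedEntityPermissionHelper->expects(self::once())->method('isAllowedByWorkflow')->with($entity)->willReturn(true);`. `$user` from `setupMockObjects()` is unused in the new test.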