fix some authorization check in menu

2025-06-07 18:44:08 +00:00 · 2022-03-25 13:11:03 +01:00 · 2022-03-25 13:11:03 +01:00 · d11eebefae
commit d11eebefae
parent b423821ae9
4 changed files with 43 additions and 11 deletions
--- a/src/Bundle/ChillCalendarBundle/Menu/AccompanyingCourseMenuBuilder.php
+++ b/src/Bundle/ChillCalendarBundle/Menu/AccompanyingCourseMenuBuilder.php
@ -41,12 +41,14 @@ class AccompanyingCourseMenuBuilder implements LocalMenuBuilderInterface
        $period = $parameters['accompanyingCourse'];

        if (AccompanyingPeriod::STEP_DRAFT !== $period->getStep()) {
+            /*
            $menu->addChild($this->translator->trans('Calendar'), [
                'route' => 'chill_calendar_calendar_list',
                'routeParameters' => [
                    'accompanying_period_id' => $period->getId(),
                ], ])
                ->setExtras(['order' => 35]);
+            */
        }
    }

--- a/src/Bundle/ChillPersonBundle/Menu/AccompanyingCourseMenuBuilder.php
+++ b/src/Bundle/ChillPersonBundle/Menu/AccompanyingCourseMenuBuilder.php
@ -96,15 +96,7 @@ class AccompanyingCourseMenuBuilder implements LocalMenuBuilderInterface

        $workflow = $this->registry->get($period, 'accompanying_period_lifecycle');

-        if (null !== $period->getClosingDate()) {
-            $menu->addChild($this->translator->trans('Re-open accompanying course'), [
-                'route' => 'chill_person_accompanying_course_reopen',
-                'routeParameters' => [
-                    'accompanying_period_id' => $period->getId(),
-                ], ])
-                ->setExtras(['order' => 99998]);
-        }
-
+        if ($this->security->isGranted(AccompanyingPeriodVoter::EDIT, $period)) {
            if ($workflow->can($period, 'close')) {
                $menu->addChild($this->translator->trans('Close Accompanying Course'), [
                    'route' => 'chill_person_accompanying_course_close',
@ -115,6 +107,18 @@ class AccompanyingCourseMenuBuilder implements LocalMenuBuilderInterface
            }
        }

+        if (null !== $period->getClosingDate()
+            && $this->security->isGranted(AccompanyingPeriodVoter::RE_OPEN_COURSE, $period)) {
+            $menu->addChild($this->translator->trans('Re-open accompanying course'), [
+                'route' => 'chill_person_accompanying_course_reopen',
+                'routeParameters' => [
+                    'accompanying_period_id' => $period->getId(),
+                ],])
+                ->setExtras(['order' => 99998]);
+        }
+
+    }
+
    public static function getMenuIds(): array
    {
        return ['accompanyingCourse'];
--- a/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
+++ b/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
@ -34,12 +34,23 @@ class AccompanyingPeriodVoter extends AbstractChillVoter implements ProvideRoleH
        self::FULL,
        self::TOGGLE_CONFIDENTIAL_ALL,
        self::TOGGLE_INTENSITY,
+        self::RE_OPEN_COURSE,
    ];

    public const CREATE = 'CHILL_PERSON_ACCOMPANYING_PERIOD_CREATE';

+    /**
+     * role to DELETE the course
+     *
+     * Will be true only for the creator, and if the course is still at DRAFT step.
+     */
    public const DELETE = 'CHILL_PERSON_ACCOMPANYING_PERIOD_DELETE';

+    /**
+     * role to EDIT the course.
+     *
+     * If the course is closed, it will be always false.
+     */
    public const EDIT = 'CHILL_PERSON_ACCOMPANYING_PERIOD_UPDATE';

    /**
@ -56,6 +67,14 @@ class AccompanyingPeriodVoter extends AbstractChillVoter implements ProvideRoleH
     */
    public const SEE_DETAILS = 'CHILL_PERSON_ACCOMPANYING_PERIOD_SEE_DETAILS';

+    /**
+     * Reopen a closed course.
+     *
+     * This forward to the EDIT role, without taking into account that the course
+     * is closed
+     */
+    public const RE_OPEN_COURSE = 'CHILL_PERSON_ACCOMPANYING_PERIOD_REOPEN';
+
    public const TOGGLE_CONFIDENTIAL = 'CHILL_PERSON_ACCOMPANYING_PERIOD_TOGGLE_CONFIDENTIAL';

    /**
@ -116,6 +135,10 @@ class AccompanyingPeriodVoter extends AbstractChillVoter implements ProvideRoleH
                if (in_array($attribute, [self::EDIT, self::DELETE], true)) {
                    return false;
                }
+
+                if (self::RE_OPEN_COURSE === $attribute) {
+                    return $this->voterHelper->voteOnAttribute(self::EDIT, $subject, $token);
+                }
            }

            if (AccompanyingPeriod::STEP_DRAFT === $subject->getStep()) {
--- a/src/Bundle/ChillTaskBundle/Menu/MenuBuilder.php
+++ b/src/Bundle/ChillTaskBundle/Menu/MenuBuilder.php
@ -12,6 +12,7 @@ declare(strict_types=1);
 namespace Chill\TaskBundle\Menu;

 use Chill\MainBundle\Routing\LocalMenuBuilderInterface;
+use Chill\PersonBundle\Entity\AccompanyingPeriod;
 use Chill\TaskBundle\Security\Authorization\TaskVoter;
 use Knp\Menu\MenuItem;
 use LogicException;
@ -40,9 +41,11 @@ class MenuBuilder implements LocalMenuBuilderInterface

    public function buildAccompanyingCourseMenu($menu, $parameters)
    {
+        /** @var AccompanyingPeriod $course */
        $course = $parameters['accompanyingCourse'];

-        if ($this->authorizationChecker->isGranted(TaskVoter::SHOW, $course)) {
+        if ($this->authorizationChecker->isGranted(TaskVoter::SHOW, $course)
+            && AccompanyingPeriod::STEP_DRAFT !== $course->getStep()) {
            $menu->addChild(
                $this->translator->trans('Tasks'),
                [