sf4 deprecations: new supports and voteOnAttribute methods implemented in PersonDocumentVoter

Resources/config/services.yml

@@ -18,7 +18,9 @@ services:
     Chill\DocStoreBundle\Security\Authorization\PersonDocumentVoter:
         class: Chill\DocStoreBundle\Security\Authorization\PersonDocumentVoter
         arguments:
+            - "@security.access.decision_manager"
             - "@chill.main.security.authorization.helper"
+            - "@logger"
         tags:
             - { name: security.voter }
             - { name: chill.role }

Security/Authorization/PersonDocumentVoter.php

@@ -24,6 +24,12 @@ use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
 use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
 use Chill\DocStoreBundle\Entity\PersonDocument;
 use Chill\PersonBundle\Entity\Person;
+use Chill\MainBundle\Entity\User;
+use Chill\PersonBundle\Security\Authorization\PersonVoter;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Role\Role;
+use Psr\Log\LoggerInterface;
 
 /**
  *
@@ -37,16 +43,31 @@ class PersonDocumentVoter extends AbstractChillVoter implements ProvideRoleHiera
     const DELETE = 'CHILL_PERSON_DOCUMENT_DELETE';
 
     /**
-     *
      * @var AuthorizationHelper
      */
-    protected $helper;
+    protected $authorizationHelper;
 
-    public function __construct(AuthorizationHelper $helper)
+    /**
+     * @var AccessDecisionManagerInterface
+     */
+    protected $accessDecisionManager;
+
+    /**
+     * @var LoggerInterface
+     */
+    protected $logger;
+
+    public function __construct(
+        AccessDecisionManagerInterface $accessDecisionManager,
+        AuthorizationHelper $authorizationHelper,
+        LoggerInterface $logger
+    )
     {
-        $this->helper = $helper;
+        $this->accessDecisionManager = $accessDecisionManager;
+        $this->authorizationHelper = $authorizationHelper;
+        $this->logger = $logger;
     }
-    
+
     public function getRoles()
     {
         return [
@@ -71,9 +92,51 @@ class PersonDocumentVoter extends AbstractChillVoter implements ProvideRoleHiera
         return false;
     }
 
+    /**
+     *
+     * @param string $attribute
+     * @param PersonDocument $subject
+     * @param TokenInterface $token
+     * @return boolean
+     */
+    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
+    {
+        $this->logger->debug(sprintf("Voting from %s class", self::class));
+
+        if (!$token->getUser() instanceof User) {
+            return false;
+        }
+
+        if ($subject instanceof PersonDocument) {
+            return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
+
+        } elseif ($subject instanceof Person) {
+            return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
+
+        } else {
+
+            // subject is null. We check that at least one center is reachable
+            $centers = $this->authorizationHelper
+                ->getReachableCenters($token->getUser(), new Role($attribute));
+
+            return count($centers) > 0;
+        }
+
+        if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $person)) {
+            return false;
+        }
+
+        return $this->authorizationHelper->userHasAccess(
+            $token->getUser(),
+            $subject,
+            $attribute
+        );
+
+    }
+
     protected function isGranted($attribute, $report, $user = null)
     {
-        if (! $user instanceof \Chill\MainBundle\Entity\User){
+        if (! $user instanceof User){
             return false;
         }