From d7cdeaa28e62ee5875c1e5da5d9e03fd495ea451 Mon Sep 17 00:00:00 2001
From: nobohan
Date: Thu, 23 Jul 2020 14:55:44 +0200
Subject: [PATCH] sf4 deprecations: new supports and voteOnAttribute methods implemented in PersonDocumentVoter
---
 Resources/config/services.yml | 2 +
 .../Authorization/PersonDocumentVoter.php | 75 +++++++++++++++++--
 2 files changed, 71 insertions(+), 6 deletions(-)
diff --git a/Resources/config/services.yml b/Resources/config/services.yml
index 4439c8dbb..79aa64ffa 100644
--- a/Resources/config/services.yml
+++ b/Resources/config/services.yml
@@ -18,7 +18,9 @@ services:
 Chill\DocStoreBundle\Security\Authorization\PersonDocumentVoter:
 class: Chill\DocStoreBundle\Security\Authorization\PersonDocumentVoter
 arguments:
+ - "@security.access.decision_manager"
 - "@chill.main.security.authorization.helper"
+ - "@logger"
 tags:
 - { name: security.voter }
 - { name: chill.role }
diff --git a/Security/Authorization/PersonDocumentVoter.php b/Security/Authorization/PersonDocumentVoter.php
index 47bfed38b..78429b439 100644
--- a/Security/Authorization/PersonDocumentVoter.php
+++ b/Security/Authorization/PersonDocumentVoter.php
@@ -24,6 +24,12 @@ use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
 use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
 use Chill\DocStoreBundle\Entity\PersonDocument;
 use Chill\PersonBundle\Entity\Person;
+use Chill\MainBundle\Entity\User;
+use Chill\PersonBundle\Security\Authorization\PersonVoter;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Role\Role;
+use Psr\Log\LoggerInterface;
 /**
 *
@@ -37,16 +43,31 @@ class PersonDocumentVoter extends AbstractChillVoter implements ProvideRoleHiera
 const DELETE = 'CHILL_PERSON_DOCUMENT_DELETE';
 /**
- *
 * @var AuthorizationHelper
 */
- protected $helper;
+ protected $authorizationHelper;
- public function __construct(AuthorizationHelper $helper)
+ /**
+ * @var AccessDecisionManagerInterface
+ */
+ protected $accessDecisionManager;
+
+ /**
+ * @var LoggerInterface
+ */
+ protected $logger;
+
+ public function __construct(
+ AccessDecisionManagerInterface $accessDecisionManager,
+ AuthorizationHelper $authorizationHelper,
+ LoggerInterface $logger
+ )
 {
- $this->helper = $helper;
+ $this->accessDecisionManager = $accessDecisionManager;
+ $this->authorizationHelper = $authorizationHelper;
+ $this->logger = $logger;
 }
-
+
 public function getRoles()
 {
 return [
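Review bot: The `$helper` property is renamed to `$authorizationHelper` and the constructor's positional order changes (decision manager first), but only the constructor body is updated in this hunk; `isGranted()`, whose body runs past the end of the last hunk, presumably still reads `$this->helper`, which would now be an undefined property and fail at the first method call on it. Please grep the class, any subclass, and any test that does `new PersonDocumentVoter(` for `$this->helper` and the old two-argument form and update them in the same commit. The `services.yml` hunk does pass the three arguments in the new order, so the container wiring itself is consistent.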
@@ -71,9 +92,51 @@ class PersonDocumentVoter extends AbstractChillVoter implements ProvideRoleHiera
 return false;
 }
+ /**
+ *
+ * @param string $attribute
+ * @param PersonDocument $subject
+ * @param TokenInterface $token
+ * @return boolean
+ */
+ protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
+ {
+ $this->logger->debug(sprintf("Voting from %s class", self::class));
+
+ if (!$token->getUser() instanceof User) {
+ return false;
+ }
+
+ if ($subject instanceof PersonDocument) {
+ return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
+
+ } elseif ($subject instanceof Person) {
+ return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
+
+ } else {
+
+ // subject is null. We check that at least one center is reachable
+ $centers = $this->authorizationHelper
+ ->getReachableCenters($token->getUser(), new Role($attribute));
+
+ return count($centers) > 0;
+ }
+
+ if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $person)) {
+ return false;
+ }
+
+ return $this->authorizationHelper->userHasAccess(
+ $token->getUser(),
+ $subject,
+ $attribute
+ );
+
+ }
+
 protected function isGranted($attribute, $report, $user = null)
 {
- if (! $user instanceof \Chill\MainBundle\Entity\User){
+ if (! $user instanceof User){
 return false;
 }
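Review bot: Every path of the `if`/`elseif`/`else` chain in voteOnAttribute returns, so the `accessDecisionManager->decide($token, [PersonVoter::SEE], $person)` guard and the final `userHasAccess` call below it are unreachable and `$person` is never assigned. The newly injected decision manager is therefore never consulted: a user passing the document-level `userHasAccess` check is granted even if they could not SEE the underlying person, which looks like the cross-check this commit meant to add and should sit inside the PersonDocument branch before the document check, with the dead tail removed. The `else` branch is commented as the null-subject case but also catches any other subject type and grants on the mere existence of a reachable center; unless `supports()` (not in this hunk) limits subjects to PersonDocument, Person and null, narrow it to `$subject === null` and return false otherwise. The accessor used to reach the document's person is assumed below and needs confirming against the entity.
```php
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
    // … unchanged: debug log and User check …

    if ($subject instanceof PersonDocument) {
        // No document right without SEE on the owning person (delegated to PersonVoter).
        // NOTE(review): accessor name assumed — confirm against PersonDocument.
        $person = $subject->getPerson();
        if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $person)) {
            return false;
        }

        return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
    }

    if ($subject instanceof Person) {
        return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
    }

    if ($subject !== null) {
        // Unknown subject type: deny rather than fall through to the center check.
        return false;
    }

    // subject is null. We check that at least one center is reachable
    // … unchanged: getReachableCenters check …
}
```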