Refactorize StoredObjectVoter.php

The StoredObjectVoter.php has been refactorized to handle context-specific voters.\ This way we can check if the context-specific voter should handle the authorization or not.\ If not, there is a simple fallback to check on the USER_ROLE.
2025-10-24 22:23:13 +00:00 · 2024-06-14 17:22:27 +02:00
parent 65c41e6fa9
commit d9e37d0958
2 changed files with 35 additions and 7 deletions
--- a/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php
+++ b/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php
@@ -15,6 +15,7 @@ use Chill\DocStoreBundle\Entity\StoredObject;
 use Chill\DocStoreBundle\Security\Guard\DavTokenAuthenticationEventSubscriber;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\Security;

 /**
 * Voter for the content of a stored object.
@@ -23,6 +24,14 @@ use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 */
 class StoredObjectVoter extends Voter
 {
+    private $security;
+    private $storedObjectVoters;
+
+    public function __construct(Security $security, iterable $storedObjectVoters) {
+        $this->security = $security;
+        $this->storedObjectVoters = $storedObjectVoters;
+    }
+
    protected function supports($attribute, $subject): bool
    {
        return StoredObjectRoleEnum::tryFrom($attribute) instanceof StoredObjectRoleEnum
@@ -43,13 +52,18 @@ class StoredObjectVoter extends Voter
            return false;
        }

-        $askedRole = StoredObjectRoleEnum::from($attribute);
-        $tokenRoleAuthorization =
-            $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS);
+        // Loop through context-specific voters
+        foreach ($this->storedObjectVoters as $storedObjectVoter) {
+            if ($storedObjectVoter->supports($attribute, $subject)) {
+                return $storedObjectVoter->voteOnAttribute($attribute, $subject, $token);
+            }
+        }

-        return match ($askedRole) {
-            StoredObjectRoleEnum::SEE => StoredObjectRoleEnum::EDIT === $tokenRoleAuthorization || StoredObjectRoleEnum::SEE === $tokenRoleAuthorization,
-            StoredObjectRoleEnum::EDIT => StoredObjectRoleEnum::EDIT === $tokenRoleAuthorization
-        };
+        // User role-based fallback
+        if ($this->security->isGranted('ROLE_USER')) {
+            return true;
+        }
+
+        return false;
    }
 }
--- a/src/Bundle/ChillDocStoreBundle/config/services/voter.yaml
+++ b/src/Bundle/ChillDocStoreBundle/config/services/voter.yaml
@@ -0,0 +1,14 @@
+services:
+    _defaults:
+        autowire: true
+        autoconfigure: true
+    Chill\DocStoreBundle\Security\Authorization\StoredObjectVoter:
+        arguments:
+            $storedObjectVoters:
+                # context specific voters
+                - '@accompanying_course_document_voter'
+        tags:
+            - { name: security.voter }
+
+    accompanying_course_document_voter:
+        class: Chill\DocStoreBundle\Security\Authorization\AccompanyingCourseDocumentVoter