fix right to create person for amli use

2025-08-28 02:23:51 +00:00 · 2022-06-30 15:29:30 +02:00
parent ad63df85c7
commit e2634b0b0f
1 changed files with 12 additions and 9 deletions
--- a/src/Bundle/ChillPersonBundle/Controller/PersonController.php
+++ b/src/Bundle/ChillPersonBundle/Controller/PersonController.php
@@ -11,6 +11,7 @@ declare(strict_types=1);

 namespace Chill\PersonBundle\Controller;

+use Chill\MainBundle\Security\Authorization\AuthorizationHelperInterface;
 use Chill\PersonBundle\Config\ConfigPersonAltNamesHelper;
 use Chill\PersonBundle\Entity\Household\Household;
 use Chill\PersonBundle\Entity\Household\HouseholdMember;
@@ -20,6 +21,7 @@ use Chill\PersonBundle\Form\PersonType;
 use Chill\PersonBundle\Privacy\PrivacyEvent;
 use Chill\PersonBundle\Repository\PersonRepository;
 use Chill\PersonBundle\Search\SimilarPersonMatcher;
+use Chill\PersonBundle\Security\Authorization\PersonVoter;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Psr\Log\LoggerInterface;
@@ -44,6 +46,8 @@ use function is_array;

 final class PersonController extends AbstractController
 {
+    private AuthorizationHelperInterface $authorizationHelper;
+
    /**
     * @var ConfigPersonAltNamesHelper
     */
@@ -85,6 +89,7 @@ final class PersonController extends AbstractController
    private $validator;

    public function __construct(
+        AuthorizationHelperInterface $authorizationHelper,
        SimilarPersonMatcher $similarPersonMatcher,
        TranslatorInterface $translator,
        EventDispatcherInterface $eventDispatcher,
@@ -95,6 +100,7 @@ final class PersonController extends AbstractController
        EntityManagerInterface $em,
        Security $security
    ) {
+        $this->authorizationHelper = $authorizationHelper;
        $this->similarPersonMatcher = $similarPersonMatcher;
        $this->translator = $translator;
        $this->eventDispatcher = $eventDispatcher;
@@ -211,15 +217,10 @@ final class PersonController extends AbstractController
    {
        $person = new Person();

-        if (
-            1 === count($this->security->getUser()
-                ->getGroupCenters())
-        ) {
-            $person->setCenter(
-                $this->security->getUser()
-                    ->getGroupCenters()[0]
-                    ->getCenter()
-            );
+        $centers = $this->authorizationHelper->getReachableCenters($this->getUser(), PersonVoter::CREATE);
+
+        if (1 === count($centers)) {
+            $person->setCenter($centers[0]);
        }

        $form = $this->createForm(CreationPersonType::class, $person)
@@ -246,6 +247,8 @@ final class PersonController extends AbstractController
                false === $this->isLastPostDataChanges($form, $request, true)
                || count($alternatePersons) === 0
            ) {
+                $this->denyAccessUnlessGranted(PersonVoter::CREATE, $person);
+                
                $this->em->persist($person);

                $this->em->flush();