Chill-project/chill-bundles
6
0
Fork 0
mirror of https://gitlab.com/Chill-Projet/chill-bundles.git synced 2025-06-14 14:24:24 +00:00
Code Issues Actions Projects Releases Wiki Activity

Merge branch 'EventVoter' into sf3

Browse Source
This commit is contained in:
Tchama 2019-01-25 18:19:29 +01:00
commit e2be8f119d
5 changed files with 133 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Menu/PersonMenuBuilder.php
View File

@ -2,21 +2,14 @@
namespace Chill\EventBundle\Menu; namespace Chill\EventBundle\Menu;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Translation\TranslatorInterface; use Symfony\Component\Translation\TranslatorInterface;
use Symfony\Component\Security\Core\Role\Role;
use Knp\Menu\MenuItem; use Knp\Menu\MenuItem;
use Chill\MainBundle\Routing\LocalMenuBuilderInterface; use Chill\MainBundle\Routing\LocalMenuBuilderInterface;
use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
use Chill\EventBundle\Security\Authorization\EventVoter; use Chill\EventBundle\Security\Authorization\EventVoter;
class PersonMenuBuilder implements LocalMenuBuilderInterface class PersonMenuBuilder implements LocalMenuBuilderInterface
{ {
/**
*
* @var TokenStorageInterface
*/
protected $tokenStorage;
/** /**
* *
@ -26,31 +19,25 @@ class PersonMenuBuilder implements LocalMenuBuilderInterface
/** /**
* *
* @var AuthorizationHelper * @var AuthorizationCheckerInterface
*/ */
protected $authorizationHelper; protected $authorizationChecker;
public function __construct( public function __construct(
AuthorizationHelper $authorizationHelper, AuthorizationCheckerInterface $authorizationChecker,
TokenStorageInterface $tokenStorage,
TranslatorInterface $translator TranslatorInterface $translator
) { ) {
$this->tokenStorage = $tokenStorage; $this->authorizationChecker = $authorizationChecker;
$this->translator = $translator; $this->translator = $translator;
$this->authorizationHelper = $authorizationHelper;
} }
public function buildMenu($menuId, MenuItem $menu, array $parameters) public function buildMenu($menuId, MenuItem $menu, array $parameters)
{ {
/* @var $person \Chill\PersonBundle\Entity\Person */ /* @var $person \Chill\PersonBundle\Entity\Person */
$person = $parameters['person']; $person = $parameters['person'] ?? null;
$user = $this->tokenStorage->getToken()->getUser(); if ($this->authorizationChecker->isGranted(EventVoter::SEE, $person)) {
$roleSee = new Role(EventVoter::SEE);
// ASK use authorizationHelper or authorizationChecker ??
if ($this->authorizationHelper->userHasAccess($user, $person, $roleSee)) {
$menu->addChild($this->translator->trans('Events participation'), [ $menu->addChild($this->translator->trans('Events participation'), [
'route' => 'chill_event__list_by_person', 'route' => 'chill_event__list_by_person',

2
Resources/config/services/authorization.yml
View File

@ -2,7 +2,9 @@ services:
chill_event.event_voter: chill_event.event_voter:
class: Chill\EventBundle\Security\Authorization\EventVoter class: Chill\EventBundle\Security\Authorization\EventVoter
arguments: arguments:
- "@security.access.decision_manager"
- "@chill.main.security.authorization.helper" - "@chill.main.security.authorization.helper"
- "@logger"
tags: tags:
- { name: chill.role } - { name: chill.role }
- { name: security.voter } - { name: security.voter }

3
Resources/config/services/menu.yml
View File

@ -1,8 +1,7 @@
services: services:
Chill\EventBundle\Menu\PersonMenuBuilder: Chill\EventBundle\Menu\PersonMenuBuilder:
arguments: arguments:
$authorizationHelper: '@Chill\MainBundle\Security\Authorization\AuthorizationHelper' $authorizationChecker: '@Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface'
$tokenStorage: '@Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface'
$translator: '@Symfony\Component\Translation\TranslatorInterface' $translator: '@Symfony\Component\Translation\TranslatorInterface'
tags: tags:
- { name: 'chill.menu_builder' } - { name: 'chill.menu_builder' }

75
Resources/views/Event/listByPerson.html.twig
View File

@ -46,46 +46,13 @@
<td> <td>
<ul class="record_actions"> <ul class="record_actions">
<li> <li>
{% set currentPath = path(app.request.attributes.get('_route'), app.request.attributes.get('_route_params')) %} {% set currentPath = path(app.request.attributes.get('_route'), app.request.attributes.get('_route_params')) %}
{% set returnLabel = 'Back to %person% events'|trans({ '%person%' : currentPerson } ) %} {% set returnLabel = 'Back to %person% events'|trans({ '%person%' : currentPerson } ) %}
{# temporaire --
TODO corriger EventVoter.php pour régler les autorisations sur les boutons, puis remplacer ci-dessous par le code commenté #}
<a href="{{ path('chill_event__event_show', {
'event_id' : participation.event.id,
'return_path' : currentPath,
'return_label' : returnLabel
}) }}" class="sc-button bt-show" title="{{ 'See details of the event'|trans }}"></a>
<div class="bt-dropdown">
<a href="" class="sc-button bt-update"></a>
<div class="bt-dropdown-content">
<a href="{{ path('chill_event__event_edit', {
'event_id' : participation.event.id,
'return_path' : currentPath,
'return_label' : returnLabel
}) }}" class="sc-button bt-update">{{ 'Edit the event'|trans }}
</a>
<a href="{{ path('chill_event_participation_edit', {
'participation_id' : participation.id,
'return_path' : currentPath,
'return_label' : returnLabel
}) }}" class="sc-button bt-update">{{ 'Edit the participation'|trans }}
</a>
</div>
</div>
{#
{% if is_granted('CHILL_EVENT_SEE_DETAILS', participation.event) %} {% if is_granted('CHILL_EVENT_SEE_DETAILS', participation.event) %}
<a href="{{ path('chill_event__event_show', { <a href="{{ path('chill_event__event_show', { 'event_id' : participation.event.id, 'return_path' : currentPath, 'return_label' : returnLabel } ) }}"
'event_id' : participation.event.id, class="sc-button bt-show" title="{{ 'See details of the event'|trans }}"></a>
'return_path' : currentPath,
'return_label' : returnLabel
} ) }}" class="sc-button bt-show"></a>
{% endif %} {% endif %}
{% if is_granted('CHILL_EVENT_UPDATE', participation.event) {% if is_granted('CHILL_EVENT_UPDATE', participation.event)
@ -95,18 +62,13 @@
<a href="" class="sc-button bt-update"></a> <a href="" class="sc-button bt-update"></a>
<div class="bt-dropdown-content"> <div class="bt-dropdown-content">
<a href="{{ path('chill_event__event_edit', { <a href="{{ path('chill_event__event_edit', { 'event_id' : participation.event.id, 'return_path' : currentPath, 'return_label' : returnLabel }) }}"
'event_id' : participation.event.id, class="sc-button bt-update">
'return_path' : currentPath, {{ 'Edit the event'|trans }}
'return_label' : returnLabel
}) }}" class="sc-button bt-update">{{ 'Event edit'|trans }}
</a> </a>
<a href="{{ path('chill_event_participation_edit', { 'participation_id' : participation.id, 'return_path' : currentPath, 'return_label' : returnLabel }) }}"
<a href="{{ path('chill_event_participation_edit', { class="sc-button bt-update">
'participation_id' : participation.id, {{ 'Edit the participation'|trans }}
'return_path' : currentPath,
'return_label' : returnLabel
}) }}" class="sc-button bt-update">{{ 'Participation Edit'|trans }}
</a> </a>
</div> </div>
@ -114,25 +76,20 @@
{% else %} {% else %}
{% if is_granted('CHILL_EVENT_UPDATE', participation.event) %} {% if is_granted('CHILL_EVENT_UPDATE', participation.event) %}
<a href="{{ path('chill_event__event_edit', { <a href="{{ path('chill_event__event_edit', { 'event_id' : participation.event.id, 'return_path' : currentPath, 'return_label' : returnLabel }) }}"
'event_id' : participation.event.id, class="sc-button bt-update">
'return_path' : currentPath, {{ 'Edit the event'|trans }}
'return_label' : returnLabel
}) }}" class="sc-button bt-update">{{ 'Event edit'|trans }}
</a> </a>
{% endif %} {% endif %}
{% if is_granted('CHILL_EVENT_PARTICIPATION_UPDATE', participation) %} {% if is_granted('CHILL_EVENT_PARTICIPATION_UPDATE', participation) %}
<a href="{{ path('chill_event_participation_edit', { <a href="{{ path('chill_event_participation_edit', { 'participation_id' : participation.id, 'return_path' : currentPath, 'return_label' : returnLabel }) }}"
'participation_id' : participation.id, class="sc-button bt-update">
'return_path' : currentPath, {{ 'Edit the participation'|trans }}
'return_label' : returnLabel
}) }}" class="sc-button bt-update">{{ 'Participation Edit'|trans }}
</a> </a>
{% endif %} {% endif %}
{% endif %} {% endif %}
#}
</li> </li>
</ul> </ul>
</td> </td>

136
Security/Authorization/EventVoter.php
View File

@ -1,6 +1,20 @@
<?php <?php
/*
* Copyright (C) 2018 Champs Libres Cooperative <info@champs-libres.coop>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
namespace Chill\EventBundle\Security\Authorization; namespace Chill\EventBundle\Security\Authorization;
@ -9,62 +23,126 @@ use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
use Chill\EventBundle\Entity\Event; use Chill\EventBundle\Entity\Event;
use Chill\MainBundle\Security\Authorization\AuthorizationHelper; use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
use Chill\MainBundle\Entity\User; use Chill\MainBundle\Entity\User;
use Chill\PersonBundle\Entity\Person;
use Chill\PersonBundle\Security\Authorization\PersonVoter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Psr\Log\LoggerInterface;
/** /**
* Description of EventVoter * Description of EventVoter
* *
* @author Julien Fastré <julien.fastre@champs-libres.coop> * @author Mathieu Jaumotte <jaum_mathieu@collectifs.net>
* @author Champs Libres <info@champs-libres.coop> * @author Champs Libres <info@champs-libres.coop>
*/ */
class EventVoter extends AbstractChillVoter implements ProvideRoleHierarchyInterface class EventVoter extends AbstractChillVoter implements ProvideRoleHierarchyInterface
{ {
const SEE = 'CHILL_EVENT_SEE'; const SEE = 'CHILL_EVENT_SEE';
const SEE_DETAILS = 'CHILL_EVENT_SEE_DETAILS'; const SEE_DETAILS = 'CHILL_EVENT_SEE_DETAILS';
const CREATE = 'CHILL_EVENT_CREATE'; const CREATE = 'CHILL_EVENT_CREATE';
const UPDATE = 'CHILL_EVENT_UPDATE'; const UPDATE = 'CHILL_EVENT_UPDATE';
const ROLES = [
self::SEE,
self::SEE_DETAILS,
self::CREATE,
self::UPDATE
];
/**
* @var AuthorizationHelper
*/
protected $authorizationHelper; protected $authorizationHelper;
public function __construct(AuthorizationHelper $helper) /**
* @var AccessDecisionManagerInterface
*/
protected $accessDecisionManager;
/**
* @var LoggerInterface
*/
protected $logger;
public function __construct(
AccessDecisionManagerInterface $accessDecisionManager,
AuthorizationHelper $authorizationHelper,
LoggerInterface $logger
)
{ {
$this->authorizationHelper = $helper; $this->accessDecisionManager = $accessDecisionManager;
$this->authorizationHelper = $authorizationHelper;
$this->logger = $logger;
} }
protected function getSupportedAttributes() public function supports($attribute, $subject)
{ {
return array(self::SEE, self::SEE_DETAILS, return ($subject instanceof Event && in_array($attribute, self::ROLES))
self::CREATE, self::UPDATE); ||
($subject instanceof Person && \in_array($attribute, [ self::CREATE, self::SEE ]))
||
(NULL === $subject && $attribute === self::SEE )
;
} }
protected function getSupportedClasses() /**
*
* @param string $attribute
* @param Event $subject
* @param TokenInterface $token
* @return boolean
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{ {
return array(Event::class); $this->logger->debug(sprintf("Voting from %s class", self::class));
}
protected function isGranted($attribute, $event, $user = null)
{
if (!$user instanceof User) {
return false;
}
return $this->authorizationHelper->userHasAccess($user, $event, $attribute); if (!$token->getUser() instanceof User) {
} return false;
}
if ($subject instanceof Event) {
return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
} elseif ($subject instanceof Person) {
return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
} else {
// subject is null. We check that at least one center is reachable
$centers = $this->authorizationHelper
->getReachableCenters($token->getUser(), new Role($attribute));
return count($centers) > 0;
}
if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $person)) {
return false;
}
return $this->authorizationHelper->userHasAccess(
$token->getUser(),
$subject,
$attribute
);
}
public function getRoles() public function getRoles()
{ {
return $this->getSupportedAttributes(); return self::ROLES;
}
public function getRolesWithHierarchy()
{
return [
'Event' => self::ROLES
];
} }
public function getRolesWithoutScope() public function getRolesWithoutScope()
{ {
return null; return [];
} }
public function getRolesWithHierarchy()
{
return [ 'Event' => $this->getRoles() ];
}
} }