Chill-project/chill-bundles
6
0
Fork 0
mirror of https://gitlab.com/Chill-Projet/chill-bundles.git synced 2025-09-04 05:44:58 +00:00
Code Issues Actions Projects Releases Wiki Activity

Add role-based access controls for export functionality

Browse Source 
Introduced `CHILL_MAIN_COMPOSE_EXPORT` and `CHILL_MAIN_GENERATE_SAVED_EXPORT` roles for managing export creation and execution permissions. Updated access checks, menu routing, and templates to align with the new roles. Added a migration to extend existing permission groups with the `CHILL_MAIN_COMPOSE_EXPORT` role.
This commit is contained in:
Julien Fastré
2025-04-17 17:34:09 +02:00
parent fc8e3789e0
commit edeb8edbea
10 changed files with 123 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/Bundle/ChillMainBundle/Security/Authorization/ChillExportVoter.php
View File

@@ -11,35 +11,34 @@ declare(strict_types=1);
namespace Chill\MainBundle\Security\Authorization;
use Chill\MainBundle\Export\DirectExportInterface;
use Chill\MainBundle\Export\ExportInterface;
use Chill\MainBundle\Export\ExportManager;
use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
class ChillExportVoter extends Voter
class ChillExportVoter extends Voter implements ProvideRoleHierarchyInterface
{
final public const EXPORT = 'chill_export';
/**
* Role which give access to the creation of new export from the export itself.
*/
final public const COMPOSE_EXPORT = 'CHILL_MAIN_COMPOSE_EXPORT';
/**
* Role which give access to the execution and edition to the saved exports, but not for creating new ones.
*/
final public const GENERATE_SAVED_EXPORT = 'CHILL_MAIN_GENERATE_SAVED_EXPORT';
private readonly VoterHelperInterface $helper;
public function __construct(VoterHelperFactoryInterface $voterHelperFactory, ExportManager $exportManager)
public function __construct(VoterHelperFactoryInterface $voterHelperFactory)
{
$this->helper = $voterHelperFactory
->generate(self::class)
->addCheckFor(null, [self::EXPORT])
->addCheckFor(null, [self::COMPOSE_EXPORT, self::GENERATE_SAVED_EXPORT])
->build();
}
protected function supports($attribute, $subject): bool
{
if (
($subject instanceof ExportInterface or $subject instanceof DirectExportInterface)
&& $attribute === $subject->requiredRole()
) {
return true;
}
return $this->helper->supports($attribute, $subject);
}
@@ -47,4 +46,21 @@ class ChillExportVoter extends Voter
{
return $this->helper->voteOnAttribute($attribute, $subject, $token);
}
public function getRolesWithHierarchy(): array
{
return ['export.role.export_role' => [
self::COMPOSE_EXPORT, self::GENERATE_SAVED_EXPORT,
]];
}
public function getRoles(): array
{
return [self::COMPOSE_EXPORT, self::GENERATE_SAVED_EXPORT];
}
public function getRolesWithoutScope(): array
{
return $this->getRoles();
}
}