<?php

declare(strict_types=1);

/*
 * Chill is a software for social workers
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace Chill\DocStoreBundle\Security\Authorization;

use Chill\DocStoreBundle\Entity\StoredObject;
use Chill\DocStoreBundle\Security\Guard\DavTokenAuthenticationEventSubscriber;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * Voter for the content of a stored object.
 *
 * This is in use to allow or disallow the edition of the stored object's content.
 */
class StoredObjectVoter extends Voter
{
    protected function supports($attribute, $subject): bool
    {
        return StoredObjectRoleEnum::tryFrom($attribute) instanceof StoredObjectRoleEnum
            && $subject instanceof StoredObject;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        /** @var StoredObject $subject */
        if (
            !$token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
            || $subject->getUuid()->toString() !== $token->getAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
        ) {
            return false;
        }

        if (!$token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)) {
            return false;
        }

        $askedRole = StoredObjectRoleEnum::from($attribute);
        $tokenRoleAuthorization =
            $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS);

        return match ($askedRole) {
            StoredObjectRoleEnum::SEE => StoredObjectRoleEnum::EDIT === $tokenRoleAuthorization || StoredObjectRoleEnum::SEE === $tokenRoleAuthorization,
            StoredObjectRoleEnum::EDIT => StoredObjectRoleEnum::EDIT === $tokenRoleAuthorization
        };
    }
}