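. */

namespace Chill\DocStoreBundle\Security\Authorization;

use Chill\DocStoreBundle\Entity\PersonDocument;
use Chill\MainBundle\Entity\User;
use Chill\MainBundle\Security\Authorization\AbstractChillVoter;
use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
use Chill\PersonBundle\Entity\Person;
use Chill\PersonBundle\Security\Authorization\PersonVoter;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Role\Role;

/**
 * Voter for the person-document roles (CHILL_PERSON_DOCUMENT_*).
 *
 * The decision is delegated to the AuthorizationHelper: an attribute is
 * granted on a PersonDocument (or, for CREATE, on a Person) when the helper
 * reports that the token's User has access to that subject for that role.
 *
 * NOTE(review): $accessDecisionManager is injected but no longer used by any
 * method of this class (see voteOnAttribute); it is kept so the constructor
 * signature stays compatible with the service definition.
 */
class PersonDocumentVoter extends AbstractChillVoter implements ProvideRoleHierarchyInterface
{
    const CREATE = 'CHILL_PERSON_DOCUMENT_CREATE';
    const SEE = 'CHILL_PERSON_DOCUMENT_SEE';
    const SEE_DETAILS = 'CHILL_PERSON_DOCUMENT_SEE_DETAILS';
    const UPDATE = 'CHILL_PERSON_DOCUMENT_UPDATE';
    const DELETE = 'CHILL_PERSON_DOCUMENT_DELETE';

    /**
     * @var AuthorizationHelper
     */
    protected $authorizationHelper;

    /**
     * @var AccessDecisionManagerInterface
     */
    protected $accessDecisionManager;

    /**
     * @var LoggerInterface
     */
    protected $logger;

    /**
     * @param AccessDecisionManagerInterface $accessDecisionManager
     * @param AuthorizationHelper $authorizationHelper
     * @param LoggerInterface $logger
     */
    public function __construct(
        AccessDecisionManagerInterface $accessDecisionManager,
        AuthorizationHelper $authorizationHelper,
        LoggerInterface $logger
    ) {
        $this->accessDecisionManager = $accessDecisionManager;
        $this->authorizationHelper = $authorizationHelper;
        $this->logger = $logger;
    }

    /**
     * The attributes this voter decides on.
     *
     * @return string[]
     */
    public function getRoles(): array
    {
        return [
            self::CREATE,
            self::SEE,
            self::SEE_DETAILS,
            self::UPDATE,
            self::DELETE,
        ];
    }

    /**
     * Supports every role of this voter on a PersonDocument, and CREATE on a
     * Person (the person a new document would be attached to). Anything else,
     * including a null subject, is not supported.
     *
     * @param string $attribute
     * @param mixed $subject
     * @return bool
     */
    protected function supports($attribute, $subject): bool
    {
        if ($subject instanceof PersonDocument) {
            // strict: a non-string attribute (e.g. int 0) must never loosely
            // compare equal to one of the role strings
            return \in_array($attribute, $this->getRoles(), true);
        }

        return $subject instanceof Person && $attribute === self::CREATE;
    }

    /**
     * Decide the attribute for the token's user.
     *
     * Only a Chill User can be granted anything. For a PersonDocument or a
     * Person the AuthorizationHelper decides; for a null subject the vote is
     * positive as soon as one center is reachable for the role.
     *
     * NOTE(review): the original ended with an unreachable check of
     * PersonVoter::SEE (through $accessDecisionManager) on an undefined
     * $person variable; that dead code has been dropped. Whether a vote on a
     * PersonDocument should additionally require PersonVoter::SEE on the
     * document's person is not established by this file — confirm before
     * adding such a check.
     *
     * @param string $attribute
     * @param PersonDocument|Person|null $subject
     * @param TokenInterface $token
     * @return bool
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $this->logger->debug(sprintf("Voting from %s class", self::class));

        $user = $token->getUser();

        // anonymous or non-Chill principals are never granted anything here
        if (!$user instanceof User) {
            return false;
        }

        if ($subject instanceof PersonDocument || $subject instanceof Person) {
            return $this->authorizationHelper->userHasAccess($user, $subject, $attribute);
        }

        // subject is null: grant when at least one center is reachable for this role
        $centers = $this->authorizationHelper
            ->getReachableCenters($user, new Role($attribute));

        return count($centers) > 0;
    }

    /**
     * Legacy helper: grants $attribute on $report to $user through the
     * AuthorizationHelper; a missing or non-User principal is refused.
     *
     * @param string $attribute
     * @param mixed $report
     * @param User|null $user
     * @return bool
     */
    protected function isGranted($attribute, $report, $user = null): bool
    {
        if (!$user instanceof User) {
            return false;
        }

        // fixed: the injected helper is $authorizationHelper; this class
        // declares no $helper property, so the original call could not work
        return $this->authorizationHelper->userHasAccess($user, $report, $attribute);
    }

    /**
     * None of this voter's roles is scope-less.
     *
     * @return string[]
     */
    public function getRolesWithoutScope(): array
    {
        return [];
    }

    /**
     * All roles grouped under the single 'PersonDocument' heading.
     *
     * @return array<string, string[]>
     */
    public function getRolesWithHierarchy(): array
    {
        return ['PersonDocument' => $this->getRoles()];
    }
}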