* * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . */ namespace Chill\TaskBundle\Security\Authorization; use Chill\MainBundle\Security\Authorization\AbstractChillVoter; use Chill\TaskBundle\Entity\AbstractTask; use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface; use Chill\MainBundle\Security\Authorization\AuthorizationHelper; use Chill\PersonBundle\Security\Authorization\PersonVoter; use Psr\Log\LoggerInterface; use Chill\MainBundle\Security\ProvideRoleHierarchyInterface; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Chill\MainBundle\Entity\User; /** * * * @author Julien Fastré */ class TaskVoter extends AbstractChillVoter implements ProvideRoleHierarchyInterface { const CREATE = 'CHILL_TASK_TASK_CREATE'; const UPDATE = 'CHILL_TASK_TASK_UPDATE'; const SHOW = 'CHILL_TASK_TASK_SHOW'; const ROLES = [ self::CREATE, self::UPDATE, self::SHOW ]; /** * * @var AuthorizationHelper */ protected $authorizationHelper; /** * * @var AccessDecisionManagerInterface */ protected $accessDecisionManager; /** * * @var LoggerInterface */ protected $logger; public function __construct( AccessDecisionManagerInterface $accessDecisionManager, AuthorizationHelper $authorizationHelper, LoggerInterface $logger ) { $this->accessDecisionManager = $accessDecisionManager; $this->authorizationHelper = $authorizationHelper; $this->logger = $logger; } public function supports($attribute, $subject) { return $subject instanceof AbstractTask && in_array($attribute, self::ROLES); } /** * * @param string $attribute * @param AbstractTask $subject * @param TokenInterface $token * @return boolean */ protected function voteOnAttribute($attribute, $subject, TokenInterface $token) { $this->logger->debug(sprintf("Voting from %s class", self::class)); if (!$token->getUser() instanceof User) { return false; } if ($subject->getPerson() === null) { throw new \LogicException("You should associate a person with task " . "in order to check autorizations"); } if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $subject->getPerson())) { return false; } return $this->authorizationHelper->userHasAccess( $token->getUser(), $subject, $attribute ); } public function getRoles() { return self::ROLES; } public function getRolesWithHierarchy(): array { return [ 'Task' => self::ROLES ]; } public function getRolesWithoutScope() { return []; } }