chill-bundles/src/Bundle/ChillEventBundle/Security/Authorization/EventVoter.php

<?php

/**
 * Chill is a software for social workers
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

declare(strict_types=1);

namespace Chill\EventBundle\Security\Authorization;

use Chill\EventBundle\Entity\Event;
use Chill\MainBundle\Entity\User;
use Chill\MainBundle\Security\Authorization\AbstractChillVoter;
use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
use Chill\PersonBundle\Entity\Person;
use Chill\PersonBundle\Security\Authorization\PersonVoter;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Role\Role;

use function count;
use function in_array;

/**
 * Description of EventVoter.
 */
class EventVoter extends AbstractChillVoter implements ProvideRoleHierarchyInterface
{
    public const CREATE = 'CHILL_EVENT_CREATE';

    public const ROLES = [
        self::SEE,
        self::SEE_DETAILS,
        self::CREATE,
        self::UPDATE,
    ];

    public const SEE = 'CHILL_EVENT_SEE';

    public const SEE_DETAILS = 'CHILL_EVENT_SEE_DETAILS';

    public const UPDATE = 'CHILL_EVENT_UPDATE';

    /**
     * @var AccessDecisionManagerInterface
     */
    protected $accessDecisionManager;

    /**
     * @var AuthorizationHelper
     */
    protected $authorizationHelper;

    /**
     * @var LoggerInterface
     */
    protected $logger;

    public function __construct(
        AccessDecisionManagerInterface $accessDecisionManager,
        AuthorizationHelper $authorizationHelper,
        LoggerInterface $logger
    ) {
        $this->accessDecisionManager = $accessDecisionManager;
        $this->authorizationHelper = $authorizationHelper;
        $this->logger = $logger;
    }

    public function getRoles(): array
    {
        return self::ROLES;
    }

    public function getRolesWithHierarchy(): array
    {
        return [
            'Event' => self::ROLES,
        ];
    }

    public function getRolesWithoutScope(): array
    {
        return [];
    }

    public function supports($attribute, $subject)
    {
        return ($subject instanceof Event && in_array($attribute, self::ROLES, true))
            || ($subject instanceof Person && in_array($attribute, [self::CREATE, self::SEE], true))
            || (null === $subject && self::SEE === $attribute);
    }

    /**
     * @param string $attribute
     * @param Event $subject
     *
     * @return bool
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $this->logger->debug(sprintf('Voting from %s class', self::class));

        if (!$token->getUser() instanceof User) {
            return false;
        }

        if ($subject instanceof Event) {
            return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
        }

        if ($subject instanceof Person) {
            return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
        }

        // subject is null. We check that at least one center is reachable
        $centers = $this->authorizationHelper
            ->getReachableCenters($token->getUser(), new Role($attribute));

        return count($centers) > 0;

        if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $person)) {
            return false;
        }

        return $this->authorizationHelper->userHasAccess(
            $token->getUser(),
            $subject,
            $attribute
        );
    }
}