2021-12-21 10:59:23 +01:00

137 lines
3.6 KiB
PHP

<?php
/**
* Chill is a software for social workers
*
* For the full copyright and license information, please view
* the LICENSE file that was distributed with this source code.
*/
declare(strict_types=1);
namespace Chill\EventBundle\Security\Authorization;
use Chill\EventBundle\Entity\Event;
use Chill\MainBundle\Entity\User;
use Chill\MainBundle\Security\Authorization\AbstractChillVoter;
use Chill\MainBundle\Security\Authorization\AuthorizationHelper;
use Chill\MainBundle\Security\ProvideRoleHierarchyInterface;
use Chill\PersonBundle\Entity\Person;
use Chill\PersonBundle\Security\Authorization\PersonVoter;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Role\Role;
use function count;
use function in_array;
/**
* Description of EventVoter.
*/
class EventVoter extends AbstractChillVoter implements ProvideRoleHierarchyInterface
{
public const CREATE = 'CHILL_EVENT_CREATE';
public const ROLES = [
self::SEE,
self::SEE_DETAILS,
self::CREATE,
self::UPDATE,
];
public const SEE = 'CHILL_EVENT_SEE';
public const SEE_DETAILS = 'CHILL_EVENT_SEE_DETAILS';
public const UPDATE = 'CHILL_EVENT_UPDATE';
/**
* @var AccessDecisionManagerInterface
*/
protected $accessDecisionManager;
/**
* @var AuthorizationHelper
*/
protected $authorizationHelper;
/**
* @var LoggerInterface
*/
protected $logger;
public function __construct(
AccessDecisionManagerInterface $accessDecisionManager,
AuthorizationHelper $authorizationHelper,
LoggerInterface $logger
) {
$this->accessDecisionManager = $accessDecisionManager;
$this->authorizationHelper = $authorizationHelper;
$this->logger = $logger;
}
public function getRoles(): array
{
return self::ROLES;
}
public function getRolesWithHierarchy(): array
{
return [
'Event' => self::ROLES,
];
}
public function getRolesWithoutScope(): array
{
return [];
}
public function supports($attribute, $subject)
{
return ($subject instanceof Event && in_array($attribute, self::ROLES, true))
|| ($subject instanceof Person && in_array($attribute, [self::CREATE, self::SEE], true))
|| (null === $subject && self::SEE === $attribute);
}
/**
* @param string $attribute
* @param Event $subject
*
* @return bool
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
{
$this->logger->debug(sprintf('Voting from %s class', self::class));
if (!$token->getUser() instanceof User) {
return false;
}
if ($subject instanceof Event) {
return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
}
if ($subject instanceof Person) {
return $this->authorizationHelper->userHasAccess($token->getUser(), $subject, $attribute);
}
// subject is null. We check that at least one center is reachable
$centers = $this->authorizationHelper
->getReachableCenters($token->getUser(), new Role($attribute));
return count($centers) > 0;
if (!$this->accessDecisionManager->decide($token, [PersonVoter::SEE], $person)) {
return false;
}
return $this->authorizationHelper->userHasAccess(
$token->getUser(),
$subject,
$attribute
);
}
}