chill-bundles/src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php

<?php

declare(strict_types=1);

/*
 * Chill is a software for social workers
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace Chill\DocStoreBundle\Security\Authorization;

use Chill\DocStoreBundle\Entity\StoredObject;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Security;

/**
 * Voter for the content of a stored object.
 *
 * This is in use to allow or disallow the edition of the stored object's content.
 */
class StoredObjectVoter extends Voter
{
    public function __construct(private readonly Security $security, private readonly iterable $storedObjectVoters) {}

    protected function supports($attribute, $subject): bool
    {
        return StoredObjectRoleEnum::tryFrom($attribute) instanceof StoredObjectRoleEnum
            && $subject instanceof StoredObject;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        /** @var StoredObject $subject */
        $attributeAsEnum = StoredObjectRoleEnum::from($attribute);

        // Loop through context-specific voters
        foreach ($this->storedObjectVoters as $storedObjectVoter) {
            if ($storedObjectVoter->supports($attributeAsEnum, $subject)) {
                return $storedObjectVoter->voteOnAttribute($attributeAsEnum, $subject, $token);
            }
        }

        // User role-based fallback
        if ($this->security->isGranted('ROLE_USER') || $this->security->isGranted('ROLE_ADMIN')) {
            // TODO: this maybe considered as a security issue, as all authenticated users can reach a stored object which
            // is potentially detached from an existing entity.
            return true;
        }

        return false;
    }
}