src/Security/AccessApiVoter.php line 21

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/AccessApiVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Doctrine\Persistence\ManagerRegistry;
  12. use App\Entity\Access;
  13. use App\Entity\APIRest\AccessAPI;
  14. use App\Entity\Config\Config;
  15. use App\Entity\Config\Module;
  16. use App\Entity\HR\AccessFunction;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclPermission;
  19. use App\Services\Config\ModuleTools;
  21. class AccessApiVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  26.     const IS_ACTIVE "mobile_api_is_active";
  28.     const ACTIVATE_DEACTIVATE "activate_deactivate_mobile_api_user";
  29.     const ACTIVATE_DEACTIVATE_FOR_ACCESS "activate_deactivate_mobile_api_user_for_access";
  31.     const LISTING "list_api_accesses";
  32.     const LISTING_SOCIETY "list_api_accesses_society";
  33.     const LISTING_ANY "list_api_accesses_any";
  35.     const IS_GRANTED_CONSTANTS = array(
  36.         self::IS_ACTIVE,
  38.         self::ACTIVATE_DEACTIVATE,
  39.         self::ACTIVATE_DEACTIVATE_FOR_ACCESS,
  41.         self::LISTING,
  42.         self::LISTING_SOCIETY,
  43.         self::LISTING_ANY,
  44.     );
  46.     //--------------------------------------------------------------------------------
  47.     // acl constants
  49.     const ACL_PERM_ACTIVATE_DEACTIVATE 'mobile_api_activate_deactivate_user';
  50.     const ACL_PERM_ACTIVATE_DEACTIVATE_SOCIETY 'mobile_api_activate_deactivate_user_society';
  52.     //--------------------------------------------------------------------------------
  54.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrineModuleTools $moduleTools)
  55.     {
  56.         $this->accessDecisionManager $accessDecisionManager;
  57.         $this->em $doctrine->getManager();
  58.         $this->moduleTools $moduleTools;
  60.         $this->aclRepository $this->em->getRepository(Acl::class);
  61.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  62.     }
  64.     protected function supports(string $attribute$subject null): bool
  65.     {
  66.         // if the attribute isn't one we support, return false
  67.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  68.         {
  69.             return false;
  70.         }
  72.         // only vote on Access / AccessAPI objects inside this voter
  73.         if ($subject !== null && !($subject instanceof Access || $subject instanceof AccessAPI))
  74.         {
  75.             return false;
  76.         }
  78.         return true;
  79.     }
  81.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  82.     {
  83.         $user $token->getUser();
  85.         if (!$user instanceof Access)
  86.         {
  87.             // the user must be logged in; if not, deny access
  88.             return false;
  89.         }
  91.         // The user must have a function; if not deny access
  92.         $function $user->getFunction();
  93.         if ($function === null)        return false;
  95.         // Plan.io Task #3710 : Get current group
  96.         $currentGroup $user->getSocietyGroup();
  97.         if ($currentGroup === null)
  98.             return false;
  100.         // Module activated ?
  101.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_MOBILE_API))
  102.         {
  103.             return false;
  104.         }
  106.         $subjectAccess null;
  107.         $subjectAccessApi null;
  109.         if ($subject instanceof Access)
  110.         {
  111.             $subjectAccess $subject;
  112.             $subjectAccessApi $subject->getAccessAPI();
  113.         }
  114.         if ($subject instanceof AccessAPI)
  115.         {
  116.             $subjectAccess $subject->getAccess();
  117.             $subjectAccessApi $subject;
  118.         }
  120.         // Check current group affectation
  121.         if ($subjectAccess !== null)
  122.         {
  123.             $subjectSociety $subjectAccess->getSociety();
  124.             if ($subjectSociety === null)
  125.                 return false;
  126.             $subjectGroup $subjectSociety->getGroup();
  127.             if ($subjectGroup === null)
  128.                 return false;
  129.             if (!$currentGroup->equals($subjectGroup))
  130.                 return false;
  131.         }
  133.         switch ($attribute)
  134.         {
  135.             case self::IS_ACTIVE:
  136.                 return true;
  138.             case self::ACTIVATE_DEACTIVATE:
  139.             {
  140.                 return $this->canChangeState($subjectAccessApi$user$function);
  141.             }
  143.             case self::ACTIVATE_DEACTIVATE_FOR_ACCESS:
  144.             {
  145.                 if ($subjectAccess !== null && $subjectAccessApi === null)
  146.                 {
  147.                     // Creation case
  148.                     return $this->canAddForAccess($subjectAccess$user$function);
  149.                 }
  150.                 return $this->canChangeState($subjectAccessApi$user$function);
  151.             }
  153.             case self::LISTING:
  154.             {
  155.                 return $this->accessDecisionManager->decide($token, ['list_accesses']);
  156.             }
  157.             case self::LISTING_SOCIETY:
  158.             {
  159.                 return $this->accessDecisionManager->decide($token, ['list_accesses_society']);
  160.             }
  161.             case self::LISTING_ANY:
  162.             {
  163.                 return $this->accessDecisionManager->decide($token, ['list_accesses_any']);
  164.             }
  165.         }
  167.         throw new \LogicException('This code should not be reached!');
  168.     }
  170.     // $access is the user trying to load the resource
  171.     // $cost is the resource being loaded
  173.     // Check if the Society of the resource
  174.     // belongs to the societies of the $access
  175.     private function checkSociety(Access $subjectAccess $access)
  176.     {
  177.         // Get all the societies of the access
  178.         $societies $access->getSocieties();
  180.         // Get the Society of the Demand
  181.         $subjectSociety $subject->getSociety();
  183.         if ($subjectSociety === null)
  184.             return false;
  186.         $found false;
  187.         foreach ($societies as $society)
  188.         {
  189.             if ($society->getId() == $subjectSociety->getId())
  190.             {
  191.                 $found true;
  192.                 break;
  193.             }
  194.         }
  195.         return $found;
  196.     }
  198.     private function canChangeState(AccessAPI $accessApiAccess $userAccessFunction $function)
  199.     {
  200.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ACTIVATE_DEACTIVATE);
  201.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ACTIVATE_DEACTIVATE_SOCIETY);
  203.         // If all are null, exit
  204.         if ($aclPerm === null && $aclPermSociety === null)
  205.             return false;
  207.         // Get First one
  208.         if ($aclPerm !== null)
  209.         {
  210.             $acl $this->aclRepository->findOneBy(array(
  211.                 'function'        =>    $function,
  212.                 'permission'    =>    $aclPerm
  213.             ));
  214.             if ($acl !== null)
  215.             {
  216.                 if ($acl->getValue())
  217.                 {
  218.                     // A single positive answer is enough
  219.                     return true;
  220.                 }
  221.             }
  222.         }
  224.         // If we are here it means that nothing good has been found
  225.         // Load second permission
  226.         if ($aclPermSociety !== null)
  227.         {
  228.             $acl $this->aclRepository->findOneBy(array(
  229.                 'function'        =>    $function,
  230.                 'permission'    =>    $aclPermSociety
  231.             ));
  232.             if ($acl !== null)
  233.             {
  234.                 if ($acl->getValue())
  235.                 {
  236.                     return $this->checkSociety($accessApi->getAccess(), $user);
  237.                 }
  238.             }
  239.         }
  241.         // If we are here, all hope is lost
  242.         return false;
  243.     }
  245.     private function canAddForAccess(Access $accessAccess $userAccessFunction $function)
  246.     {
  247.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ACTIVATE_DEACTIVATE);
  248.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ACTIVATE_DEACTIVATE_SOCIETY);
  250.         // If all are null, exit
  251.         if ($aclPerm === null && $aclPermSociety === null)
  252.             return false;
  254.         // Get First one
  255.         if ($aclPerm !== null)
  256.         {
  257.             $acl $this->aclRepository->findOneBy(array(
  258.                 'function'        =>    $function,
  259.                 'permission'    =>    $aclPerm
  260.             ));
  261.             if ($acl !== null)
  262.             {
  263.                 if ($acl->getValue())
  264.                 {
  265.                     // A single positive answer is enough
  266.                     return true;
  267.                 }
  268.             }
  269.         }
  271.         // If we are here it means that nothing good has been found
  272.         // Load second permission
  273.         if ($aclPermSociety !== null)
  274.         {
  275.             $acl $this->aclRepository->findOneBy(array(
  276.                 'function'        =>    $function,
  277.                 'permission'    =>    $aclPermSociety
  278.             ));
  279.             if ($acl !== null)
  280.             {
  281.                 if ($acl->getValue())
  282.                 {
  283.                     return $this->checkSociety($access$user);
  284.                 }
  285.             }
  286.         }
  288.         // If we are here, all hope is lost
  289.         return false;
  290.     }
  291. }