src/Security/AccessVoter.php line 71

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/AccessVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Security\Acl;
  16. use App\Entity\Security\AclPermission;
  17. use App\Services\Config\ModuleTools;
  19. class AccessVoter extends Voter
  20. {
  21.     //--------------------------------------------------------------------------------
  22.     // is_granted constants
  23.     const IS_ACTIVE "access_is_active";
  25.     const EDIT "edit_access";
  26.     const ADD_FROM "add_access_from";
  28.     const LISTING "list_accesses";
  29.     const LISTING_SOCIETY "list_accesses_society";
  30.     const LISTING_ANY "list_accesses_any";
  32.     const ASSIGNING "assign_access_societies";
  33.     const ASSIGNING_SOCIETY "assign_access_societies_society";
  34.     const ASSIGNING_ANY "assign_access_societies_any";
  36.     const IS_GRANTED_CONSTANTS = array(
  37.         self::IS_ACTIVE,
  39.         self::EDIT,
  40.         self::ADD_FROM,
  42.         self::LISTING,
  43.         self::LISTING_SOCIETY,
  44.         self::LISTING_ANY,
  46.         self::ASSIGNING,
  47.         self::ASSIGNING_SOCIETY,
  48.         self::ASSIGNING_ANY,
  49.     );
  51.     //--------------------------------------------------------------------------------
  52.     const ACL_PERM_ADD_FROM "access_add_from";
  54.     const ACL_PERM_LISTING "access_list";
  55.     const ACL_PERM_LISTING_SOCIETY "access_list_society";
  57.     const ACL_PERM_ASSIGN "access_assign";
  58.     const ACL_PERM_ASSIGN_SOCIETY "access_assign_society";
  60.     const ACL_PERM_EDIT "access_edit";
  61.     const ACL_PERM_EDIT_SOCIETY "access_edit_society";
  62.     const ACL_PERM_EDIT_OWN "access_edit_own";
  64.     //--------------------------------------------------------------------------------
  66.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  67.     {
  68.         $this->em $doctrine->getManager();
  69.         $this->moduleTools $moduleTools;
  71.         $this->aclRepository $this->em->getRepository(Acl::class);
  72.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  73.     }
  75.     // Plan.io Task #4453
  76.     // This method returns true if the voter applies to the given attribute;
  77.     // if it returns false, Symfony won't call it again for this attribute
  78.     // https://symfony.com/blog/new-in-symfony-5-4-faster-security-voters
  79.     // https://symfony.com/doc/current/security/voters.html#improving-voter-performance
  80.     public function supportsAttribute(string $attribute): bool
  81.     {
  82.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  83.     }
  84.     
  85.     protected function supports(string $attribute$subject): bool
  86.     {
  87.         // if the attribute isn't one we support, return false
  88.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  89.         {
  90.             return false;
  91.         }
  93.         // only vote on Access objects inside this voter
  94.         if ($subject !== null && !$subject instanceof Access)
  95.         {
  96.             return false;
  97.         }
  99.         return true;
  100.     }
  102.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  103.     {
  104.         $user $token->getUser();
  106.         if (!$user instanceof Access)
  107.         {
  108.             // the user must be logged in; if not, deny access
  109.             return false;
  110.         }
  112.         // ROLE_USER must have a function; if not deny access
  113.         if ($user->isUser())
  114.         {
  115.             $function $user->getFunction();
  116.             if ($function === null)        return false;
  117.         }
  119.         // Plan.io Task #3710 : Get current group
  120.         $currentGroup $user->getSocietyGroup();
  121.         if ($currentGroup === null)
  122.             return false;
  124.         // Module activated ?
  125.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_ACCESS))
  126.         {
  127.             return false;
  128.         }
  129.         // Module human_resource should also be activated
  130.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_HUMAN_RESOURCE))
  131.         {
  132.             return false;
  133.         }
  135.         // you know $subject is an Access object, thanks to supports
  136.         /** @var Access $access */
  137.         $access $subject;
  139.         switch ($attribute)
  140.         {
  141.             case self::IS_ACTIVE:
  142.                 return true;
  144.             case self::EDIT:
  145.                 return $this->canEdit($access$user$function);
  147.             case self::ADD_FROM:
  148.                 return $this->canAddFrom($access$user$function);
  150.             case self::LISTING:
  151.                 return $this->canList($access$user$function);
  152.             case self::LISTING_SOCIETY:
  153.                 return $this->canListSociety($access$user$function);
  154.             case self::LISTING_ANY:
  155.                 return $this->canListAny($access$user$function);
  157.             case self::ASSIGNING:
  158.                 return $this->canAssign($access$user$function);
  159.             case self::ASSIGNING_SOCIETY:
  160.                 return $this->canAssignSociety($access$user$function);
  161.             case self::ASSIGNING_ANY:
  162.                 return $this->canAssignAny($access$user$function);
  163.         }
  165.         throw new \LogicException('This code should not be reached!');
  166.     }
  168.     // $access is the thing that we are doing stuff on
  169.     // $user is the logged in user
  170.     private function checkSociety(Access $accessAccess $user)
  171.     {
  172.         // Get all the societies of the user
  173.         $societies $user->getSocieties();
  175.         // Get the Society of the Access
  176.         $accessSociety $access->getSociety();
  177.         if ($accessSociety === null)
  178.             return false;
  180.         $found false;
  181.         foreach ($societies as $society)
  182.         {
  183.             if ($society->getId() == $accessSociety->getId())
  184.             {
  185.                 $found true;
  186.                 break;
  187.             }
  188.         }
  189.         return $found;
  190.     }
  192.     // $access is the thing that we are doing stuff on
  193.     // $user is the logged in user
  195.     private function canEdit(Access $accessAccess $user$function)
  196.     {
  197.         // Get Acl_Perdemands
  198.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  199.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  200.         $aclPermOwn $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_OWN);
  202.         // If all are null, exit
  203.         if ($aclPerm === null && $aclPermSociety === null && $aclPermOwn)
  204.             return false;
  206.         // Get First one
  207.         if ($aclPerm !== null)
  208.         {
  209.             $acl $this->aclRepository->findOneBy(array(
  210.                 'function'        =>    $function,
  211.                 'permission'    =>    $aclPerm
  212.             ));
  213.             if ($acl !== null)
  214.             {
  215.                 if ($acl->getValue())
  216.                 {
  217.                     // A single positive answer is enough
  218.                     return true;
  219.                 }
  220.             }
  221.         }
  223.         // If we are here it means that nothing good has been found
  224.         // Load second permission
  225.         if ($aclPermSociety !== null)
  226.         {
  227.             $acl $this->aclRepository->findOneBy(array(
  228.                 'function'        =>    $function,
  229.                 'permission'    =>    $aclPermSociety
  230.             ));
  231.             if ($acl !== null)
  232.             {
  233.                 if ($acl->getValue())
  234.                 {
  235.                     // Check Society
  236.                     if ($this->checkSociety($access$user))
  237.                     {
  238.                         return true;
  239.                     }
  240.                 }
  241.             }
  242.         }
  244.         // If we are here it means that nothing good has been found
  245.         // Load third permission
  246.         if ($aclPermOwn !== null)
  247.         {
  248.             $acl $this->aclRepository->findOneBy(array(
  249.                 'function'        =>    $function,
  250.                 'permission'    =>    $aclPermOwn
  251.             ));
  252.             if ($acl !== null)
  253.             {
  254.                 if ($acl->getValue())
  255.                 {
  256.                     // Check Own
  257.                     if ($user->equals($access$user))
  258.                     {
  259.                         return true;
  260.                     }
  261.                 }
  262.             }
  263.         }
  265.         // If we are here, all hope is lost
  266.         return false;
  267.     }
  269.     private function canAddFrom(Access $access nullAccess $userAccessFunction $function)
  270.     {
  271.         // Get Acl_Permission
  272.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_FROM);
  273.         if ($aclPerm === null)        return false;
  275.         // Get Acl
  276.         $acl $this->aclRepository->findOneBy(array(
  277.             'function'        =>    $function,
  278.             'permission'    =>    $aclPerm
  279.         ));
  280.         if ($acl === null)        return false;
  282.         // Since only one list type can exist for the Applications,
  283.         // we can return the result of the acl_permission
  284.         return $acl->getValue();
  285.     }
  287.     private function canAssign(Access $access nullAccess $userAccessFunction $function)
  288.     {
  289.         // Get Acl_Permission
  290.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ASSIGN);
  291.         if ($aclPerm === null)        return false;
  293.         // Get Acl
  294.         $acl $this->aclRepository->findOneBy(array(
  295.             'function'        =>    $function,
  296.             'permission'    =>    $aclPerm
  297.         ));
  298.         if ($acl === null)        return false;
  300.         // Since only one list type can exist for the Applications,
  301.         // we can return the result of the acl_permission
  303.         return $acl->getValue();
  304.     }
  306.     private function canAssignSociety(Access $access nullAccess $userAccessFunction $function)
  307.     {
  308.         // Get Acl_Permission
  309.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ASSIGN_SOCIETY);
  310.         if ($aclPerm === null)        return false;
  312.         // Get Acl
  313.         $acl $this->aclRepository->findOneBy(array(
  314.             'function'        =>    $function,
  315.             'permission'    =>    $aclPerm
  316.         ));
  317.         if ($acl === null)        return false;
  319.         // Further filtering is done in the Controller
  320.         return $acl->getValue();
  321.     }
  323.     private function canAssignAny(Access $access nullAccess $userAccessFunction $function)
  324.     {
  325.         // Two Acl_Permission may exist
  326.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ASSIGN);
  327.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ASSIGN_SOCIETY);
  328.         // If both are null, exit
  329.         if ($aclPerm === null && $aclPermSociety === null)
  330.             return false;
  332.         // Get First one
  333.         if ($aclPerm !== null)
  334.         {
  335.             $acl $this->aclRepository->findOneBy(array(
  336.                 'function'        =>    $function,
  337.                 'permission'    =>    $aclPerm
  338.             ));
  339.             if ($acl !== null)
  340.             {
  341.                 if ($acl->getValue())
  342.                 {
  343.                     // A single positive answer is enough
  344.                     return true;
  345.                 }
  346.             }
  347.         }
  348.         // If we are here it means that nothing good has been found
  349.         // Load second permission
  350.         if ($aclPermSociety !== null)
  351.         {
  352.             $acl $this->aclRepository->findOneBy(array(
  353.                 'function'        =>    $function,
  354.                 'permission'    =>    $aclPermSociety
  355.             ));
  356.             if ($acl !== null)
  357.             {
  358.                 if ($acl->getValue())
  359.                 {
  360.                     // A single positive answer is enough
  361.                     return true;
  362.                 }
  363.             }
  364.         }
  365.         // If we are here, all hope is lost
  366.         return false;
  367.     }
  369.     private function canList(Access $access nullAccess $userAccessFunction $function)
  370.     {
  371.         // Get Acl_Permission
  372.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  373.         if ($aclPerm === null)        return false;
  375.         // Get Acl
  376.         $acl $this->aclRepository->findOneBy(array(
  377.             'function'        =>    $function,
  378.             'permission'    =>    $aclPerm
  379.         ));
  380.         if ($acl === null)        return false;
  382.         // Further filtering is done in the Controller
  383.         return $acl->getValue();
  384.     }
  386.     private function canListSociety(Access $access nullAccess $userAccessFunction $function)
  387.     {
  388.         // Get Acl_Permission
  389.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  390.         if ($aclPerm === null)        return false;
  392.         // Get Acl
  393.         $acl $this->aclRepository->findOneBy(array(
  394.             'function'        =>    $function,
  395.             'permission'    =>    $aclPerm
  396.         ));
  397.         if ($acl === null)        return false;
  399.         // Further filtering is done in the Controller
  400.         return $acl->getValue();
  401.     }
  403.     private function canListAny(Access $access nullAccess $userAccessFunction $function)
  404.     {
  405.         // Two Acl_Permission may exist
  406.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  407.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  408.         // If both are null, exit
  409.         if ($aclPerm === null && $aclPermSociety === null)
  410.             return false;
  412.         // Get First one
  413.         if ($aclPerm !== null)
  414.         {
  415.             $acl $this->aclRepository->findOneBy(array(
  416.                 'function'        =>    $function,
  417.                 'permission'    =>    $aclPerm
  418.             ));
  419.             if ($acl !== null)
  420.             {
  421.                 if ($acl->getValue())
  422.                 {
  423.                     // A single positive answer is enough
  424.                     return true;
  425.                 }
  426.             }
  427.         }
  428.         // If we are here it means that nothing good has been found
  429.         // Load second permission
  430.         if ($aclPermSociety !== null)
  431.         {
  432.             $acl $this->aclRepository->findOneBy(array(
  433.                 'function'        =>    $function,
  434.                 'permission'    =>    $aclPermSociety
  435.             ));
  436.             if ($acl !== null)
  437.             {
  438.                 if ($acl->getValue())
  439.                 {
  440.                     // A single positive answer is enough
  441.                     return true;
  442.                 }
  443.             }
  444.         }
  445.         // If we are here, all hope is lost
  446.         return false;
  447.     }
  448. }