src/Security/AdminVoter.php line 19

Open in your IDE?
  1. <?php
  2. //----------------------------------------------------------------------
  3. // src/Security/AdminVoter.php
  4. //----------------------------------------------------------------------
  6. namespace App\Security;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Symfony\Component\Security\Core\Security;
  11. use Doctrine\Persistence\ManagerRegistry;
  13. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  14. use Symfony\Component\Security\Core\Role\SwitchUserRole;
  16. use App\Entity\Access;
  17. use App\Entity\Security\Acl;
  19. class AdminVoter extends Voter
  20. {
  21.     const ROLE_ADMIN "is_admin";
  22.     const CAN_BE_IMPERSONATED "can_be_impersonated";
  24.     const IS_GRANTED_CONSTANTS = array(
  25.         self::ROLE_ADMIN,
  26.         self::CAN_BE_IMPERSONATED,
  27.     );
  29.     public function __construct(ManagerRegistry $doctrine)
  30.     {
  31.         $this->em $doctrine->getManager();
  32.     }
  34.     // Plan.io Task #4453 [See AccessVoter for details]
  35.     public function supportsAttribute(string $attribute): bool
  36.     {
  37.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  38.     }
  40.     protected function supports(string $attribute$subject): bool
  41.     {
  42.         // if the attribute isn't one we support, return false
  43.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  44.         {
  45.             return false;
  46.         }
  48.         return true;
  49.     }
  51.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  52.     {
  53.         $user $token->getUser();
  55.         if (!$user instanceof Access)
  56.         {
  57.             // the user must be logged in; if not, deny access
  58.             return false;
  59.         }
  61.         if (!$user->hasRoleAdmin())
  62.         {
  63.             return false;
  64.         }
  67.         switch ($attribute)
  68.         {
  69.             case self::ROLE_ADMIN:
  70.                 return $this->isAdmin($user$token);
  71.             case self::CAN_BE_IMPERSONATED:
  72.                 return $this->canBeImpersonated($user$subject$token);
  73.         }
  75.         throw new \LogicException('This code should not be reached!');
  76.     }
  78.     // https://symfony.com/doc/5.4/security/impersonating_user.html
  79.     private function getOriginalUser($access$token)
  80.     {
  81.         $originalUser null;
  83.         if ($token instanceof SwitchUserToken)
  84.         {
  85.             $originalUser $token->getOriginalToken()->getUser();
  86.         }
  88.         if ($originalUser !== null)
  89.         {
  90.             return $originalUser;
  91.         }
  92.         return $access;
  93.     }
  95.     private function isAdmin(Access $access$token)
  96.     {
  97.         // Make sure we are looking at the right user
  98.         // This ensures that a ROLE_ADMIN with canSwitch
  99.         // cannot have access to stuff limited to true ROLE_ADMIN
  101.         $originalUser $this->getOriginalUser($access$token);
  103.         if ($originalUser !== null)
  104.         {
  105.             if ($originalUser->isAdmin())
  106.             {
  107.                 return true;
  108.             }
  109.             else
  110.             {
  111.                 return false;
  112.             }
  113.         }
  115.         // We already know that this Access is a true ROLE_ADMIN
  116.         return true;
  117.     }
  119.     private function canBeImpersonated(Access $theOneWhoWantsToSwitchAccess $theOneBeingImpersonated$token)
  120.     {
  121.         if ($this->isAdmin($theOneWhoWantsToSwitch$token))
  122.         {
  123.             if ($theOneBeingImpersonated->isActive())
  124.             {
  125.                 return true;
  126.             }
  127.         }
  128.         return false;
  129.     }
  130. }