src/Security/AdvancedNotificationVoter.php line 21

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/AdvancedNotificationVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\APIRest\AccessAPI;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Ding\AdvancedNotification;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclPermission;
  19. use App\Services\Config\ModuleTools;
  21. class AdvancedNotificationVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  25.     const IS_ACTIVE "advanced_notification_is_active";
  27.     const LISTING "list_advanced_notifications";
  29.     const LISTING_SOCIETY "list_advanced_notifications_society";
  30.     const LISTING_ANY "list_advanced_notifications_any";
  32.     const CHECK "check_advanced_notification";
  34.     const IS_GRANTED_CONSTANTS = array(
  35.         self::IS_ACTIVE,
  36.         self::LISTING,
  37.         self::LISTING_SOCIETY,
  38.         self::LISTING_ANY,
  39.         self::CHECK,
  40.     );
  42.     //--------------------------------------------------------------------------------
  43.     // acl constants
  44.     const ACL_PERM_LIST 'advanced_notification_list';
  45.     const ACL_PERM_LIST_SOCIETY 'advanced_notification_list_society';
  46.     //--------------------------------------------------------------------------------
  48.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  49.     {
  50.         $this->em $doctrine->getManager();
  51.         $this->moduleTools $moduleTools;
  53.         $this->aclRepository $this->em->getRepository(Acl::class);
  54.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  55.     }
  57.     // Plan.io Task #4453 [See AccessVoter for details]
  58.     public function supportsAttribute(string $attribute): bool
  59.     {
  60.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  61.     }
  63.     protected function supports(string $attribute$subject null): bool
  64.     {
  65.         // if the attribute isn't one we support, return false
  66.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  67.         {
  68.             return false;
  69.         }
  71.         // only vote on AdvancedNotification objects inside this voter
  72.         if ($subject !== null && !$subject instanceof AdvancedNotification)
  73.         {
  74.             return false;
  75.         }
  77.         return true;
  78.     }
  80.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  81.     {
  82.         $user $token->getUser();
  84.         // Plan.io Task #3707
  85.         if ($user instanceof AccessAPI)
  86.         {
  87.             if ($user->getAccess() === null)
  88.             {
  89.                 return false;
  90.             }
  91.             $user $user->getAccess();
  92.         }
  94.         // Plan.io Task #3707
  95.         // At this point $user is an object of Access type
  96.         // even if the $token->getUser() is AccessAPI
  97.         if (!$user instanceof Access)
  98.         {
  99.             // the user must be logged in; if not, deny access
  100.             return false;
  101.         }
  102.         // The user must have a function; if not deny access
  103.         $function $user->getFunction();
  104.         if ($function === null)        return false;
  106.         // Plan.io Task #3710 : Get current group
  107.         $currentGroup $user->getSocietyGroup();
  108.         if ($currentGroup === null)
  109.             return false;
  111.         // Module activated ?
  112.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_ADVANCED_NOTIFICATION))
  113.         {
  114.             return false;
  115.         }
  117.         // you know $subject is a AdvancedNotification object, thanks to supports
  118.         /** @var AdvancedNotification $advancedNotification */
  119.         $advancedNotification $subject;
  121.         // Check current group affectation
  122.         if ($subject !== null)
  123.         {
  124.             $subjectSociety $subject->getSociety();
  125.             if ($subjectSociety === null)
  126.                 return false;
  127.             $subjectGroup $subjectSociety->getGroup();
  128.             if ($subjectGroup === null)
  129.                 return false;
  130.             if (!$currentGroup->equals($subjectGroup))
  131.                 return false;
  132.         }
  134.         switch ($attribute)
  135.         {
  136.             // Check is done before, in the voteOnAttribute
  137.             case self::IS_ACTIVE:
  138.                 return true;
  140.             case self::LISTING:
  141.                 return $this->canList($user$function);
  142.             case self::LISTING_SOCIETY:
  143.                 return $this->canListSociety($user$function);
  144.             case self::LISTING_ANY:
  145.                 return $this->canListAny($user$function);
  147.             case self::CHECK:
  148.                 return $this->canCheck($user$function$advancedNotification);
  149.         }
  151.         throw new \LogicException('This code should not be reached!');
  152.     }
  154.     // Check if the Society of the AdvancedNotification
  155.     // belongs to the societies of the $access
  156.     private function checkSociety(AdvancedNotification $advancedNotificationAccess $access)
  157.     {
  158.         // Get all the societies of the access
  159.         $societies $access->getSocieties();
  161.         // Get the Society of the Demand
  162.         $advancedNotificationSociety $advancedNotification->getSociety();
  164.         if ($advancedNotificationSociety === null)
  165.             return false;
  167.         $found false;
  168.         foreach ($societies as $society)
  169.         {
  170.             if ($society->equals($advancedNotificationSociety))
  171.             {
  172.                 $found true;
  173.                 break;
  174.             }
  175.         }
  176.         return $found;
  177.     }
  179.     private function canList(Access $userAccessFunction $function)
  180.     {
  181.         // Get Acl_Permission
  182.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  183.         if ($aclPerm === null)        return false;
  185.         // Get Acl
  186.         $acl $this->aclRepository->findOneBy(array(
  187.             'function'        =>    $function,
  188.             'permission'    =>    $aclPerm
  189.         ));
  190.         if ($acl === null)        return false;
  192.         // Since only one acl type can exist
  193.         // we can return the result of the acl_permission
  194.         return $acl->getValue();
  195.     }
  197.     private function canListSociety(Access $userAccessFunction $function)
  198.     {
  199.         // Get Acl_Permission
  200.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  201.         if ($aclPerm === null)        return false;
  203.         // Get Acl
  204.         $acl $this->aclRepository->findOneBy(array(
  205.             'function'        =>    $function,
  206.             'permission'    =>    $aclPerm
  207.         ));
  208.         if ($acl === null)        return false;
  210.         // Since only one acl type can exist
  211.         // we can return the result of the acl_permission
  212.         return $acl->getValue();
  213.     }
  215.     private function canListAny(Access $userAccessFunction $function)
  216.     {
  217.         // Three Acl_Permission may exist
  218.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  219.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  221.         // If all are null, exit
  222.         if ($aclPerm === null && $aclPermSociety === null)
  223.             return false;
  225.         // Get First one
  226.         if ($aclPerm !== null)
  227.         {
  228.             $acl $this->aclRepository->findOneBy(array(
  229.                 'function'        =>    $function,
  230.                 'permission'    =>    $aclPerm
  231.             ));
  232.             if ($acl !== null)
  233.             {
  234.                 if ($acl->getValue())
  235.                 {
  236.                     // A single positive answer is enough
  237.                     return true;
  238.                 }
  239.             }
  240.         }
  242.         // If we are here it means that nothing good has been found
  243.         // Load second permission
  244.         if ($aclPermSociety !== null)
  245.         {
  246.             $acl $this->aclRepository->findOneBy(array(
  247.                 'function'        =>    $function,
  248.                 'permission'    =>    $aclPermSociety
  249.             ));
  250.             if ($acl !== null)
  251.             {
  252.                 if ($acl->getValue())
  253.                 {
  254.                     // A single positive answer is enough
  255.                     return true;
  256.                 }
  257.             }
  258.         }
  260.         // If we are here, all hope is lost
  261.         return false;
  262.     }
  264.     private function canCheck(Access $userAccessFunction $functionAdvancedNotification $advancedNotification)
  265.     {
  266.         // Get Acl_Perdemands
  267.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  268.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  270.         // If all are null, exit
  271.         if ($aclPerm === null && $aclPermSociety === null)
  272.             return false;
  274.         // Get First one
  275.         if ($aclPerm !== null)
  276.         {
  277.             $acl $this->aclRepository->findOneBy(array(
  278.                 'function'        =>    $function,
  279.                 'permission'    =>    $aclPerm
  280.             ));
  281.             if ($acl !== null)
  282.             {
  283.                 if ($acl->getValue())
  284.                 {
  285.                     // A single positive answer is enough
  286.                     return true;
  287.                 }
  288.             }
  289.         }
  291.         // If we are here it means that nothing good has been found
  292.         // Load second permission
  293.         if ($aclPermSociety !== null)
  294.         {
  295.             $acl $this->aclRepository->findOneBy(array(
  296.                 'function'        =>    $function,
  297.                 'permission'    =>    $aclPermSociety
  298.             ));
  299.             if ($acl !== null)
  300.             {
  301.                 if ($acl->getValue())
  302.                 {
  303.                     // Check Society
  304.                     if ($this->checkSociety($advancedNotification$user))
  305.                     {
  306.                         return true;
  307.                     }
  308.                 }
  309.             }
  310.         }
  312.         // If we are here, all hope is lost
  313.         return false;
  314.     }
  315. }