src/Security/ArticleCommentVoter.php line 22

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/ArticleCommentVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\APIRest\AccessAPI;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Media\Comment;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclArticle;
  19. use App\Entity\Security\AclPermission;
  20. use App\Services\Config\ModuleTools;
  22. class ArticleCommentVoter extends Voter
  23. {
  24.     //--------------------------------------------------------------------------------
  25.     // is_granted constants
  26.     const APPROVE "approve_comment";
  27.     const DELETE "delete_comment";
  29.     const MODERATION "comment_moderation";
  31.     const IS_GRANTED_CONSTANTS = array(
  32.         self::APPROVE,
  33.         self::DELETE,
  34.         self::MODERATION,
  35.     );
  37.     //--------------------------------------------------------------------------------
  38.     // acl constants
  39.     const ACL_PERM_APPROVE "article_comment_approve";
  40.     const ACL_PERM_APPROVE_OWN_ARTICLE "article_comment_approve_own_article";
  42.     const ACL_PERM_DELETE "article_comment_delete";
  43.     const ACL_PERM_DELETE_OWN_ARTICLE "article_comment_delete_own_article";
  44.     const ACL_PERM_DELETE_OWN "article_comment_delete_own";
  46.     //--------------------------------------------------------------------------------
  48.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  49.     {
  50.         $this->em $doctrine->getManager();
  51.         $this->moduleTools $moduleTools;
  53.         $this->aclRepository $this->em->getRepository(Acl::class);
  54.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  55.     }
  57.     // Plan.io Task #4453 [See AccessVoter for details]
  58.     public function supportsAttribute(string $attribute): bool
  59.     {
  60.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  61.     }
  63.     protected function supports(string $attribute$subject): bool
  64.     {
  65.         // if the attribute isn't one we support, return false
  66.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  67.         {
  68.             return false;
  69.         }
  71.         // only vote on Comment objects inside this voter
  72.         if ($subject !== null && !$subject instanceof Comment)
  73.         {
  74.             return false;
  75.         }
  77.         return true;
  78.     }
  80.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  81.     {
  82.         $user $token->getUser();
  84.         // Plan.io Task #3707
  85.         if ($user instanceof AccessAPI)
  86.         {
  87.             if ($user->getAccess() === null)
  88.             {
  89.                 return false;
  90.             }
  91.             $user $user->getAccess();
  92.         }
  94.         // Plan.io Task #3707
  95.         // At this point $user is an object of Access type
  96.         // even if the $token->getUser() is AccessAPI
  97.         if (!$user instanceof Access)
  98.         {
  99.             // the user must be logged in; if not, deny access
  100.             return false;
  101.         }
  103.         // The user must have a function; if not deny access
  104.         $function $user->getFunction();
  105.         if ($function === null)        return false;
  107.         // Plan.io Task #3710 : Get current group
  108.         $currentGroup $user->getSocietyGroup();
  109.         if ($currentGroup === null)
  110.             return false;
  112.         // Module activated ?
  113.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_ARTICLE))
  114.         {
  115.             return false;
  116.         }
  118.         // you know $subject is a Comment object, thanks to supports
  119.         /** @var Comment $comment */
  120.         $comment $subject;
  122.         // Check current group affectation
  123.         if ($subject !== null && $subject->getArticle() !== null)
  124.         {
  125.             $subjectGroup $subject->getArticle()->getSocietyGroup();
  126.             if ($subjectGroup === null)
  127.                 return false;
  128.             if (!$currentGroup->equals($subjectGroup))
  129.                 return false;
  130.         }
  132.         switch ($attribute)
  133.         {
  134.             case self::DELETE:
  135.                 return $this->canDelete($comment$user$function);
  137.             case self::APPROVE:
  138.                 return $this->canApprove($comment$user$function);
  140.             case self::MODERATION:
  141.                 return $this->canModerate($user$function);
  142.         }
  144.         throw new \LogicException('This code should not be reached!');
  145.     }
  147.     // $access is the user trying to load the resource
  148.     // $comment is the resource being loaded
  150.     private function checkAuthor(Comment $commentAccess $access)
  151.     {
  152.         $author $comment->getAuthor();
  153.         if ($author === null)
  154.             return false;
  156.         if ($author->getId() == $access->getId())
  157.             return true;
  159.         return false;
  160.     }
  162.     // $access is the user trying to load the resource
  163.     // $comment is the resource being loaded
  165.     private function checkArticleAuthor(Comment $commentAccess $access)
  166.     {
  167.         $article $comment->getArticle();
  168.         if ($article === null)
  169.             return false;
  171.         $author $article->getAuthor();
  172.         if ($author === null)
  173.             return false;
  175.         if ($author->getId() == $access->getId())
  176.             return true;
  178.         return false;
  179.     }
  181.     private function canModerate(Access $userAccessFunction $function)
  182.     {
  183.         // Get AclPermissions
  184.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE);
  185.         $aclPermOwnArticle $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE_OWN_ARTICLE);
  187.         // If all are null, exit
  188.         if ($aclPerm === null && $aclPermOwnArticle)
  189.             return false;
  191.         // Get First one
  192.         if ($aclPerm !== null)
  193.         {
  194.             $acl $this->aclRepository->findOneBy(array(
  195.                 'function'        =>    $function,
  196.                 'permission'    =>    $aclPerm
  197.             ));
  198.             if ($acl !== null)
  199.             {
  200.                 if ($acl->getValue())
  201.                 {
  202.                     // A single positive answer is enough
  203.                     return true;
  204.                 }
  205.             }
  206.         }
  207.         // If we are here it means that nothing good has been found
  208.         // Load second permission
  209.         if ($aclPermOwnArticle !== null)
  210.         {
  211.             $acl $this->aclRepository->findOneBy(array(
  212.                 'function'        =>    $function,
  213.                 'permission'    =>    $aclPermOwnArticle
  214.             ));
  215.             if ($acl !== null)
  216.             {
  217.                 if ($acl->getValue())
  218.                 {
  219.                     /// A single positive answer is enough
  220.                     return true;
  221.                 }
  222.             }
  223.         }
  224.         // If we are here, all hope is lost
  225.         return false;
  226.     }
  228.     private function canApprove(Comment $commentAccess $userAccessFunction $function)
  229.     {
  230.         // Get AclPermissions
  231.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE);
  232.         $aclPermOwnArticle $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE_OWN_ARTICLE);
  234.         // If all are null, exit
  235.         if ($aclPerm === null && $aclPermOwnArticle)
  236.             return false;
  238.         // Get First one
  239.         if ($aclPerm !== null)
  240.         {
  241.             $acl $this->aclRepository->findOneBy(array(
  242.                 'function'        =>    $function,
  243.                 'permission'    =>    $aclPerm
  244.             ));
  245.             if ($acl !== null)
  246.             {
  247.                 if ($acl->getValue())
  248.                 {
  249.                     // A single positive answer is enough
  250.                     return true;
  251.                 }
  252.             }
  253.         }
  254.         // If we are here it means that nothing good has been found
  255.         // Load second permission
  256.         if ($aclPermOwnArticle !== null)
  257.         {
  258.             $acl $this->aclRepository->findOneBy(array(
  259.                 'function'        =>    $function,
  260.                 'permission'    =>    $aclPermOwnArticle
  261.             ));
  262.             if ($acl !== null)
  263.             {
  264.                 if ($acl->getValue())
  265.                 {
  266.                     // A single positive answer is enough
  267.                     // In this case the good answer will be provided by the checkSociety
  268.                     return $this->checkArticleAuthor($comment$user);
  269.                 }
  270.             }
  271.         }
  272.         // If we are here, all hope is lost
  273.         return false;
  274.     }
  276.     private function canDelete(Comment $commentAccess $userAccessFunction $function)
  277.     {
  278.         // Always allow deleting own's comments
  279.         if ($this->checkAuthor($comment$user))
  280.             return true;
  282.         // Get AclPermissions
  283.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
  284.         $aclPermOwnArticle $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_OWN_ARTICLE);
  286.         // If all are null, exit
  287.         if ($aclPerm === null && $aclPermOwnArticle === null)
  288.             return false;
  290.         // Get First one
  291.         if ($aclPerm !== null)
  292.         {
  293.             $acl $this->aclRepository->findOneBy(array(
  294.                 'function'        =>    $function,
  295.                 'permission'    =>    $aclPerm
  296.             ));
  297.             if ($acl !== null)
  298.             {
  299.                 if ($acl->getValue())
  300.                 {
  301.                     // A single positive answer is enough
  302.                     return true;
  303.                 }
  304.             }
  305.         }
  306.         // If we are here it means that nothing good has been found
  307.         // Load second permission
  308.         if ($aclPermOwnArticle !== null)
  309.         {
  310.             $acl $this->aclRepository->findOneBy(array(
  311.                 'function'        =>    $function,
  312.                 'permission'    =>    $aclPermOwnArticle
  313.             ));
  314.             if ($acl !== null)
  315.             {
  316.                 if ($acl->getValue())
  317.                 {
  318.                     // A single positive answer is enough
  319.                     // In this case the good answer will be provided by the checkSociety
  320.                     return $this->checkArticleAuthor($comment$user);
  321.                 }
  322.             }
  323.         }
  324.         // If we are here, all hope is lost
  325.         return false;
  326.     }
  327. }