src/Security/ArticleVoter.php line 22

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/ArticleVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\APIRest\AccessAPI;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Media\Article;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclArticle;
  19. use App\Entity\Security\AclPermission;
  20. use App\Services\Config\ModuleTools;
  22. class ArticleVoter extends Voter
  23. {
  24.     //--------------------------------------------------------------------------------
  25.     // is_granted constants
  26.     const IS_ACTIVE "article_is_active";
  28.     const ADD "add_article";
  29.     const VIEW "view_article";
  30.     const EDIT "edit_article";
  31.     const APPROVE "approve_article";
  32.     const DELETE "delete_article";
  34.     const ADD_COMMENT "add_comment";
  36.     const MODERATION "article_moderation";
  38.     const LIST_ANY "list_article_any";
  40.     const IS_GRANTED_CONSTANTS = array(
  41.         self::IS_ACTIVE,
  42.         self::ADD,
  43.         self::VIEW,
  44.         self::EDIT,
  45.         self::APPROVE,
  46.         self::DELETE,
  47.         self::ADD_COMMENT,
  48.         self::MODERATION,
  49.         self::LIST_ANY,
  50.     );
  52.     //--------------------------------------------------------------------------------
  53.     // acl constants
  54.     const ACL_PERM_ADD "article_add";
  56.     const ACL_PERM_EDIT "article_edit";
  57.     //const ACL_PERM_EDIT_OWN = "article_edit_own";
  59.     const ACL_PERM_APPROVE "article_approve";
  60.     //const ACL_PERM_APPROVE_OWN = "article_approve_own";
  62.     const ACL_PERM_DELETE "article_delete";
  63.     //const ACL_PERM_DELETE_OWN = "article_delete_own";
  65.     const ACL_PERM_ADD_COMMENT "article_comment_add";
  67.     //--------------------------------------------------------------------------------
  69.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  70.     {
  71.         $this->em $doctrine->getManager();
  72.         $this->moduleTools $moduleTools;
  74.         $this->aclRepository $this->em->getRepository(Acl::class);
  75.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  76.     }
  78.     // Plan.io Task #4453 [See AccessVoter for details]
  79.     public function supportsAttribute(string $attribute): bool
  80.     {
  81.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  82.     }
  84.     protected function supports(string $attribute$subject): bool
  85.     {
  86.         // if the attribute isn't one we support, return false
  87.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  88.         {
  89.             return false;
  90.         }
  92.         // only vote on Article objects inside this voter
  93.         if ($subject !== null && !$subject instanceof Article)
  94.         {
  95.             return false;
  96.         }
  98.         return true;
  99.     }
  101.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  102.     {
  103.         $user $token->getUser();
  105.         // Plan.io Task #3707
  106.         if ($user instanceof AccessAPI)
  107.         {
  108.             if ($user->getAccess() === null)
  109.             {
  110.                 return false;
  111.             }
  112.             $user $user->getAccess();
  113.         }
  115.         // Plan.io Task #3707
  116.         // At this point $user is an object of Access type
  117.         // even if the $token->getUser() is AccessAPI
  118.         if (!$user instanceof Access)
  119.         {
  120.             // the user must be logged in; if not, deny access
  121.             return false;
  122.         }
  124.         // The user must have a function; if not deny access
  125.         $function $user->getFunction();
  126.         if ($function === null)        return false;
  128.         // Plan.io Task #3710 : Get current group
  129.         $currentGroup $user->getSocietyGroup();
  130.         if ($currentGroup === null)
  131.             return false;
  133.         // Module activated ?
  134.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_ARTICLE))
  135.         {
  136.             return false;
  137.         }
  139.         // you know $subject is a Article object, thanks to supports
  140.         /** @var Article $article */
  141.         $article $subject;
  143.         // Check current group affectation
  144.         if ($subject !== null)
  145.         {
  146.             $subjectGroup $subject->getSocietyGroup();
  147.             if ($subjectGroup === null)
  148.                 return false;
  149.             if (!$currentGroup->equals($subjectGroup))
  150.                 return false;
  151.         }
  153.         switch ($attribute)
  154.         {
  155.             case self::IS_ACTIVE:
  156.                 return true;
  158.             case self::ADD:
  159.                 return $this->canAdd($user$function);
  161.             case self::VIEW:
  162.                 return $this->canView($article$user$function);
  164.             case self::EDIT:
  165.                 return $this->canEdit($article$user$function);
  167.             case self::DELETE:
  168.                 return $this->canDelete($article$user$function);
  170.             case self::APPROVE:
  171.                 return $this->canApprove($article$user$function);
  173.             case self::ADD_COMMENT:
  174.                 return $this->canAddComment($article$user$function);
  176.             case self::MODERATION:
  177.                 return $this->canModerate($user$function);
  179.             case self::LIST_ANY:
  180.                 return $this->canListAny($user$function);
  181.         }
  183.         throw new \LogicException('This code should not be reached!');
  184.     }
  186.     // $access is the user trying to load the resource
  187.     // $article is the resource being loaded
  189.     private function checkAuthor(Article $articleAccess $access)
  190.     {
  191.         $author $article->getAuthor();
  192.         if ($author === null)
  193.             return false;
  195.         if ($author->getId() == $access->getId())
  196.             return true;
  198.         return false;
  199.     }
  201.     private function canAdd(Access $userAccessFunction $function)
  202.     {
  203.         // Get AclPermission
  204.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  205.         if ($aclPerm === null)        return false;
  207.         // Get Acl
  208.         $acl $this->aclRepository->findOneBy(array(
  209.             'function'        =>    $function,
  210.             'permission'    =>    $aclPerm
  211.         ));
  212.         if ($acl === null)        return false;
  214.         // Since only one acl type can exist
  215.         // we can return the result of the acl_permission
  216.         return $acl->getValue();
  217.     }
  219.     private function canView(Article $articleAccess $userAccessFunction $function)
  220.     {
  221.         if ($this->checkAuthor($article$user))
  222.             return true;
  224.         $acl $this->em->getRepository(AclArticle::class)
  225.             ->findOneBy(array(
  226.                 'article'                =>    $article,
  227.                 'accessFunction'        =>    $function,
  228.             ));
  230.         if ($acl === null)
  231.             return false;
  233.         return $acl->canView();
  234.     }
  236.     private function canEdit(Article $articleAccess $userAccessFunction $function)
  237.     {
  238.         // Always allow editing own's articles
  239.         if ($this->checkAuthor($article$user))
  240.             return true;
  242.         // Get AclPermissions
  243.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  245.         // If all are null, exit
  246.         if ($aclPerm === null)
  247.             return false;
  249.         // Get First one
  250.         if ($aclPerm !== null)
  251.         {
  252.             $acl $this->aclRepository->findOneBy(array(
  253.                 'function'        =>    $function,
  254.                 'permission'    =>    $aclPerm
  255.             ));
  256.             if ($acl !== null)
  257.             {
  258.                 if ($acl->getValue())
  259.                 {
  260.                     // A single positive answer is enough
  261.                     return true;
  262.                 }
  263.             }
  264.         }
  265.         // If we are here, all hope is lost
  266.         return false;
  267.     }
  269.     private function canApprove(Article $articleAccess $userAccessFunction $function)
  270.     {
  271.         // Get AclPermissions
  272.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE);
  274.         // If all are null, exit
  275.         if ($aclPerm === null && $aclPermOwn === null)
  276.             return false;
  278.         // Get First one
  279.         if ($aclPerm !== null)
  280.         {
  281.             $acl $this->aclRepository->findOneBy(array(
  282.                 'function'        =>    $function,
  283.                 'permission'    =>    $aclPerm
  284.             ));
  285.             if ($acl !== null)
  286.             {
  287.                 if ($acl->getValue())
  288.                 {
  289.                     // A single positive answer is enough
  290.                     return true;
  291.                 }
  292.             }
  293.         }
  294.         // If we are here, all hope is lost
  295.         return false;
  296.     }
  298.     private function canDelete(Article $articleAccess $userAccessFunction $function)
  299.     {
  300.         // Always allow deleting own's articles
  301.         if ($this->checkAuthor($article$user))
  302.             return true;
  304.         // Get AclPermissions
  305.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
  307.         // If all are null, exit
  308.         if ($aclPerm === null)
  309.             return false;
  311.         // Get First one
  312.         if ($aclPerm !== null)
  313.         {
  314.             $acl $this->aclRepository->findOneBy(array(
  315.                 'function'        =>    $function,
  316.                 'permission'    =>    $aclPerm
  317.             ));
  318.             if ($acl !== null)
  319.             {
  320.                 if ($acl->getValue())
  321.                 {
  322.                     // A single positive answer is enough
  323.                     return true;
  324.                 }
  325.             }
  326.         }
  327.         // If we are here, all hope is lost
  328.         return false;
  329.     }
  331.     private function canAddComment(Article $articleAccess $userAccessFunction $function)
  332.     {
  333.         // Get AclPermissions
  334.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_COMMENT);
  336.         // If all are null, exit
  337.         if ($aclPerm === null)
  338.             return false;
  340.         // Get First one
  341.         if ($aclPerm !== null)
  342.         {
  343.             $acl $this->aclRepository->findOneBy(array(
  344.                 'function'        =>    $function,
  345.                 'permission'    =>    $aclPerm
  346.             ));
  347.             if ($acl !== null)
  348.             {
  349.                 if ($acl->getValue())
  350.                 {
  351.                     // A single positive answer is enough
  352.                     return true;
  353.                 }
  354.             }
  355.         }
  356.         // If we are here, all hope is lost
  357.         return false;
  358.     }
  360.     private function canModerate(Access $userAccessFunction $function)
  361.     {
  362.         // Get AclPermissions
  363.         $acls = array();
  365.         $acls[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE);
  366.         //$acls[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE_OWN);
  368.         $acls[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  369.         //$acls[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_OWN);
  371.         $acls[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
  372.         //$acls[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_OWN);
  374.         // If all are null, exit
  375.         $allNull true;
  376.         foreach ($acls as $acl)
  377.         {
  378.             if ($acl !== null)
  379.             {
  380.                 $allNull false;
  381.                 break;
  382.             }
  383.         }
  385.         if ($allNull)
  386.             return false;
  388.         // Test
  389.         foreach ($acls as $aclPerm)
  390.         {
  391.             if ($aclPerm !== null)
  392.             {
  393.                 $acl $this->aclRepository->findOneBy(array(
  394.                     'function'        =>    $function,
  395.                     'permission'    =>    $aclPerm
  396.                 ));
  397.                 if ($acl !== null)
  398.                 {
  399.                     if ($acl->getValue())
  400.                     {
  401.                         // A single positive answer is enough
  402.                         return true;
  403.                     }
  404.                 }
  405.             }
  406.         }
  408.         // If we are here, all hope is lost
  409.         return false;
  410.     }
  412.     public function canListAny(Access $userAccessFunction $function)
  413.     {
  414.         return true;
  415.     }
  416. }