src/Security/CommandVoter.php line 20

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/CommandVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Platform\Command\Command;
  16. use App\Entity\Security\Acl;
  17. use App\Entity\Security\AclPermission;
  18. use App\Services\Config\ModuleTools;
  20. class CommandVoter extends Voter
  21. {
  22.     //--------------------------------------------------------------------------------
  23.     // is_granted constants
  24.     const IS_ACTIVE "command_is_active";
  26.     const ADD "add_command";
  28.     const LISTING "list_commands";
  29.     const LISTING_SOCIETY "list_commands_society";
  30.     const LISTING_MANAGER "list_commands_manager";
  31.     const LISTING_ANY "list_commands_any";
  33.     const VIEW "view_command";
  34.     const EDIT "edit_command";
  36.     const VIEW_PDF "view_pdf_command";
  38.     const IS_GRANTED_CONSTANTS = array(
  39.         self::IS_ACTIVE,
  40.         self::ADD,
  41.         self::LISTING,
  42.         self::LISTING_SOCIETY,
  43.         self::LISTING_MANAGER,
  44.         self::LISTING_ANY,
  45.         self::VIEW,
  46.         self::EDIT,
  47.         self::VIEW_PDF,
  48.     );
  50.     //--------------------------------------------------------------------------------
  51.     // acl constants
  52.     const ACL_PERM_ADD "command_add";
  54.     const ACL_PERM_LISTING "command_list";
  55.     const ACL_PERM_LISTING_SOCIETY "command_list_society";
  56.     const ACL_PERM_LISTING_MANAGER "command_list_manager";
  58.     const ACL_PERM_VIEW "command_view";
  59.     const ACL_PERM_VIEW_SOCIETY "command_view_society";
  60.     const ACL_PERM_VIEW_MANAGER "command_view_manager";
  62.     const ACL_PERM_EDIT "command_edit";
  63.     const ACL_PERM_EDIT_SOCIETY "command_edit_society";
  64.     const ACL_PERM_EDIT_MANAGER "command_edit_manager";
  66.     const ACL_PERM_VIEW_PDF "command_view_pdf";
  67.     const ACL_PERM_VIEW_PDF_SOCIETY "command_view_pdf_society";
  68.     const ACL_PERM_VIEW_PDF_MANAGER "command_view_pdf_manager";
  70.     //--------------------------------------------------------------------------------
  72.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  73.     {
  74.         $this->em $doctrine->getManager();
  75.         $this->moduleTools $moduleTools;
  77.         $this->aclRepository $this->em->getRepository(Acl::class);
  78.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  79.     }
  81.     // Plan.io Task #4453 [See AccessVoter for details]
  82.     public function supportsAttribute(string $attribute): bool
  83.     {
  84.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  85.     }
  87.     protected function supports(string $attribute$subject null): bool
  88.     {
  89.         // if the attribute isn't one we support, return false
  90.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  91.         {
  92.             return false;
  93.         }
  95.         // only vote on Command objects inside this voter
  96.         if ($subject !== null && !$subject instanceof Command)
  97.         {
  98.             return false;
  99.         }
  101.         return true;
  102.     }
  104.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  105.     {
  106.         $user $token->getUser();
  108.         if (!$user instanceof Access)
  109.         {
  110.             // the user must be logged in; if not, deny access
  111.             return false;
  112.         }
  114.         // The user must have a function; if not deny access
  115.         $function $user->getFunction();
  116.         if ($function === null)        return false;
  118.         // Plan.io Task #3710 : Get current group
  119.         $currentGroup $user->getSocietyGroup();
  120.         if ($currentGroup === null)
  121.             return false;
  123.         // Module activated ?
  124.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_COMMAND))
  125.         {
  126.             return false;
  127.         }
  128.         // Check supplier also
  129.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_SUPPLIER))
  130.         {
  131.             return false;
  132.         }
  133.         // Check product / template also
  134.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_PRODUCT))
  135.         {
  136.             return false;
  137.         }
  139.         // you know $subject is a Command object, thanks to supports
  140.         /** @var Command $command */
  141.         $command $subject;
  143.         // Check current group affectation
  144.         if ($subject !== null)
  145.         {
  146.             $subjectSociety $subject->getSociety();
  147.             if ($subjectSociety === null)
  148.                 return false;
  149.             $subjectGroup $subjectSociety->getGroup();
  150.             if ($subjectGroup === null)
  151.                 return false;
  152.             if (!$currentGroup->equals($subjectGroup))
  153.                 return false;
  154.         }
  156.         switch ($attribute)
  157.         {
  158.             case self::IS_ACTIVE:
  159.                 return true;
  161.             case self::ADD:
  162.                 return $this->canAdd($user$function);
  164.             case self::LISTING:
  165.                 return $this->canList($user$function);
  166.             case self::LISTING_SOCIETY:
  167.                 return $this->canListSociety($user$function);
  168.             case self::LISTING_MANAGER:
  169.                 return $this->canListManager($user$function);
  170.             case self::LISTING_ANY:
  171.                 return $this->canListAny($user$function);
  173.             case self::VIEW:
  174.                 return $this->canView($command$user$function);
  176.             case self::EDIT:
  177.                 return $this->canEdit($command$user$function);
  179.             case self::VIEW_PDF:
  180.                 return $this->canViewPdf($command$user$function);
  181.         }
  183.         throw new \LogicException('This code should not be reached!');
  184.     }
  186.     // $access is the user trying to load the resource
  187.     // $command is the resource being loaded
  189.     // Check if the Society of the resource
  190.     // belongs to the societies of the $access
  191.     private function checkSociety(Command $commandAccess $access)
  192.     {
  193.         // Get all the societies of the access
  194.         $societies $access->getSocieties();
  196.         // Get the Society of the Command
  197.         $commandSociety $command->getSociety();
  199.         if ($commandSociety === null)
  200.             return false;
  202.         $found false;
  203.         foreach ($societies as $society)
  204.         {
  205.             if ($society->getId() == $commandSociety->getId())
  206.             {
  207.                 $found true;
  208.                 break;
  209.             }
  210.         }
  211.         return $found;
  212.     }
  214.     // Check if the $access is the manager / author of the $command
  215.     private function checkManager(Command $commandAccess $access)
  216.     {
  217.         // Get manager
  218.         $manager $command->getManager();
  219.         $author $command->getAuthor();
  220.         $accessCommand $command->getAccess();
  222.         if ($manager === null && $author === null)
  223.             return false;
  225.         if ($manager !== null)
  226.             if ($manager->getId() === $access->getId())
  227.                 return true;
  229.         if ($author !== null)
  230.             if ($author->getId() === $access->getId())
  231.                 return true;
  233.         if ($accessCommand !== null)
  234.             if ($accessCommand->getId() === $access->getId())
  235.                 return true;
  237.         return false;
  238.     }
  240.     private function canAdd(Access $userAccessFunction $function)
  241.     {
  242.         // Get Acl_Permission
  243.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  244.         if ($aclPerm === null)        return false;
  246.         // Get Acl
  247.         $acl $this->aclRepository->findOneBy(array(
  248.             'function'        =>    $function,
  249.             'permission'    =>    $aclPerm
  250.         ));
  251.         if ($acl === null)        return false;
  253.         // Since only one acl type can exist
  254.         // we can return the result of the acl_permission
  255.         return $acl->getValue();
  256.     }
  258.     private function canList(Access $userAccessFunction $function)
  259.     {
  260.         // Get Acl_Permission
  261.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  262.         if ($aclPerm === null)        return false;
  264.         // Get Acl
  265.         $acl $this->aclRepository->findOneBy(array(
  266.             'function'        =>    $function,
  267.             'permission'    =>    $aclPerm
  268.         ));
  269.         if ($acl === null)        return false;
  271.         // Since only one acl type can exist
  272.         // we can return the result of the acl_permission
  273.         return $acl->getValue();
  274.     }
  276.     private function canListSociety(Access $userAccessFunction $function)
  277.     {
  278.         // Get Acl_Permission
  279.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  280.         if ($aclPerm === null)        return false;
  282.         // Get Acl
  283.         $acl $this->aclRepository->findOneBy(array(
  284.             'function'        =>    $function,
  285.             'permission'    =>    $aclPerm
  286.         ));
  287.         if ($acl === null)        return false;
  289.         // Since only one acl type can exist
  290.         // we can return the result of the acl_permission
  291.         // Further filtering is done in the Controller
  292.         return $acl->getValue();
  293.     }
  295.     private function canListManager(Access $userAccessFunction $function)
  296.     {
  297.         // Get Acl_Permission
  298.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  299.         if ($aclPerm === null)        return false;
  301.         // Get Acl
  302.         $acl $this->aclRepository->findOneBy(array(
  303.             'function'        =>    $function,
  304.             'permission'    =>    $aclPerm
  305.         ));
  306.         if ($acl === null)        return false;
  308.         // Since only one acl type can exist
  309.         // we can return the result of the acl_permission
  310.         // Further filtering is done in the Controller
  311.         return $acl->getValue();
  312.     }
  314.     private function canListAny(Access $userAccessFunction $function)
  315.     {
  316.         // Two Acl_Permission may exist
  317.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  318.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  319.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  321.         // If all are null, exit
  322.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  323.             return false;
  325.         // Get First one
  326.         if ($aclPerm !== null)
  327.         {
  328.             $acl $this->aclRepository->findOneBy(array(
  329.                 'function'        =>    $function,
  330.                 'permission'    =>    $aclPerm
  331.             ));
  332.             if ($acl !== null)
  333.             {
  334.                 if ($acl->getValue())
  335.                 {
  336.                     // A single positive answer is enough
  337.                     return true;
  338.                 }
  339.             }
  340.         }
  341.         // If we are here it means that nothing good has been found
  342.         // Load second permission
  343.         if ($aclPermSociety !== null)
  344.         {
  345.             $acl $this->aclRepository->findOneBy(array(
  346.                 'function'        =>    $function,
  347.                 'permission'    =>    $aclPermSociety
  348.             ));
  349.             if ($acl !== null)
  350.             {
  351.                 if ($acl->getValue())
  352.                 {
  353.                     // A single positive answer is enough
  354.                     return true;
  355.                 }
  356.             }
  357.         }
  358.         // If we are here it means that nothing good has been found
  359.         // Load third permission
  360.         if ($aclPermManager !== null)
  361.         {
  362.             $acl $this->aclRepository->findOneBy(array(
  363.                 'function'        =>    $function,
  364.                 'permission'    =>    $aclPermManager
  365.             ));
  366.             if ($acl !== null)
  367.             {
  368.                 if ($acl->getValue())
  369.                 {
  370.                     // A single positive answer is enough
  371.                     return true;
  372.                 }
  373.             }
  374.         }
  375.         // If we are here, all hope is lost
  376.         return false;
  377.     }
  379.     private function canView(Command $commandAccess $userAccessFunction $function)
  380.     {
  381.         // Get Acl_Permissions
  382.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  383.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  384.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_MANAGER);
  386.         // If all are null, exit
  387.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  388.             return false;
  390.         // Get First one
  391.         if ($aclPerm !== null)
  392.         {
  393.             $acl $this->aclRepository->findOneBy(array(
  394.                 'function'        =>    $function,
  395.                 'permission'    =>    $aclPerm
  396.             ));
  397.             if ($acl !== null)
  398.             {
  399.                 if ($acl->getValue())
  400.                 {
  401.                     // A single positive answer is enough
  402.                     return true;
  403.                 }
  404.             }
  405.         }
  407.         // If we are here it means that nothing good has been found
  408.         // Load second permission
  409.         if ($aclPermSociety !== null)
  410.         {
  411.             $acl $this->aclRepository->findOneBy(array(
  412.                 'function'        =>    $function,
  413.                 'permission'    =>    $aclPermSociety
  414.             ));
  415.             if ($acl !== null)
  416.             {
  417.                 if ($acl->getValue())
  418.                 {
  419.                     // A single positive answer is enough
  420.                     // In this case the good answer will be provided by the checkSociety
  421.                     return $this->checkSociety($command$user);
  422.                 }
  423.             }
  424.         }
  426.         // If we are here it means that nothing good has been found
  427.         // Load third permission
  428.         if ($aclPermManager !== null)
  429.         {
  430.             $acl $this->aclRepository->findOneBy(array(
  431.                 'function'        =>    $function,
  432.                 'permission'    =>    $aclPermManager
  433.             ));
  434.             if ($acl !== null)
  435.             {
  436.                 if ($acl->getValue())
  437.                 {
  438.                     // A single positive answer is enough
  439.                     // In this case the good answer will be provided by the checkOwn
  440.                     return $this->checkManager($command$user);
  441.                 }
  442.             }
  443.         }
  445.         // If we are here, all hope is lost
  446.         return false;
  447.     }
  449.     private function canEdit(Command $commandAccess $userAccessFunction $function)
  450.     {
  451.         // Plan.io Task #4036
  452.         // Always deny edit on PunchOut Commands if the module is inactive
  453.         if ($command->isPunchOut())
  454.         {
  455.             if ($this->moduleTools->isInactiveByCode($command->getSocietyGroup(), Module::MODULE_PUNCHOUT))
  456.             {
  457.                 return false;
  458.             }
  459.         }
  461.         // Three Acl_Permission may exist
  462.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  463.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  464.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_MANAGER);
  466.         // If all are null, exit
  467.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  468.             return false;
  470.         // Get First one
  471.         if ($aclPerm !== null)
  472.         {
  473.             $acl $this->aclRepository->findOneBy(array(
  474.                 'function'        =>    $function,
  475.                 'permission'    =>    $aclPerm
  476.             ));
  477.             if ($acl !== null)
  478.             {
  479.                 if ($acl->getValue())
  480.                 {
  481.                     // A single positive answer is enough
  482.                     return true;
  483.                 }
  484.             }
  485.         }
  486.         // If we are here it means that nothing good has been found
  487.         // Load second permission
  488.         if ($aclPermSociety !== null)
  489.         {
  490.             $acl $this->aclRepository->findOneBy(array(
  491.                 'function'        =>    $function,
  492.                 'permission'    =>    $aclPermSociety
  493.             ));
  494.             if ($acl !== null)
  495.             {
  496.                 if ($acl->getValue())
  497.                 {
  498.                     // A single positive answer is enough
  499.                     // In this case the good answer will be provided by the checkSociety
  500.                     return $this->checkSociety($command$user);
  501.                 }
  502.             }
  503.         }
  504.         // If we are here it means that nothing good has been found
  505.         // Load third permission
  506.         if ($aclPermManager !== null)
  507.         {
  508.             $acl $this->aclRepository->findOneBy(array(
  509.                 'function'        =>    $function,
  510.                 'permission'    =>    $aclPermManager
  511.             ));
  512.             if ($acl !== null)
  513.             {
  514.                 if ($acl->getValue())
  515.                 {
  516.                     // A single positive answer is enough
  517.                     // In this case the good answer will be provided by the checkOwn
  518.                     return $this->checkManager($command$user);
  519.                 }
  520.             }
  521.         }
  522.         // If we are here, all hope is lost
  523.         return false;
  524.     }
  526.     private function canViewPdf(Command $commandAccess $userAccessFunction $function)
  527.     {
  528.         // Three Acl_Permission may exist
  529.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF);
  530.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_SOCIETY);
  531.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_MANAGER);
  533.         // If all are null, exit
  534.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  535.             return false;
  537.         // Get First one
  538.         if ($aclPerm !== null)
  539.         {
  540.             $acl $this->aclRepository->findOneBy(array(
  541.                 'function'        =>    $function,
  542.                 'permission'    =>    $aclPerm
  543.             ));
  544.             if ($acl !== null)
  545.             {
  546.                 if ($acl->getValue())
  547.                 {
  548.                     // A single positive answer is enough
  549.                     return true;
  550.                 }
  551.             }
  552.         }
  553.         // If we are here it means that nothing good has been found
  554.         // Load second permission
  555.         if ($aclPermSociety !== null)
  556.         {
  557.             $acl $this->aclRepository->findOneBy(array(
  558.                 'function'        =>    $function,
  559.                 'permission'    =>    $aclPermSociety
  560.             ));
  561.             if ($acl !== null)
  562.             {
  563.                 if ($acl->getValue())
  564.                 {
  565.                     // A single positive answer is enough
  566.                     // In this case the good answer will be provided by the checkSociety
  567.                     return $this->checkSociety($command$user);
  568.                 }
  569.             }
  570.         }
  571.         // If we are here it means that nothing good has been found
  572.         // Load third permission
  573.         if ($aclPermManager !== null)
  574.         {
  575.             $acl $this->aclRepository->findOneBy(array(
  576.                 'function'        =>    $function,
  577.                 'permission'    =>    $aclPermManager
  578.             ));
  579.             if ($acl !== null)
  580.             {
  581.                 if ($acl->getValue())
  582.                 {
  583.                     // A single positive answer is enough
  584.                     // In this case the good answer will be provided by the checkOwn
  585.                     return $this->checkManager($command$user);
  586.                 }
  587.             }
  588.         }
  589.         // If we are here, all hope is lost
  590.         return false;
  591.     }
  592. }