src/Security/CostVoter.php line 115

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/CostVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Platform\Cost\Cost;
  16. use App\Entity\Platform\Cost\CostNote;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclPermission;
  19. use App\Services\LogTools;
  20. use App\Services\Config\OptionConfigTools;
  21. use App\Services\Config\ModuleTools;
  23. class CostVoter extends Voter
  24. {
  25.     //--------------------------------------------------------------------------------
  26.     // is_granted constants
  27.     const IS_ACTIVE "cost_is_active";
  29.     const ADD "add_cost";
  30.     const ADD_FOR_OTHERS "add_cost_for_others";
  31.     const ADD_WITH_EDITABLE_STATUS "add_cost_with_editable_status";
  33.     // Plan.io Task #4507
  34.     const ADD_COST_VENDOR_INVOICE "add_cost_vendor_invoice";
  36.     const LISTING "list_costs";
  37.     const LISTING_SOCIETY "list_costs_society";
  38.     const LISTING_OWN "list_costs_own";
  39.     const LISTING_ANY "list_costs_any";
  41.     const VIEW "view_cost";
  43.     const EDIT "edit_cost";
  44.     const EDIT_STATUS "edit_cost_status";
  45.     const EDIT_TYPE "edit_cost_type";
  47.     const DELETE "delete_cost";
  49.     const SEEN "mark_seen_cost";
  51.     const ADD_COST_NOTE "add_cost_note";
  52.     const EDIT_COST_NOTE "edit_cost_note";
  53.     const DELETE_COST_NOTE "delete_cost_note";
  55.     // Plan.io Task #4426
  56.     const IS_ACTIVE_COST_AUTO_ACCOUNT "cost_auto_account_is_active";
  58.     const IS_GRANTED_CONSTANTS = array(
  59.         self::IS_ACTIVE,
  60.         self::ADD,
  61.         self::ADD_FOR_OTHERS,
  62.         self::ADD_WITH_EDITABLE_STATUS,
  63.         self::ADD_COST_VENDOR_INVOICE,
  64.         self::LISTING,
  65.         self::LISTING_SOCIETY,
  66.         self::LISTING_OWN,
  67.         self::LISTING_ANY,
  68.         self::VIEW,
  69.         self::EDIT,
  70.         self::EDIT_STATUS,
  71.         self::EDIT_TYPE,
  72.         self::DELETE,
  73.         self::SEEN,
  74.         self::ADD_COST_NOTE,
  75.         self::EDIT_COST_NOTE,
  76.         self::DELETE_COST_NOTE,
  77.         self::IS_ACTIVE_COST_AUTO_ACCOUNT,
  78.     );
  80.     //--------------------------------------------------------------------------------
  81.     // acl constants
  82.     const ACL_PERM_ADD "cost_add";
  83.     const ACL_PERM_ADD_FOR_OTHERS "cost_add_for_others";
  84.     const ACL_PERM_ADD_WITH_EDITABLE_STATUS "cost_add_with_editable_status";
  85.     
  86.     // Plan.io Task #4507
  87.     const ACL_PERM_ADD_VENDOR_INVOICE "cost_vendor_invoice_add";
  88.     
  89.     const ACL_PERM_LISTING "cost_list";
  90.     const ACL_PERM_LISTING_SOCIETY "cost_list_society";
  91.     const ACL_PERM_LISTING_OWN "cost_list_own";
  93.     const ACL_PERM_VIEW "cost_view";
  94.     const ACL_PERM_VIEW_SOCIETY "cost_view_society";
  95.     const ACL_PERM_VIEW_OWN "cost_view_own";
  97.     const ACL_PERM_EDIT "cost_edit";
  98.     const ACL_PERM_EDIT_SOCIETY "cost_edit_society";
  99.     const ACL_PERM_EDIT_OWN "cost_edit_own";
  101.     const ACL_PERM_EDIT_STATUS "cost_edit_status";
  102.     const ACL_PERM_EDIT_STATUS_SOCIETY "cost_edit_status_society";
  104.     const ACL_PERM_DELETE "cost_delete";
  105.     const ACL_PERM_DELETE_SOCIETY "cost_delete_society";
  106.     const ACL_PERM_DELETE_OWN "cost_delete_own";
  108.     const ACL_PERM_SEEN "cost_seen";
  110.     //--------------------------------------------------------------------------------
  112.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleToolsOptionConfigTools $optionConfigToolsLogTools $logTools)
  113.     {
  114.         $this->em $doctrine->getManager();
  115.         $this->optionConfigTools $optionConfigTools;
  116.         $this->moduleTools $moduleTools;
  117.         $this->logTools $logTools;
  119.         $this->aclRepository $this->em->getRepository(Acl::class);
  120.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  121.     }
  123.     // Plan.io Task #4453 [See AccessVoter for details]
  124.     public function supportsAttribute(string $attribute): bool
  125.     {
  126.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  127.     }
  128.     
  129.     protected function supports(string $attribute$subject null): bool
  130.     {
  131.         // if the attribute isn't one we support, return false
  132.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  133.         {
  134.             return false;
  135.         }
  137.         // only vote on Cost objects inside this voter
  138.         if ($subject !== null && (!$subject instanceof Cost && !$subject instanceof CostNote))
  139.         {
  140.             return false;
  141.         }
  143.         return true;
  144.     }
  146.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  147.     {
  148.         $user $token->getUser();
  150.         if (!$user instanceof Access)
  151.         {
  152.             // the user must be logged in; if not, deny access
  153.             return false;
  154.         }
  156.         // The user must have a function; if not deny access
  157.         $function $user->getFunction();
  158.         if ($function === null)        return false;
  160.         // Plan.io Task #3710 : Get current group
  161.         $currentGroup $user->getSocietyGroup();
  162.         if ($currentGroup === null)
  163.             return false;
  165.         // Module activated ?
  166.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_COST))
  167.         {
  168.             return false;
  169.         }
  171.         // you know $subject is a Cost/CostNote object, thanks to supports
  172.         $costNote null;
  173.         if ($subject instanceof CostNote)
  174.         {
  175.             /** @var CostNote $costNote */
  176.             $costNote $subject;
  177.             /** @var Cost $cost */
  178.             $cost $costNote->getCost();
  179.         }
  180.         else
  181.         {
  182.             /** @var Cost $cost */
  183.             $cost $subject;
  184.         }
  186.         // Check current group affectation
  187.         if ($subject !== null)
  188.         {
  189.             $subjectSociety $subject->getSociety();
  190.             if ($subjectSociety === null)
  191.                 return false;
  192.             $subjectGroup $subjectSociety->getGroup();
  193.             if ($subjectGroup === null)
  194.                 return false;
  195.             if (!$currentGroup->equals($subjectGroup))
  196.                 return false;
  197.         }
  199.         switch ($attribute)
  200.         {
  201.             case self::IS_ACTIVE:
  202.                 return true;
  204.             case self::IS_ACTIVE_COST_AUTO_ACCOUNT:
  205.             {
  206.                 return $this->optionConfigTools->isActive_CostAutoAccount($currentGroup);
  207.             }
  209.             case self::ADD:
  210.                 return $this->canAdd($user$function);
  211.             case self::ADD_FOR_OTHERS:
  212.                 return $this->canAddForOthers($user$function);
  213.             case self::ADD_WITH_EDITABLE_STATUS:
  214.                 return $this->canAddWithEditableStatus($user$function);
  215.             
  216.             // Plan.io Task #4507
  217.             case self::ADD_COST_VENDOR_INVOICE:
  218.                 return $this->canAddVendorInvoice($user$function);
  220.             case self::LISTING:
  221.                 return $this->canList($user$function);
  222.             case self::LISTING_SOCIETY:
  223.                 return $this->canListSociety($user$function);
  224.             case self::LISTING_OWN:
  225.                 return $this->canListOwn($user$function);
  226.             case self::LISTING_ANY:
  227.                 return $this->canListAny($user$function);
  229.             case self::VIEW:
  230.                 return $this->canView($cost$user$function);
  232.             case self::EDIT:
  233.                 return $this->canEdit($cost$user$function);
  234.             case self::EDIT_STATUS:
  235.                 return $this->canEditStatus($cost$user$function);
  236.             case self::EDIT_TYPE:
  237.                 return $this->canEditType($cost$user$function);
  239.             case self::DELETE:
  240.                 return $this->canDelete($cost$user$function);
  242.             case self::SEEN:
  243.                 return $this->canMarkAsSeen($cost$user$function);
  245.             case self::ADD_COST_NOTE:
  246.                 return $this->canAddCostNote($cost$user$function);
  248.             case self::EDIT_COST_NOTE:
  249.                 return $this->canEditCostNote($costNote$user$function);
  251.             case self::DELETE_COST_NOTE:
  252.                 return $this->canDeleteCostNote($costNote$user$function);
  253.         }
  255.         throw new \LogicException('This code should not be reached!');
  256.     }
  258.     // $access is the user trying to load the resource
  259.     // $cost is the resource being loaded
  261.     // Check if the Society of the resource
  262.     // belongs to the societies of the $access
  263.     private function checkSociety(Cost $costAccess $access)
  264.     {
  265.         // Get all the societies of the access
  266.         $societies $access->getSocieties();
  268.         // Get the Society of the Cost
  269.         $costSociety $cost->getSociety();
  271.         if ($costSociety === null)
  272.             return false;
  274.         $found false;
  275.         foreach ($societies as $society)
  276.         {
  277.             if ($society->getId() == $costSociety->getId())
  278.             {
  279.                 $found true;
  280.                 break;
  281.             }
  282.         }
  283.         return $found;
  284.     }
  286.     // Check if the $access is the manager / author of the $cost
  287.     private function checkOwn(Cost $costAccess $access)
  288.     {
  289.         // Get author
  290.         $author $cost->getAuthor();
  291.         if ($author === null)
  292.             return false;
  294.         if ($author->getId() === $access->getId())
  295.             return true;
  297.         // Get access
  298.         $theOne $cost->getAccess();
  299.         if ($theOne === null)
  300.             return false;
  302.         if ($theOne->getId() === $access->getId())
  303.             return true;
  305.         return false;
  306.     }
  308.     private function canAdd(Access $userAccessFunction $function)
  309.     {
  310.         // Get Acl_Permission
  311.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  312.         if ($aclPerm === null)        return false;
  314.         // Get Acl
  315.         $acl $this->aclRepository->findOneBy(array(
  316.             'function'        =>    $function,
  317.             'permission'    =>    $aclPerm
  318.         ));
  319.         if ($acl === null)        return false;
  321.         // Since only one acl type can exist
  322.         // we can return the result of the acl_permission
  323.         return $acl->getValue();
  324.     }
  326.     public function canAddForOthers(Access $userAccessFunction $function)
  327.     {
  328.         // Get Acl_Permission
  329.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_FOR_OTHERS);
  330.         if ($aclPerm === null)        return false;
  332.         // Get Acl
  333.         $acl $this->aclRepository->findOneBy(array(
  334.             'function'        =>    $function,
  335.             'permission'    =>    $aclPerm
  336.         ));
  337.         if ($acl === null)        return false;
  339.         // Since only one acl type can exist
  340.         // we can return the result of the acl_permission
  341.         return $acl->getValue();
  342.     }
  344.     public function canAddWithEditableStatus(Access $userAccessFunction $function)
  345.     {
  346.         // Get Acl_Permission
  347.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_WITH_EDITABLE_STATUS);
  348.         if ($aclPerm === null)        return false;
  350.         // Get Acl
  351.         $acl $this->aclRepository->findOneBy(array(
  352.             'function'        =>    $function,
  353.             'permission'    =>    $aclPerm
  354.         ));
  355.         if ($acl === null)        return false;
  357.         // Since only one acl type can exist
  358.         // we can return the result of the acl_permission
  359.         return $acl->getValue();
  360.     }
  362.     // Plan.io Task #4507
  363.     public function canAddVendorInvoice(Access $userAccessFunction $function)
  364.     {
  365.         // Get Acl_Permission
  366.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_VENDOR_INVOICE);
  367.         if ($aclPerm === null)        return false;
  369.         // Get Acl
  370.         $acl $this->aclRepository->findOneBy(array(
  371.             'function'        =>    $function,
  372.             'permission'    =>    $aclPerm
  373.         ));
  374.         if ($acl === null)        return false;
  376.         // Since only one acl type can exist
  377.         // we can return the result of the acl_permission
  378.         return $acl->getValue();
  379.     }
  381.     private function canList(Access $userAccessFunction $function)
  382.     {
  383.         // Get Acl_Permission
  384.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  385.         if ($aclPerm === null)        return false;
  387.         // Get Acl
  388.         $acl $this->aclRepository->findOneBy(array(
  389.             'function'        =>    $function,
  390.             'permission'    =>    $aclPerm
  391.         ));
  392.         if ($acl === null)        return false;
  394.         // Since only one acl type can exist
  395.         // we can return the result of the acl_permission
  396.         return $acl->getValue();
  397.     }
  399.     private function canListSociety(Access $userAccessFunction $function)
  400.     {
  401.         // Get Acl_Permission
  402.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  403.         if ($aclPerm === null)        return false;
  405.         // Get Acl
  406.         $acl $this->aclRepository->findOneBy(array(
  407.             'function'        =>    $function,
  408.             'permission'    =>    $aclPerm
  409.         ));
  410.         if ($acl === null)        return false;
  412.         // Since only one acl type can exist
  413.         // we can return the result of the acl_permission
  414.         // Further filtering is done in the Controller
  415.         return $acl->getValue();
  416.     }
  418.     private function canListOwn(Access $userAccessFunction $function)
  419.     {
  420.         // Get Acl_Permission
  421.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_OWN);
  422.         if ($aclPerm === null)        return false;
  424.         // Get Acl
  425.         $acl $this->aclRepository->findOneBy(array(
  426.             'function'        =>    $function,
  427.             'permission'    =>    $aclPerm
  428.         ));
  429.         if ($acl === null)        return false;
  431.         // Since only one acl type can exist
  432.         // we can return the result of the acl_permission
  433.         // Further filtering is done in the Controller
  434.         return $acl->getValue();
  435.     }
  437.     private function canListAny(Access $userAccessFunction $function)
  438.     {
  439.         // Two Acl_Permission may exist
  440.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  441.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  442.         $aclPermOwn $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_OWN);
  444.         // If all are null, exit
  445.         if ($aclPerm === null && $aclPermSociety === null && $aclPermOwn === null)
  446.             return false;
  448.         // Get First one
  449.         if ($aclPerm !== null)
  450.         {
  451.             $acl $this->aclRepository->findOneBy(array(
  452.                 'function'        =>    $function,
  453.                 'permission'    =>    $aclPerm
  454.             ));
  455.             if ($acl !== null)
  456.             {
  457.                 if ($acl->getValue())
  458.                 {
  459.                     // A single positive answer is enough
  460.                     return true;
  461.                 }
  462.             }
  463.         }
  464.         // If we are here it means that nothing good has been found
  465.         // Load second permission
  466.         if ($aclPermSociety !== null)
  467.         {
  468.             $acl $this->aclRepository->findOneBy(array(
  469.                 'function'        =>    $function,
  470.                 'permission'    =>    $aclPermSociety
  471.             ));
  472.             if ($acl !== null)
  473.             {
  474.                 if ($acl->getValue())
  475.                 {
  476.                     // A single positive answer is enough
  477.                     return true;
  478.                 }
  479.             }
  480.         }
  481.         // If we are here it means that nothing good has been found
  482.         // Load third permission
  483.         if ($aclPermOwn !== null)
  484.         {
  485.             $acl $this->aclRepository->findOneBy(array(
  486.                 'function'        =>    $function,
  487.                 'permission'    =>    $aclPermOwn
  488.             ));
  489.             if ($acl !== null)
  490.             {
  491.                 if ($acl->getValue())
  492.                 {
  493.                     // A single positive answer is enough
  494.                     return true;
  495.                 }
  496.             }
  497.         }
  498.         // If we are here, all hope is lost
  499.         return false;
  500.     }
  502.     private function canView(Cost $costAccess $userAccessFunction $function)
  503.     {
  504.         // Get Acl_Permissions
  505.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  506.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  507.         $aclPermOwn $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_OWN);
  509.         // If all are null, exit
  510.         if ($aclPerm === null && $aclPermSociety === null && $aclPermOwn === null)
  511.             return false;
  513.         // Get First one
  514.         if ($aclPerm !== null)
  515.         {
  516.             $acl $this->aclRepository->findOneBy(array(
  517.                 'function'        =>    $function,
  518.                 'permission'    =>    $aclPerm
  519.             ));
  520.             if ($acl !== null)
  521.             {
  522.                 if ($acl->getValue())
  523.                 {
  524.                     // A single positive answer is enough
  525.                     return true;
  526.                 }
  527.             }
  528.         }
  530.         // If we are here it means that nothing good has been found
  531.         // Load second permission
  532.         if ($aclPermSociety !== null)
  533.         {
  534.             $acl $this->aclRepository->findOneBy(array(
  535.                 'function'        =>    $function,
  536.                 'permission'    =>    $aclPermSociety
  537.             ));
  538.             if ($acl !== null)
  539.             {
  540.                 if ($acl->getValue())
  541.                 {
  542.                     // A single positive answer is enough
  543.                     // In this case the good answer will be provided by the checkSociety
  544.                     return $this->checkSociety($cost$user);
  545.                 }
  546.             }
  547.         }
  549.         // If we are here it means that nothing good has been found
  550.         // Load third permission
  551.         if ($aclPermOwn !== null)
  552.         {
  553.             $acl $this->aclRepository->findOneBy(array(
  554.                 'function'        =>    $function,
  555.                 'permission'    =>    $aclPermOwn
  556.             ));
  557.             if ($acl !== null)
  558.             {
  559.                 if ($acl->getValue())
  560.                 {
  561.                     // A single positive answer is enough
  562.                     // In this case the good answer will be provided by the checkOwn
  563.                     return $this->checkOwn($cost$user);
  564.                 }
  565.             }
  566.         }
  568.         // If we are here, all hope is lost
  569.         return false;
  570.     }
  572.     private function canEdit(Cost $costAccess $userAccessFunction $function)
  573.     {
  574.         // Children only
  575.         // Plan.io Task #4416 => VendorInvoice also
  576.         if ($cost->getParent() === null && $cost->isNotVendorInvoice())
  577.         {
  578.             return false;
  579.         }
  581.         // If the initial status has changed => Deny editing
  582.         if ($cost->getStatus() === null)
  583.         {
  584.             // This should not happen
  585.             return false;
  586.         }
  587.         else
  588.         {
  589.             if ($cost->getStatus()->isNotDefaultValue())
  590.             {
  591.                 return false;
  592.             }
  593.         }
  595.         // Three Acl_Permission may exist
  596.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  597.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  598.         $aclPermOwn $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_OWN);
  600.         // If all are null, exit
  601.         if ($aclPerm === null && $aclPermSociety === null && $aclPermOwn === null)
  602.             return false;
  604.         // Get First one
  605.         if ($aclPerm !== null)
  606.         {
  607.             $acl $this->aclRepository->findOneBy(array(
  608.                 'function'        =>    $function,
  609.                 'permission'    =>    $aclPerm
  610.             ));
  611.             if ($acl !== null)
  612.             {
  613.                 if ($acl->getValue())
  614.                 {
  615.                     // A single positive answer is enough
  616.                     return true;
  617.                 }
  618.             }
  619.         }
  620.         // If we are here it means that nothing good has been found
  621.         // Load second permission
  622.         if ($aclPermSociety !== null)
  623.         {
  624.             $acl $this->aclRepository->findOneBy(array(
  625.                 'function'        =>    $function,
  626.                 'permission'    =>    $aclPermSociety
  627.             ));
  628.             if ($acl !== null)
  629.             {
  630.                 if ($acl->getValue())
  631.                 {
  632.                     // A single positive answer is enough
  633.                     // In this case the good answer will be provided by the checkSociety
  634.                     return $this->checkSociety($cost$user);
  635.                 }
  636.             }
  637.         }
  638.         // If we are here it means that nothing good has been found
  639.         // Load third permission
  640.         if ($aclPermOwn !== null)
  641.         {
  642.             $acl $this->aclRepository->findOneBy(array(
  643.                 'function'        =>    $function,
  644.                 'permission'    =>    $aclPermOwn
  645.             ));
  646.             if ($acl !== null)
  647.             {
  648.                 if ($acl->getValue())
  649.                 {
  650.                     // A single positive answer is enough
  651.                     // In this case the good answer will be provided by the checkOwn
  652.                     return $this->checkOwn($cost$user);
  653.                 }
  654.             }
  655.         }
  656.         // If we are here, all hope is lost
  657.         return false;
  658.     }
  660.     private function canEditStatus(Cost $costAccess $userAccessFunction $function)
  661.     {
  662.         // Parent only
  663.         if (!$cost->isParent())
  664.         {
  665.             return false;
  666.         }
  668.         // Two Acl_Permission may exist
  669.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_STATUS);
  670.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_STATUS_SOCIETY);
  672.         // If all are null, exit
  673.         if ($aclPerm === null && $aclPermSociety === null)
  674.             return false;
  676.         // Get First one
  677.         if ($aclPerm !== null)
  678.         {
  679.             $acl $this->aclRepository->findOneBy(array(
  680.                 'function'        =>    $function,
  681.                 'permission'    =>    $aclPerm
  682.             ));
  683.             if ($acl !== null)
  684.             {
  685.                 if ($acl->getValue())
  686.                 {
  687.                     // A single positive answer is enough
  688.                     return true;
  689.                 }
  690.             }
  691.         }
  692.         // If we are here it means that nothing good has been found
  693.         // Load second permission
  694.         if ($aclPermSociety !== null)
  695.         {
  696.             $acl $this->aclRepository->findOneBy(array(
  697.                 'function'        =>    $function,
  698.                 'permission'    =>    $aclPermSociety
  699.             ));
  700.             if ($acl !== null)
  701.             {
  702.                 if ($acl->getValue())
  703.                 {
  704.                     // A single positive answer is enough
  705.                     // In this case the good answer will be provided by the checkSociety
  706.                     return $this->checkSociety($cost$user);
  707.                 }
  708.             }
  709.         }
  710.         // If we are here, all hope is lost
  711.         return false;
  712.     }
  714.     public function canEditType(Cost $costAccess $userAccessFunction $function)
  715.     {
  716.         // Parents only
  717.         if ($cost->getParent() !== null)
  718.         {
  719.             return false;
  720.         }
  722.         // No Acl_Permissions for now (Same as Rekto version)
  723.         if ($cost->getStatus() === null)
  724.         {
  725.             return false;
  726.         }
  727.         if ($cost->getStatus()->isDefaultValue())
  728.         {
  729.             return true;
  730.         }
  732.         // If we are here, all hope is lost
  733.         return false;
  734.     }
  736.     public function canDelete(Cost $costAccess $userAccessFunction $function)
  737.     {
  738.         // Children only
  739.         // Plan.io Task #4416 => VendorInvoice also
  740.         if ($cost->getParent() === null && $cost->isNotVendorInvoice())
  741.         {
  742.             return false;
  743.         }
  745.         // Check status (children only => avoid error when dealing with VendorInvoice Costs)
  746.         if ($cost->getParent() !== null)
  747.         {
  748.             if ($cost->getParent()->getStatus() === null)
  749.             {
  750.                 // This should not happen
  751.                 return false;
  752.             }
  753.             if ($cost->getParent()->getStatus()->deniesDelete())
  754.             {
  755.                 return false;
  756.             }
  757.         }
  758.         else
  759.         {
  760.             // Parent is null, so this is a Cost VendorInvoice
  761.             // => Check status directly
  762.             if ($cost->getStatus()->deniesDelete())
  763.             {
  764.                 return false;
  765.             }
  766.         }
  768.         // Three Acl_Permission may exist
  769.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
  770.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_SOCIETY);
  771.         $aclPermOwn $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_OWN);
  773.         // If all are null, exit
  774.         if ($aclPerm === null && $aclPermSociety === null && $aclPermOwn === null)
  775.             return false;
  777.         // Get First one
  778.         if ($aclPerm !== null)
  779.         {
  780.             $acl $this->aclRepository->findOneBy(array(
  781.                 'function'        =>    $function,
  782.                 'permission'    =>    $aclPerm
  783.             ));
  784.             if ($acl !== null)
  785.             {
  786.                 if ($acl->getValue())
  787.                 {
  788.                     // A single positive answer is enough
  789.                     return true;
  790.                 }
  791.             }
  792.         }
  793.         // If we are here it means that nothing good has been found
  794.         // Load second permission
  795.         if ($aclPermSociety !== null)
  796.         {
  797.             $acl $this->aclRepository->findOneBy(array(
  798.                 'function'        =>    $function,
  799.                 'permission'    =>    $aclPermSociety
  800.             ));
  801.             if ($acl !== null)
  802.             {
  803.                 if ($acl->getValue())
  804.                 {
  805.                     // A single positive answer is enough
  806.                     // In this case the good answer will be provided by the checkSociety
  807.                     return $this->checkSociety($cost$user);
  808.                 }
  809.             }
  810.         }
  811.         // If we are here it means that nothing good has been found
  812.         // Load third permission
  813.         if ($aclPermOwn !== null)
  814.         {
  815.             $acl $this->aclRepository->findOneBy(array(
  816.                 'function'        =>    $function,
  817.                 'permission'    =>    $aclPermOwn
  818.             ));
  819.             if ($acl !== null)
  820.             {
  821.                 if ($acl->getValue())
  822.                 {
  823.                     // A single positive answer is enough
  824.                     // In this case the good answer will be provided by the checkOwn
  825.                     return $this->checkOwn($cost$user);
  826.                 }
  827.             }
  828.         }
  829.         // If we are here, all hope is lost
  830.         return false;
  831.     }
  833.     public function canMarkAsSeen(Cost $costAccess $userAccessFunction $function)
  834.     {
  835.         // Children only
  836.         if ($cost->getParent() === null)
  837.         {
  838.             return false;
  839.         }
  841.         // Get Acl_Permission
  842.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SEEN);
  843.         if ($aclPerm === null)        return false;
  845.         // Get Acl
  846.         $acl $this->aclRepository->findOneBy(array(
  847.             'function'        =>    $function,
  848.             'permission'    =>    $aclPerm
  849.         ));
  850.         if ($acl === null)        return false;
  852.         // Since only one acl type can exist
  853.         // we can return the result of the acl_permission
  854.         return $acl->getValue();
  855.     }
  857.     public function canAddCostNote(Cost $costAccess $userAccessFunction $function)
  858.     {
  859.         // Only parent case
  860.         if ($cost->isChild())
  861.         {
  862.             return false;
  863.         }
  865.         // In all cases (Plan.io Task #3001)
  866.         return true;
  867.     }
  869.     public function canEditCostNote(CostNote $costNoteAccess $userAccessFunction $function)
  870.     {
  871.         if ($costNote->getCost() === null || $costNote->getAuthor() === null)
  872.         {
  873.             // Should never happen
  874.             return false;
  875.         }
  877.         // Author case
  878.         if ($costNote->getAuthor()->equals($user))
  879.         {
  880.             return true;
  881.         }
  883.         // In all cases (Plan.io Task #3001)
  884.         return true;
  885.     }
  887.     public function canDeleteCostNote(CostNote $costNoteAccess $userAccessFunction $function)
  888.     {
  889.         if ($costNote->getCost() === null || $costNote->getAuthor() === null)
  890.         {
  891.             // Should never happen
  892.             return false;
  893.         }
  895.         // Author case
  896.         if ($costNote->getAuthor()->equals($user))
  897.         {
  898.             return true;
  899.         }
  901.         // In all cases (Plan.io Task #3001)
  902.         return true;
  903.     }
  904. }