src/Security/DemandVoter.php line 21

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/DemandVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Doctrine\Persistence\ManagerRegistry;
  12. use App\Entity\Access;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Platform\Demand\Demand;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclPermission;
  19. use App\Services\Config\ModuleTools;
  21. class DemandVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  25.     const IS_ACTIVE "demand_is_active";
  27.     const ADD "add_demand";
  28.     const CONVERT_TO_MISSION "convert_demand_to_mission";
  29.     const LINK_TO_MISSION "link_demand_to_mission";
  31.     const LISTING "list_demands";
  33.     const LISTING_SOCIETY "list_demands_society";
  34.     const LISTING_ANY "list_demands_any";
  36.     const VIEW "view_demand";
  37.     const EDIT "edit_demand";
  38.     const EDIT_SOCIETY "edit_demand_society";
  40.     const IS_GRANTED_CONSTANTS = array(
  41.         self::IS_ACTIVE,
  42.         self::ADD,
  43.         self::CONVERT_TO_MISSION,
  44.         self::LINK_TO_MISSION,
  45.         self::LISTING,
  46.         self::LISTING_SOCIETY,
  47.         self::LISTING_ANY,
  48.         self::VIEW,
  49.         self::EDIT,
  50.         self::EDIT_SOCIETY,
  51.     );
  53.     //--------------------------------------------------------------------------------
  54.     // acl constants
  56.     const ACL_PERM_ADD 'demand_add';
  58.     const ACL_PERM_LIST 'demand_list';
  59.     const ACL_PERM_LIST_SOCIETY 'demand_list_society';
  61.     const ACL_PERM_VIEW 'demand_view';
  62.     const ACL_PERM_VIEW_SOCIETY 'demand_view_society';
  64.     const ACL_PERM_EDIT 'demand_edit';
  65.     const ACL_PERM_EDIT_SOCIETY 'demand_edit_society';
  67.     const ACL_PERM_SOCIETY_EDIT 'demand_society_edit';
  68.     const ACL_PERM_SOCIETY_EDIT_SOCIETY 'demand_society_edit_society';
  70.     //--------------------------------------------------------------------------------
  72.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrineModuleTools $moduleTools)
  73.     {
  74.         $this->accessDecisionManager $accessDecisionManager;
  75.         $this->em $doctrine->getManager();
  76.         $this->moduleTools $moduleTools;
  78.         $this->aclRepository $this->em->getRepository(Acl::class);
  79.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  80.     }
  82.     // Plan.io Task #4453 [See AccessVoter for details]
  83.     public function supportsAttribute(string $attribute): bool
  84.     {
  85.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  86.     }
  88.     protected function supports(string $attribute$subject null): bool
  89.     {
  90.         // if the attribute isn't one we support, return false
  91.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  92.         {
  93.             return false;
  94.         }
  96.         // only vote on Demand objects inside this voter
  97.         if ($subject !== null && !$subject instanceof Demand)
  98.         {
  99.             return false;
  100.         }
  102.         return true;
  103.     }
  105.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  106.     {
  107.         $user $token->getUser();
  109.         if (!$user instanceof Access)
  110.         {
  111.             // the user must be logged in; if not, deny access
  112.             return false;
  113.         }
  115.         // The user must have a function; if not deny access
  116.         $function $user->getFunction();
  117.         if ($function === null)        return false;
  119.         // Plan.io Task #3710 : Get current group
  120.         $currentGroup $user->getSocietyGroup();
  121.         if ($currentGroup === null)
  122.             return false;
  124.         // Module activated ?
  125.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_DEMAND))
  126.         {
  127.             return false;
  128.         }
  130.         // you know $subject is a Demand object, thanks to supports
  131.         /** @var Demand $demand */
  132.         $demand $subject;
  134.         // Check current group affectation
  135.         if ($subject !== null)
  136.         {
  137.             $subjectSociety $subject->getSociety();
  138.             if ($subjectSociety === null)
  139.                 return false;
  140.             $subjectGroup $subjectSociety->getGroup();
  141.             if ($subjectGroup === null)
  142.                 return false;
  143.             if (!$currentGroup->equals($subjectGroup))
  144.                 return false;
  145.         }
  147.         switch ($attribute)
  148.         {
  149.             // Check is done before, in the voteOnAttribute
  150.             case self::IS_ACTIVE:
  151.                 return true;
  153.             case self::ADD:
  154.                 return $this->canAdd($demand$user$function);
  156.             case self::CONVERT_TO_MISSION:
  157.                 return $this->canConvertToMission($demand$user$function$token);
  158.             case self::LINK_TO_MISSION:
  159.                 return $this->canLinkToMission($demand$user$function$token);
  161.             case self::VIEW:
  162.                 return $this->canView($demand$user$function);
  164.             case self::EDIT:
  165.                 return $this->canEdit($demand$user$function);
  167.             case self::EDIT_SOCIETY:
  168.                 return $this->canEditSociety($demand$user$function);
  170.             case self::LISTING:
  171.                 return $this->canList($user$function);
  172.             case self::LISTING_SOCIETY:
  173.                 return $this->canListSociety($user$function);
  174.             case self::LISTING_ANY:
  175.                 return $this->canListAny($user$function);
  176.         }
  178.         throw new \LogicException('This code should not be reached!');
  179.     }
  181.     // $access is the user trying to load the resource
  182.     // $demand is the resource being loaded
  184.     // Check if the Author of the Demand is the Access
  185.     private function checkAuthor(Demand $demandAccess $access)
  186.     {
  187.         // Get the Society of the Demand
  188.         $demandAuthor $demand->getAuthor();
  190.         if ($demandAuthor === null)
  191.             return false;
  193.         if ($access->getId() == $demandAuthor->getId())
  194.             return true;
  196.         return false;
  197.     }
  199.     // Check if the Society of the Demand
  200.     // belongs to the societies of the $access
  201.     private function checkSociety(Demand $demandAccess $access)
  202.     {
  203.         // Get all the societies of the access
  204.         $societies $access->getSocieties();
  206.         // Get the Society of the Demand
  207.         $demandSociety $demand->getSociety();
  209.         if ($demandSociety === null)
  210.             return false;
  212.         $found false;
  213.         foreach ($societies as $society)
  214.         {
  215.             if ($society->getId() == $demandSociety->getId())
  216.             {
  217.                 $found true;
  218.                 break;
  219.             }
  220.         }
  221.         return $found;
  222.     }
  224.     private function canAdd(Demand $demand nullAccess $userAccessFunction $function)
  225.     {
  226.         // Get Acl_Perdemand
  227.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  228.         if ($aclPerm === null)        return false;
  230.         // Get Acl
  231.         $acl $this->aclRepository->findOneBy(array(
  232.             'function'        =>    $function,
  233.             'permission'    =>    $aclPerm
  234.         ));
  235.         if ($acl === null)        return false;
  237.         // Since only one acl type can exist
  238.         // we can return the result of the acl_permission
  239.         return $acl->getValue();
  240.     }
  242.     private function canConvertToMission(Demand $demandAccess $userAccessFunction $function$token)
  243.     {
  244.         if ($demand->getClient() === null)
  245.         {
  246.             // This should not happen
  247.             return false;
  248.         }
  249.         if ($demand->getMission() !== null)
  250.         {
  251.             // Already attached to a mission
  252.             return false;
  253.         }
  254.         if ($demand->getResultingMission() !== null)
  255.         {
  256.             // Already converted to a mission
  257.             return false;
  258.         }
  260.         // Request permission to add missions
  261.         $canAddMissions $this->accessDecisionManager->decide($token, ['add_mission']);
  263.         // Request permission to edit this demand
  264.         $canEditDemand $this->canEdit($demand$user$function);
  266.         // 27/10/2022 : For the moment don't allow other demand than jcafLocal
  267.         $isJcafLocal false;
  268.         if ($demand->getType() !== null)
  269.         {
  270.             $isJcafLocal $demand->getType()->getJcafLocal();
  271.         }
  273.         if ($canAddMissions && $canEditDemand && $isJcafLocal)
  274.         {
  275.             return true;
  276.         }
  278.         return false;
  279.     }
  281.     private function canLinkToMission(Demand $demandAccess $userAccessFunction $function$token)
  282.     {
  283.         if ($demand->getClient() === null)
  284.         {
  285.             // This should not happen
  286.             return false;
  287.         }
  289.         if ($demand->getMission() !== null)
  290.         {
  291.             // Already attached to a mission
  292.             return false;
  293.         }
  294.         if ($demand->getResultingMission() !== null)
  295.         {
  296.             // Already converted to a mission
  297.             return false;
  298.         }
  300.         // Request permission to edit this demand
  301.         $canEditDemand $this->canEdit($demand$user$function);
  303.         if ($canEditDemand)
  304.         {
  305.             return true;
  306.         }
  308.         return false;
  309.     }
  311.     private function canView(Demand $demand nullAccess $userAccessFunction $function)
  312.     {
  313.         // Get Acl_Perdemands
  314.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  315.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  317.         // If all are null, exit
  318.         if ($aclPerm === null && $aclPermSociety === null)
  319.             return false;
  321.         // Get First one
  322.         if ($aclPerm !== null)
  323.         {
  324.             $acl $this->aclRepository->findOneBy(array(
  325.                 'function'        =>    $function,
  326.                 'permission'    =>    $aclPerm
  327.             ));
  328.             if ($acl !== null)
  329.             {
  330.                 if ($acl->getValue())
  331.                 {
  332.                     // A single positive answer is enough
  333.                     return true;
  334.                 }
  335.             }
  336.         }
  338.         // If we are here it means that nothing good has been found
  339.         // Load second permission
  340.         if ($aclPermSociety !== null)
  341.         {
  342.             $acl $this->aclRepository->findOneBy(array(
  343.                 'function'        =>    $function,
  344.                 'permission'    =>    $aclPermSociety
  345.             ));
  346.             if ($acl !== null)
  347.             {
  348.                 if ($acl->getValue())
  349.                 {
  350.                     // Check Society : also check author
  351.                     // Les demands appartenant à ses sociétés (et celles dont il est l'auteur)
  352.                     if ($this->checkSociety($demand$user))
  353.                     {
  354.                         return true;
  355.                     }
  356.                     else
  357.                     {
  358.                         return $this->checkAuthor($demand$user);
  359.                     }
  360.                 }
  361.             }
  362.         }
  364.         // If we are here, all hope is lost
  365.         return false;
  366.     }
  368.     private function canEdit(Demand $demand nullAccess $userAccessFunction $function)
  369.     {
  370.         // Get Acl_Perdemands
  371.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  372.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  374.         // If all are null, exit
  375.         if ($aclPerm === null && $aclPermSociety === null)
  376.             return false;
  378.         // Get First one
  379.         if ($aclPerm !== null)
  380.         {
  381.             $acl $this->aclRepository->findOneBy(array(
  382.                 'function'        =>    $function,
  383.                 'permission'    =>    $aclPerm
  384.             ));
  385.             if ($acl !== null)
  386.             {
  387.                 if ($acl->getValue())
  388.                 {
  389.                     // A single positive answer is enough
  390.                     return true;
  391.                 }
  392.             }
  393.         }
  395.         // If we are here it means that nothing good has been found
  396.         // Load second permission
  397.         if ($aclPermSociety !== null)
  398.         {
  399.             $acl $this->aclRepository->findOneBy(array(
  400.                 'function'        =>    $function,
  401.                 'permission'    =>    $aclPermSociety
  402.             ));
  403.             if ($acl !== null)
  404.             {
  405.                 if ($acl->getValue())
  406.                 {
  407.                     // Check Society : also check author
  408.                     // Les demands appartenant à ses sociétés (et celles dont il est l'auteur)
  409.                     if ($this->checkSociety($demand$user))
  410.                     {
  411.                         return true;
  412.                     }
  413.                     else
  414.                     {
  415.                         return $this->checkAuthor($demand$user);
  416.                     }
  417.                 }
  418.             }
  419.         }
  421.         // If we are here, all hope is lost
  422.         return false;
  423.     }
  425.     private function canEditSociety(Demand $demand nullAccess $userAccessFunction $function)
  426.     {
  427.         // Get Acl_Perdemands
  428.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT);
  429.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT_SOCIETY);
  431.         // If all are null, exit
  432.         if ($aclPerm === null && $aclPermSociety === null)
  433.             return false;
  435.         // Get First one
  436.         if ($aclPerm !== null)
  437.         {
  438.             $acl $this->aclRepository->findOneBy(array(
  439.                 'function'        =>    $function,
  440.                 'permission'    =>    $aclPerm
  441.             ));
  442.             if ($acl !== null)
  443.             {
  444.                 if ($acl->getValue())
  445.                 {
  446.                     // A single positive answer is enough
  447.                     return true;
  448.                 }
  449.             }
  450.         }
  452.         // If we are here it means that nothing good has been found
  453.         // Load second permission
  454.         if ($aclPermSociety !== null)
  455.         {
  456.             $acl $this->aclRepository->findOneBy(array(
  457.                 'function'        =>    $function,
  458.                 'permission'    =>    $aclPermSociety
  459.             ));
  460.             if ($acl !== null)
  461.             {
  462.                 if ($acl->getValue())
  463.                 {
  464.                     // Check Society : also check author
  465.                     // Les demands appartenant à ses sociétés (et celles dont il est l'auteur)
  466.                     if ($this->checkSociety($demand$user))
  467.                     {
  468.                         return true;
  469.                     }
  470.                     else
  471.                     {
  472.                         return $this->checkAuthor($demand$user);
  473.                     }
  474.                 }
  475.             }
  476.         }
  478.         // If we are here, all hope is lost
  479.         return false;
  480.     }
  482.     private function canList(Access $userAccessFunction $function)
  483.     {
  484.         // If canView, then canList ;)
  485.         // Get Acl_Perdemand
  486.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  487.         if ($aclPerm === null)        return false;
  489.         // Get Acl
  490.         $acl $this->aclRepository->findOneBy(array(
  491.             'function'        =>    $function,
  492.             'permission'    =>    $aclPerm
  493.         ));
  494.         if ($acl === null)        return false;
  496.         // Since only one acl type can exist
  497.         // we can return the result of the acl_permission
  498.         return $acl->getValue();
  499.     }
  501.     private function canListSociety(Access $userAccessFunction $function)
  502.     {
  503.         // If canView, then canList ;)
  504.         // Get Acl_Perdemand
  505.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  506.         if ($aclPerm === null)        return false;
  508.         // Get Acl
  509.         $acl $this->aclRepository->findOneBy(array(
  510.             'function'        =>    $function,
  511.             'permission'    =>    $aclPerm
  512.         ));
  513.         if ($acl === null)        return false;
  515.         // Since only one acl type can exist
  516.         // we can return the result of the acl_permission
  517.         return $acl->getValue();
  518.     }
  520.     private function canListAny(Access $userAccessFunction $function)
  521.     {
  522.         // Three Acl_Perdemand may exist
  523.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  524.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  526.         // If all are null, exit
  527.         if ($aclPerm === null && $aclPermSociety === null)
  528.             return false;
  530.         // Get First one
  531.         if ($aclPerm !== null)
  532.         {
  533.             $acl $this->aclRepository->findOneBy(array(
  534.                 'function'        =>    $function,
  535.                 'permission'    =>    $aclPerm
  536.             ));
  537.             if ($acl !== null)
  538.             {
  539.                 if ($acl->getValue())
  540.                 {
  541.                     // A single positive answer is enough
  542.                     return true;
  543.                 }
  544.             }
  545.         }
  547.         // If we are here it means that nothing good has been found
  548.         // Load second permission
  549.         if ($aclPermSociety !== null)
  550.         {
  551.             $acl $this->aclRepository->findOneBy(array(
  552.                 'function'        =>    $function,
  553.                 'permission'    =>    $aclPermSociety
  554.             ));
  555.             if ($acl !== null)
  556.             {
  557.                 if ($acl->getValue())
  558.                 {
  559.                     // A single positive answer is enough
  560.                     return true;
  561.                 }
  562.             }
  563.         }
  565.         // If we are here, all hope is lost
  566.         return false;
  567.     }
  568. }