src/Security/DocumentVoter.php line 139

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/DocumentVoter.php
  4. // OK #4453 : VoterCache (isActive, listings)
  5. //------------------------------------------------------------------------------
  6. namespace App\Security;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Doctrine\Persistence\ManagerRegistry;
  12. use App\Entity\Access;
  13. use App\Entity\APIRest\AccessAPI;
  14. use App\Entity\Config\Config;
  15. use App\Entity\Config\Module;
  16. use App\Entity\Config\OptionConfig;
  17. use App\Entity\HR\AccessFunction;
  18. use App\Entity\Mission\MissionTarget;
  19. use App\Entity\Planning\Task;
  20. use App\Entity\Security\AccessCacheAcl;
  21. use App\Entity\Security\Acl;
  22. use App\Entity\Security\AclPermission;
  23. use App\Entity\Webapp\Document;
  24. use App\Entity\Webapp\Components\DocumentRule;
  25. use App\Entity\Webapp\Components\DocumentTargetRule;
  26. use App\Entity\Webapp\Components\DocumentType;
  27. use App\Services\Config\ModuleTools;
  28. use App\Services\Config\OptionConfigTools;
  30. class DocumentVoter extends Voter
  31. {
  32.     // Allow authors as managers
  34.     //--------------------------------------------------------------------------------
  35.     // is_granted constants
  36.     const IS_ACTIVE "document_is_active";
  38.     const ADD "add_document";
  40.     const ADD_RFI "add_document_rfi";
  41.     const ADD_RFI_GC "add_document_rfi_gc";
  42.     const ADD_ANOMALY "add_document_anomaly";
  43.     const ADD_ANOMALY_GC "add_document_anomaly_gc";
  44.     const ADD_REPORT "add_document_report";
  45.     const ADD_KVISIT "add_document_kvisit";
  47.     const ADD_CUSTOM_REPORT "add_document_custom_report";
  49.     const LISTING "list_documents";
  50.     const LISTING_SOCIETY "list_documents_society";
  51.     const LISTING_MANAGER "list_documents_manager";
  52.     const LISTING_ANY "list_documents_any";
  54.     const LISTING_ARCHIVED "list_archived_documents";
  55.     const LISTING_ARCHIVED_SOCIETY "list_archived_documents_society";
  56.     const LISTING_ARCHIVED_MANAGER "list_archived_documents_manager";
  57.     const LISTING_ARCHIVED_ANY "list_archived_documents_any";
  59.     const VIEW_PDF "view_pdf_document";
  61.     const ARCHIVE "archive_document";
  63.     const IS_GRANTED_CONSTANTS = array(
  64.         self::IS_ACTIVE,
  66.         self::ADD,
  67.         self::ADD_RFI,
  68.         self::ADD_RFI_GC,
  69.         self::ADD_ANOMALY,
  70.         self::ADD_ANOMALY_GC,
  71.         self::ADD_REPORT,
  72.         self::ADD_KVISIT,
  73.         self::ADD_CUSTOM_REPORT,
  75.         self::LISTING,
  76.         self::LISTING_SOCIETY,
  77.         self::LISTING_MANAGER,
  78.         self::LISTING_ANY,
  79.         self::LISTING_ARCHIVED,
  80.         self::LISTING_ARCHIVED_SOCIETY,
  81.         self::LISTING_ARCHIVED_MANAGER,
  82.         self::LISTING_ARCHIVED_ANY,
  84.         self::VIEW_PDF,
  85.         self::ARCHIVE,
  86.     );
  88.     const IS_GRANTED_CONSTANTS_SHARING_EXCEPTION = array(
  89.         self::VIEW_PDF,
  90.     );
  92.     // Plan.io Task #4453
  93.     const IS_GRANTED_FROM_CACHE = [
  94.         self::IS_ACTIVE,
  95.         self::LISTING,
  96.         self::LISTING_SOCIETY,
  97.         self::LISTING_MANAGER,
  98.         self::LISTING_ANY,
  99.         self::LISTING_ARCHIVED,
  100.         self::LISTING_ARCHIVED_SOCIETY,
  101.         self::LISTING_ARCHIVED_MANAGER,
  102.         self::LISTING_ARCHIVED_ANY,
  103.     ];
  105.     //--------------------------------------------------------------------------------
  106.     // acl constants
  107.     const ACL_PERM_ADD "webapp_doc_add";
  109.     const ACL_PERM_LISTING "webapp_doc_list";
  110.     const ACL_PERM_LISTING_SOCIETY "webapp_doc_list_society";
  111.     const ACL_PERM_LISTING_MANAGER "webapp_doc_list_manager";
  113.     const ACL_PERM_VIEW_PDF "webapp_doc_pdf_view";
  114.     const ACL_PERM_VIEW_PDF_SOCIETY "webapp_doc_pdf_view_society";
  115.     const ACL_PERM_VIEW_PDF_MANAGER "webapp_doc_pdf_view_manager";
  116.     const ACL_PERM_VIEW_PDF_CLIENT_MANAGER "webapp_doc_pdf_view_ind_manager";
  118.     // Archive
  119.     const ACL_PERM_ARCHIVE "webapp_doc_archive";
  120.     const ACL_PERM_ARCHIVE_SOCIETY "webapp_doc_archive_society";
  121.     const ACL_PERM_ARCHIVE_MANAGER "webapp_doc_archive_manager";
  123.     // Archived : List
  124.     const ACL_PERM_LISTING_ARCHIVED "webapp_doc_list_archived";
  125.     const ACL_PERM_LISTING_ARCHIVED_SOCIETY "webapp_doc_list_archived_society";
  126.     const ACL_PERM_LISTING_ARCHIVED_MANAGER "webapp_doc_list_archived_manager";
  128.     // Archived : View
  129.     const ACL_PERM_VIEW_PDF_ARCHIVED "webapp_doc_pdf_view_archived";
  130.     const ACL_PERM_VIEW_PDF_ARCHIVED_SOCIETY "webapp_doc_pdf_view_archived_society";
  131.     const ACL_PERM_VIEW_PDF_ARCHIVED_MANAGER "webapp_doc_pdf_view_archived_manager";
  132.     const ACL_PERM_VIEW_PDF_ARCHIVED_CLIENT_MANAGER "webapp_doc_pdf_view_archived_ind_manager";
  133.     //--------------------------------------------------------------------------------
  135.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleToolsOptionConfigTools $optionConfigTools)
  136.     {
  137.         $this->em $doctrine->getManager();
  138.         $this->moduleTools $moduleTools;
  139.         $this->optionConfigTools $optionConfigTools;
  141.         $this->aclRepository $this->em->getRepository(Acl::class);
  142.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  143.     }
  145.     // Plan.io Task #4453 [See AccessVoter for details]
  146.     public function supportsAttribute(string $attribute): bool
  147.     {
  148.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  149.     }
  150.     
  151.     protected function supports(string $attribute$subject null): bool
  152.     {
  153.         // if the attribute isn't one we support, return false
  154.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  155.         {
  156.             return false;
  157.         }
  159.         // only vote on Document or Task objects inside this voter
  160.         if ($subject !== null && !($subject instanceof Document || $subject instanceof Task))
  161.         {
  162.             return false;
  163.         }
  164.         return true;
  165.     }
  167.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  168.     {
  169.         $user $token->getUser();
  171.         $originalUserIsAccess true;
  173.         // Plan.io Task #3707
  174.         if ($user instanceof AccessAPI)
  175.         {
  176.             if ($user->getAccess() === null)
  177.             {
  178.                 return false;
  179.             }
  180.             $user $user->getAccess();
  181.             $originalUserIsAccess false;
  182.         }
  184.         // Plan.io Task #4453 : Bypass everything, but only for Access users
  185.         // if ($originalUserIsAccess && AccessCacheAcl::voterCacheIsActive())
  186.         // {
  187.         //     if (in_array($attribute, self::IS_GRANTED_FROM_CACHE))
  188.         //     {
  189.         //         $accessCacheAcl = $this->em->getRepository(AccessCacheAcl::class)->findOneBy(array(
  190.         //             'access'    =>  $user,
  191.         //             'aclKey'    =>  $attribute,
  192.         //         ));
  193.         //         if ($accessCacheAcl !== null)
  194.         //         {
  195.         //             return $accessCacheAcl->isActive();
  196.         //         }
  197.         //     }
  198.         // }
  200.         // Plan.io Task #3707
  201.         // At this point $user is an object of Access type
  202.         // even if the $token->getUser() is AccessAPI
  203.         if (!$user instanceof Access)
  204.         {
  205.             // the user must be logged in; if not, deny access
  206.             return false;
  207.         }
  209.         // The user must have a function; if not deny access
  210.         $function $user->getFunction();
  211.         if ($function === null)        return false;
  213.         // Plan.io Task #3710 : Get current group
  214.         $currentGroup $user->getSocietyGroup();
  215.         if ($currentGroup === null)
  216.             return false;
  218.         $this->currentGroup $currentGroup;
  220.         // Module activated ?
  221.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_DOCUMENT))
  222.         {
  223.             return false;
  224.         }
  225.         // This one also needs the planning
  226.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_PLANNING))
  227.         {
  228.             return false;
  229.         }
  230.         // This one also needs clients or clients light
  231.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_CLIENT) && $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_CLIENT_LIGHT))
  232.         {
  233.             return false;
  234.         }
  236.         // you know $subject is a Document object, thanks to supports
  237.         /** @var Document $doc */
  238.         $doc $subject;
  240.         // Check current group affectation
  241.         if ($subject !== null && $subject instanceof Document)
  242.         {
  243.             $docSociety $subject->getSociety();
  244.             if ($docSociety === null)
  245.                 return false;
  246.             $docSocietyGroup $docSociety->getGroup();
  247.             if ($docSocietyGroup === null)
  248.                 return false;
  249.             // if (!$currentGroup->equals($docSocietyGroup))
  250.             //     return false;
  252.             if (!in_array($attributeself::IS_GRANTED_CONSTANTS_SHARING_EXCEPTION))
  253.             {
  254.                 // Just check currentGroup
  255.                 if (!$currentGroup->equals($docSocietyGroup))
  256.                     return false;
  257.             }
  258.             else
  259.             {
  260.                 // Take sharing into account
  261.                 // If the document belongs to a mission that was created by the currentGroup
  262.                 // (document.mission.societyGroupAuthor == currentGroup)
  263.                 // Then it can see the document
  264.                 if (!$currentGroup->equals($docSocietyGroup))
  265.                 {
  266.                     if ($doc->getMission() !== null)
  267.                     {
  268.                         $missionSocietyGroupAuthor $doc->getMission()->getSocietyGroupAuthor();
  270.                         if (!$currentGroup->equals($missionSocietyGroupAuthor))
  271.                         {
  272.                             return false;
  273.                         }
  274.                     }
  275.                 }
  276.             }
  277.         }
  279.         switch ($attribute)
  280.         {
  281.             case self::IS_ACTIVE:
  282.                 return true;
  284.             case self::ADD:
  285.             {
  286.                 if ($subject !== null && $subject instanceof Task)
  287.                 {
  288.                     $task $subject;
  289.                     return $this->canAdd($user$function$task);
  290.                 }
  291.                 return $this->canAdd($user$function);
  292.             }
  294.             case self::ADD_RFI:
  295.             {
  296.                 if ($subject !== null && $subject instanceof Task)
  297.                 {
  298.                     $task $subject;
  299.                     if ($this->canAdd($user$function$task))
  300.                     {
  301.                         return $this->canAddDocumentType($user$function$taskDocumentType::CODE_RFI);
  302.                     }
  303.                 }
  304.                 return false;
  305.             }
  307.             case self::ADD_RFI_GC:
  308.             {
  309.                 if ($subject !== null && $subject instanceof Task)
  310.                 {
  311.                     $task $subject;
  312.                     if ($this->canAdd($user$function$task))
  313.                     {
  314.                         return $this->canAddDocumentType($user$function$taskDocumentType::CODE_RFI_GC);
  315.                     }
  316.                 }
  317.                 return false;
  318.             }
  320.             case self::ADD_ANOMALY:
  321.             {
  322.                 if ($subject !== null && $subject instanceof Task)
  323.                 {
  324.                     $task $subject;
  325.                     if ($this->canAdd($user$function$task))
  326.                     {
  327.                         return $this->canAddDocumentType($user$function$taskDocumentType::CODE_ANOMALY);
  328.                     }
  329.                 }
  330.                 return false;
  331.             }
  333.             case self::ADD_ANOMALY_GC:
  334.             {
  335.                 if ($subject !== null && $subject instanceof Task)
  336.                 {
  337.                     $task $subject;
  338.                     if ($this->canAdd($user$function$task))
  339.                     {
  340.                         return $this->canAddDocumentType($user$function$taskDocumentType::CODE_ANOMALY_GC);
  341.                     }
  342.                 }
  343.                 return false;
  344.             }
  346.             case self::ADD_REPORT:
  347.             {
  348.                 if ($subject !== null && $subject instanceof Task)
  349.                 {
  350.                     $task $subject;
  351.                     if ($this->canAdd($user$function$task))
  352.                     {
  353.                         return $this->canAddDocumentType($user$function$taskDocumentType::CODE_REPORT);
  354.                     }
  355.                 }
  356.                 return false;
  357.             }
  359.             case self::ADD_KVISIT:
  360.             {
  361.                 if ($this->optionConfigTools->isActive_webappKvisitReport($this->currentGroup))
  362.                 {
  363.                     if ($subject !== null && $subject instanceof Task)
  364.                     {
  365.                         $task $subject;
  366.                         if ($this->canAdd($user$function$task))
  367.                         {
  368.                             return $this->canAddDocumentType($user$function$taskDocumentType::CODE_KVISIT_REPORT);
  369.                         }
  370.                     }
  371.                 }
  372.                 return false;
  373.             }
  375.             case self::ADD_CUSTOM_REPORT:
  376.             {
  377.                 if ($subject !== null && $subject instanceof Task)
  378.                 {
  379.                     $task $subject;
  380.                     if ($this->canAdd($user$function$task))
  381.                     {
  382.                         return $this->canAddCustomReport($user$function$task);
  383.                     }
  384.                 }
  385.                 return false;
  386.             }
  388.             case self::LISTING:
  389.                 return $this->canList($user$function);
  390.             case self::LISTING_SOCIETY:
  391.                 return $this->canListSociety($user$function);
  392.             case self::LISTING_MANAGER:
  393.                 return $this->canListManager($user$function);
  394.             case self::LISTING_ANY:
  395.                 return $this->canListAny($user$function);
  397.             case self::VIEW_PDF:
  398.                 return $this->canViewPdf($doc$user$function);
  400.             case self::ARCHIVE:
  401.                 return $this->canArchive($doc$user$function);
  403.             case self::LISTING_ARCHIVED:
  404.                 return $this->canListArchived($user$function);
  405.             case self::LISTING_ARCHIVED_SOCIETY:
  406.                 return $this->canListArchivedSociety($user$function);
  407.             case self::LISTING_ARCHIVED_MANAGER:
  408.                 return $this->canListArchivedManager($user$function);
  409.             case self::LISTING_ARCHIVED_ANY:
  410.                 return $this->canListArchivedAny($user$function);
  411.         }
  413.         throw new \LogicException('This code should not be reached!');
  414.     }
  416.     // $access is the user trying to load the resource
  417.     // $doc is the resource being loaded
  419.     // Check if the Society of the resource
  420.     // belongs to the societies of the $access
  421.     private function checkSociety(Document $docAccess $access)
  422.     {
  423.         // Get all the societies of the access
  424.         $societies $access->getSocieties();
  426.         // Get the Society of the Document
  427.         $docSociety $doc->getSociety();
  429.         if ($docSociety === null)
  430.             return false;
  432.         $found false;
  433.         foreach ($societies as $society)
  434.         {
  435.             if ($society->getId() == $docSociety->getId())
  436.             {
  437.                 $found true;
  438.                 break;
  439.             }
  440.         }
  441.         return $found;
  442.     }
  444.     // Check if the $access is the manager of the $doc
  445.     private function checkManager(Document $docAccess $access)
  446.     {
  447.         // Get manager
  448.         $manager $doc->getManager();
  449.         $author $doc->getAuthor();
  451.         if ($manager === null)
  452.             return false;
  454.         if ($manager === null && $author === null)
  455.             return false;
  457.         if ($manager !== null)
  458.             if ($manager->getId() === $access->getId())
  459.                 return true;
  461.         if ($author !== null)
  462.             if ($author->getId() === $access->getId())
  463.                 return true;
  465.         return false;
  466.     }
  468.     // Check if the $access is the manager of the client of the $doc
  469.     private function checkClientManager(Document $docAccess $access)
  470.     {
  471.         // Get manager
  472.         if ($doc->getReceiver() === null)
  473.             return null;
  475.         $client $doc->getReceiver();
  477.         if ($client->getIndividual() !== null)
  478.         {
  479.             // Only Individuals have managers
  480.             // Get manager
  481.             $manager $client->getIndividual()->getManager();
  482.             if ($manager === null)
  483.                 return false;
  485.             if ($manager->getId() === $access->getId())
  486.                 return true;
  487.         }
  489.         return false;
  490.     }
  492.     private function canAdd(Access $userAccessFunction $function$task null)
  493.     {
  494.         // Plan.io Task #3323 + #4302
  495.         if ($task !== null)
  496.         {
  497.             if ($task->isArchivedRefused())
  498.             {
  499.                 return false;
  500.             }
  501.             if ($task->isHelp())
  502.             {
  503.                 return false;
  504.             }
  505.             if ($task->isAbsence())
  506.             {
  507.                 return false;
  508.             }
  509.             // It's child recurrence
  510.             if ($task->getRecurrenceParent() !== null)
  511.             {
  512.                 return false;
  513.             }
  514.         }
  516.         // Get Acl_Permission
  517.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  518.         if ($aclPerm === null)        return false;
  520.         // Get Acl
  521.         $acl $this->aclRepository->findOneBy(array(
  522.             'function'        =>    $function,
  523.             'permission'    =>    $aclPerm
  524.         ));
  525.         if ($acl === null)        return false;
  527.         // Since only one acl type can exist
  528.         // we can return the result of the acl_permission
  529.         return $acl->getValue();
  530.     }
  532.     // Updated by Plan.io Task #4224 : Added DocumentTargetRule logic
  533.     private function canAddDocumentType(Access $userAccessFunction $functionTask $task$docCode)
  534.     {
  535.         // Get DocumentType
  536.         $docType $this->em->getRepository(DocumentType::class)
  537.             ->findOneByCode($docCode);
  538.         if ($docType === null)
  539.         {
  540.             return false;
  541.         }
  543.         // Get TaskType
  544.         $taskType $task->getType();
  545.         if ($taskType === null)
  546.         {
  547.             return false;
  548.         }
  550.         // Do we need to take the MissionTarget into account ?
  551.         if (!$taskType->getHasDocTargetRule())
  552.         {
  553.             // Nope
  554.             // Just do the DocumentRule check
  555.             $docRule $this->em->getRepository(DocumentRule::class)
  556.                 ->findOneBy(array(
  557.                     'documentType'        =>    $docType,
  558.                     'taskType'            =>    $taskType,
  559.                     'state'                =>    1,
  560.                 ));
  561.             if ($docRule !== null)
  562.             {
  563.                 return true;
  564.             }
  565.             return false;
  566.         }
  568.         // If we are here it means that we have DocumentTargetRules for this TaskType
  570.         // Get MissionTarget, if any
  571.         $missionTarget null;
  572.         $mission $task->getMission();
  573.         if ($mission !== null)
  574.         {
  575.             $missionTarget $mission->getTarget();
  576.         }
  578.         if ($missionTarget === null)
  579.         {
  580.             // Simplest case : No Target, everything is possible ;)
  581.             return true;
  582.         }
  584.         // Apply both MissionTarget and TaskType rule
  585.         $docRule $this->em->getRepository(DocumentTargetRule::class)
  586.             ->findOneBy(array(
  587.                 'documentType'        =>    $docType,
  588.                 'taskType'            =>    $taskType,
  589.                 'missionTarget'        =>    $missionTarget,
  590.                 'state'                =>    1,
  591.             ));
  592.         if ($docRule !== null)
  593.         {
  594.             return true;
  595.         }
  597.         // If we are here, all hope is lost
  598.         return false;
  599.     }
  601.     // We need to pass two arguments to the Security :: DocumentVoter
  602.     // So add the second argument as a property of the first
  603.     // https://stackoverflow.com/questions/39999301/symfony2-pass-a-second-object-to-a-voter
  604.     private function canAddCustomReport(Access $userAccessFunction $functionTask $task)
  605.     {
  606.         // Get DocumentType
  607.         $docType $task->getDocType();
  608.         if ($docType === null)
  609.         {
  610.             return false;
  611.         }
  613.         // Get TaskType
  614.         $taskType $task->getType();
  615.         if ($taskType === null)
  616.         {
  617.             return false;
  618.         }
  620.         // Do we need to take the MissionTarget into account ?
  621.         if (!$taskType->getHasDocTargetRule())
  622.         {
  623.             // Nope
  624.             // Just do the DocumentRule check
  625.             $docRule $this->em->getRepository(DocumentRule::class)
  626.                 ->findOneBy(array(
  627.                     'documentType'        =>    $docType,
  628.                     'taskType'            =>    $taskType,
  629.                     'state'                =>    1,
  630.                 ));
  631.             if ($docRule !== null)
  632.             {
  633.                 return true;
  634.             }
  635.             return false;
  636.         }
  638.         // If we are here it means that we have DocumentTargetRules for this TaskType
  640.         // Get MissionTarget, if any
  641.         $missionTarget null;
  642.         $mission $task->getMission();
  643.         if ($mission !== null)
  644.         {
  645.             $missionTarget $mission->getTarget();
  646.         }
  648.         if ($missionTarget === null)
  649.         {
  650.             // Simplest case : No Target, everything is possible ;)
  651.             return true;
  652.         }
  654.         // Apply both MissionTarget and TaskType rule
  655.         $docRule $this->em->getRepository(DocumentTargetRule::class)
  656.             ->findOneBy(array(
  657.                 'documentType'        =>    $docType,
  658.                 'taskType'            =>    $taskType,
  659.                 'missionTarget'        =>    $missionTarget,
  660.                 'state'                =>    1,
  661.             ));
  662.         if ($docRule !== null)
  663.         {
  664.             return true;
  665.         }
  667.         // If we are here, all hope is lost
  668.         return false;
  669.     }
  671.     private function canList(Access $userAccessFunction $function)
  672.     {
  673.         // Get Acl_Permission
  674.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  675.         if ($aclPerm === null)        return false;
  677.         // Get Acl
  678.         $acl $this->aclRepository->findOneBy(array(
  679.             'function'        =>    $function,
  680.             'permission'    =>    $aclPerm
  681.         ));
  682.         if ($acl === null)        return false;
  684.         // Since only one acl type can exist
  685.         // we can return the result of the acl_permission
  686.         return $acl->getValue();
  687.     }
  689.     private function canListSociety(Access $userAccessFunction $function)
  690.     {
  691.         // Get Acl_Permission
  692.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  693.         if ($aclPerm === null)        return false;
  695.         // Get Acl
  696.         $acl $this->aclRepository->findOneBy(array(
  697.             'function'        =>    $function,
  698.             'permission'    =>    $aclPerm
  699.         ));
  700.         if ($acl === null)        return false;
  702.         // Since only one acl type can exist
  703.         // we can return the result of the acl_permission
  704.         // Further filtering is done in the Controller
  705.         return $acl->getValue();
  706.     }
  708.     private function canListManager(Access $userAccessFunction $function)
  709.     {
  710.         // Get Acl_Permission
  711.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  712.         if ($aclPerm === null)        return false;
  714.         // Get Acl
  715.         $acl $this->aclRepository->findOneBy(array(
  716.             'function'        =>    $function,
  717.             'permission'    =>    $aclPerm
  718.         ));
  719.         if ($acl === null)        return false;
  721.         // Since only one acl type can exist
  722.         // we can return the result of the acl_permission
  723.         // Further filtering is done in the Controller
  724.         return $acl->getValue();
  725.     }
  727.     private function canListAny(Access $userAccessFunction $function)
  728.     {
  729.         // Two Acl_Permission may exist
  730.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  731.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  732.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  734.         // If both are null, exit
  735.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  736.             return false;
  738.         // Get First one
  739.         if ($aclPerm !== null)
  740.         {
  741.             $acl $this->aclRepository->findOneBy(array(
  742.                 'function'        =>    $function,
  743.                 'permission'    =>    $aclPerm
  744.             ));
  745.             if ($acl !== null)
  746.             {
  747.                 if ($acl->getValue())
  748.                 {
  749.                     // A single positive answer is enough
  750.                     return true;
  751.                 }
  752.             }
  753.         }
  754.         // If we are here it means that nothing good has been found
  755.         // Load second permission
  756.         if ($aclPermSociety !== null)
  757.         {
  758.             $acl $this->aclRepository->findOneBy(array(
  759.                 'function'        =>    $function,
  760.                 'permission'    =>    $aclPermSociety
  761.             ));
  762.             if ($acl !== null)
  763.             {
  764.                 if ($acl->getValue())
  765.                 {
  766.                     // A single positive answer is enough
  767.                     return true;
  768.                 }
  769.             }
  770.         }
  772.         // If we are here it means that nothing good has been found
  773.         // Load third permission
  774.         if ($aclPermManager !== null)
  775.         {
  776.             $acl $this->aclRepository->findOneBy(array(
  777.                 'function'        =>    $function,
  778.                 'permission'    =>    $aclPermManager
  779.             ));
  780.             if ($acl !== null)
  781.             {
  782.                 if ($acl->getValue())
  783.                 {
  784.                     // A single positive answer is enough
  785.                     return true;
  786.                 }
  787.             }
  788.         }
  789.         // If we are here, all hope is lost
  790.         return false;
  791.     }
  793.     private function canViewPdf(Document $docAccess $userAccessFunction $function)
  794.     {
  795.         if ($doc->isArchived())
  796.         {
  797.             return $this->canViewArchivedPdf($doc$user$function);
  798.         }
  800.         // Many Acl_Permission may exist
  801.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF);
  802.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_SOCIETY);
  803.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_MANAGER);
  804.         $aclPermClientManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_CLIENT_MANAGER);
  806.         // If all are null, exit
  807.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null && $aclPermClientManager === null)
  808.             return false;
  810.         // Get First one
  811.         if ($aclPerm !== null)
  812.         {
  813.             $acl $this->aclRepository->findOneBy(array(
  814.                 'function'        =>    $function,
  815.                 'permission'    =>    $aclPerm
  816.             ));
  817.             if ($acl !== null)
  818.             {
  819.                 if ($acl->getValue())
  820.                 {
  821.                     // A single positive answer is enough
  822.                     return true;
  823.                 }
  824.             }
  825.         }
  826.         // If we are here it means that nothing good has been found
  827.         // Load second permission
  828.         if ($aclPermSociety !== null)
  829.         {
  830.             $acl $this->aclRepository->findOneBy(array(
  831.                 'function'        =>    $function,
  832.                 'permission'    =>    $aclPermSociety
  833.             ));
  834.             if ($acl !== null)
  835.             {
  836.                 if ($acl->getValue())
  837.                 {
  838.                     // A single positive answer is enough
  839.                     // In this case the good answer will be provided by the checkSociety
  840.                     // However, we don't want to stop if the answer is no, but look further
  841.                     // This is the case when the client is in society A and the document is in society B
  842.                     if ($this->checkSociety($doc$user))
  843.                         return true;
  844.                 }
  845.             }
  846.         }
  847.         // If we are here it means that nothing good has been found
  848.         // Load third permission
  849.         if ($aclPermManager !== null)
  850.         {
  851.             $acl $this->aclRepository->findOneBy(array(
  852.                 'function'        =>    $function,
  853.                 'permission'    =>    $aclPermManager
  854.             ));
  855.             if ($acl !== null)
  856.             {
  857.                 if ($acl->getValue())
  858.                 {
  859.                     // A single positive answer is enough
  860.                     // In this case the good answer will be provided by the checkSociety
  861.                     if ($this->checkManager($doc$user))
  862.                         return true;
  863.                 }
  864.             }
  865.         }
  867.         // If we are here it means that nothing good has been found
  868.         // Load third permission
  869.         if ($aclPermClientManager !== null)
  870.         {
  871.             $acl $this->aclRepository->findOneBy(array(
  872.                 'function'        =>    $function,
  873.                 'permission'    =>    $aclPermClientManager
  874.             ));
  875.             if ($acl !== null)
  876.             {
  877.                 if ($acl->getValue())
  878.                 {
  879.                     // A single positive answer is enough
  880.                     // In this case the good answer will be provided by the checkSociety
  881.                     if ($this->checkClientManager($doc$user))
  882.                         return true;
  883.                 }
  884.             }
  885.         }
  886.         // If we are here, all hope is lost
  887.         return false;
  888.     }
  890.     private function canArchive(Document $docAccess $userAccessFunction $function)
  891.     {
  892.         // Many Acl_Permission may exist
  893.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ARCHIVE);
  894.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ARCHIVE_SOCIETY);
  895.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ARCHIVE_MANAGER);
  897.         // If all are null, exit
  898.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  899.             return false;
  901.         // Get First one
  902.         if ($aclPerm !== null)
  903.         {
  904.             $acl $this->aclRepository->findOneBy(array(
  905.                 'function'        =>    $function,
  906.                 'permission'    =>    $aclPerm
  907.             ));
  908.             if ($acl !== null)
  909.             {
  910.                 if ($acl->getValue())
  911.                 {
  912.                     // A single positive answer is enough
  913.                     return true;
  914.                 }
  915.             }
  916.         }
  917.         // If we are here it means that nothing good has been found
  918.         // Load second permission
  919.         if ($aclPermSociety !== null)
  920.         {
  921.             $acl $this->aclRepository->findOneBy(array(
  922.                 'function'        =>    $function,
  923.                 'permission'    =>    $aclPermSociety
  924.             ));
  925.             if ($acl !== null)
  926.             {
  927.                 if ($acl->getValue())
  928.                 {
  929.                     // A single positive answer is enough
  930.                     // In this case the good answer will be provided by the checkSociety
  931.                     // However, we don't want to stop if the answer is no, but look further
  932.                     // This is the case when the client is in society A and the document is in society B
  933.                     if ($this->checkSociety($doc$user))
  934.                         return true;
  935.                 }
  936.             }
  937.         }
  938.         // If we are here it means that nothing good has been found
  939.         // Load third permission
  940.         if ($aclPermManager !== null)
  941.         {
  942.             $acl $this->aclRepository->findOneBy(array(
  943.                 'function'        =>    $function,
  944.                 'permission'    =>    $aclPermManager
  945.             ));
  946.             if ($acl !== null)
  947.             {
  948.                 if ($acl->getValue())
  949.                 {
  950.                     // A single positive answer is enough
  951.                     // In this case the good answer will be provided by the checkSociety
  952.                     if ($this->checkManager($doc$user))
  953.                         return true;
  954.                 }
  955.             }
  956.         }
  958.         // If we are here, all hope is lost
  959.         return false;
  960.     }
  962.     private function canViewArchivedPdf(Document $docAccess $userAccessFunction $function)
  963.     {
  964.         if ($doc->isNotArchived())
  965.         {
  966.             return $this->canViewPdf($doc$user$function);
  967.         }
  969.         // Many Acl_Permission may exist
  970.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_ARCHIVED);
  971.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_ARCHIVED_SOCIETY);
  972.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_ARCHIVED_MANAGER);
  973.         $aclPermClientManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_ARCHIVED_CLIENT_MANAGER);
  975.         // If all are null, exit
  976.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null && $aclPermClientManager === null)
  977.             return false;
  979.         // Get First one
  980.         if ($aclPerm !== null)
  981.         {
  982.             $acl $this->aclRepository->findOneBy(array(
  983.                 'function'        =>    $function,
  984.                 'permission'    =>    $aclPerm
  985.             ));
  986.             if ($acl !== null)
  987.             {
  988.                 if ($acl->getValue())
  989.                 {
  990.                     // A single positive answer is enough
  991.                     return true;
  992.                 }
  993.             }
  994.         }
  996.         // If we are here it means that nothing good has been found
  997.         // Load second permission
  998.         if ($aclPermSociety !== null)
  999.         {
  1000.             $acl $this->aclRepository->findOneBy(array(
  1001.                 'function'        =>    $function,
  1002.                 'permission'    =>    $aclPermSociety
  1003.             ));
  1004.             if ($acl !== null)
  1005.             {
  1006.                 if ($acl->getValue())
  1007.                 {
  1008.                     // A single positive answer is enough
  1009.                     // In this case the good answer will be provided by the checkSociety
  1010.                     // However, we don't want to stop if the answer is no, but look further
  1011.                     // This is the case when the client is in society A and the document is in society B
  1012.                     if ($this->checkSociety($doc$user))
  1013.                         return true;
  1014.                 }
  1015.             }
  1016.         }
  1018.         // If we are here it means that nothing good has been found
  1019.         // Load third permission
  1020.         if ($aclPermManager !== null)
  1021.         {
  1022.             $acl $this->aclRepository->findOneBy(array(
  1023.                 'function'        =>    $function,
  1024.                 'permission'    =>    $aclPermManager
  1025.             ));
  1026.             if ($acl !== null)
  1027.             {
  1028.                 if ($acl->getValue())
  1029.                 {
  1030.                     // A single positive answer is enough
  1031.                     // In this case the good answer will be provided by the checkSociety
  1032.                     if ($this->checkManager($doc$user))
  1033.                         return true;
  1034.                 }
  1035.             }
  1036.         }
  1038.         // If we are here it means that nothing good has been found
  1039.         // Load third permission
  1040.         if ($aclPermClientManager !== null)
  1041.         {
  1042.             $acl $this->aclRepository->findOneBy(array(
  1043.                 'function'        =>    $function,
  1044.                 'permission'    =>    $aclPermClientManager
  1045.             ));
  1046.             if ($acl !== null)
  1047.             {
  1048.                 if ($acl->getValue())
  1049.                 {
  1050.                     // A single positive answer is enough
  1051.                     if ($this->checkClientManager($doc$user))
  1052.                         return true;
  1053.                     // "Voir les PDF de tous les documents archivés des clients dont il est le gestionnaire et tous les documents archivés dont il est l'auteur"
  1054.                     // Also check if author / manager of this particular document
  1055.                     if ($this->checkManager($doc$user))
  1056.                         return true;
  1057.                 }
  1058.             }
  1059.         }
  1061.         // If we are here, all hope is lost
  1062.         return false;
  1063.     }
  1065.     private function canListArchived(Access $userAccessFunction $function)
  1066.     {
  1067.         // Get Acl_Permission
  1068.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_ARCHIVED);
  1069.         if ($aclPerm === null)        return false;
  1071.         // Get Acl
  1072.         $acl $this->aclRepository->findOneBy(array(
  1073.             'function'        =>    $function,
  1074.             'permission'    =>    $aclPerm
  1075.         ));
  1076.         if ($acl === null)        return false;
  1078.         // Since only one acl type can exist
  1079.         // we can return the result of the acl_permission
  1080.         return $acl->getValue();
  1081.     }
  1083.     private function canListArchivedSociety(Access $userAccessFunction $function)
  1084.     {
  1085.         // Get Acl_Permission
  1086.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_ARCHIVED_SOCIETY);
  1087.         if ($aclPerm === null)        return false;
  1089.         // Get Acl
  1090.         $acl $this->aclRepository->findOneBy(array(
  1091.             'function'        =>    $function,
  1092.             'permission'    =>    $aclPerm
  1093.         ));
  1094.         if ($acl === null)        return false;
  1096.         // Since only one acl type can exist
  1097.         // we can return the result of the acl_permission
  1098.         // Further filtering is done in the Controller
  1099.         return $acl->getValue();
  1100.     }
  1102.     private function canListArchivedManager(Access $userAccessFunction $function)
  1103.     {
  1104.         // Get Acl_Permission
  1105.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_ARCHIVED_MANAGER);
  1106.         if ($aclPerm === null)        return false;
  1108.         // Get Acl
  1109.         $acl $this->aclRepository->findOneBy(array(
  1110.             'function'        =>    $function,
  1111.             'permission'    =>    $aclPerm
  1112.         ));
  1113.         if ($acl === null)        return false;
  1115.         // Since only one acl type can exist
  1116.         // we can return the result of the acl_permission
  1117.         // Further filtering is done in the Controller
  1118.         return $acl->getValue();
  1119.     }
  1121.     private function canListArchivedAny(Access $userAccessFunction $function)
  1122.     {
  1123.         // Two Acl_Permission may exist
  1124.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_ARCHIVED);
  1125.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_ARCHIVED_SOCIETY);
  1126.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_ARCHIVED_MANAGER);
  1128.         // If both are null, exit
  1129.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  1130.             return false;
  1132.         // Get First one
  1133.         if ($aclPerm !== null)
  1134.         {
  1135.             $acl $this->aclRepository->findOneBy(array(
  1136.                 'function'        =>    $function,
  1137.                 'permission'    =>    $aclPerm
  1138.             ));
  1139.             if ($acl !== null)
  1140.             {
  1141.                 if ($acl->getValue())
  1142.                 {
  1143.                     // A single positive answer is enough
  1144.                     return true;
  1145.                 }
  1146.             }
  1147.         }
  1148.         // If we are here it means that nothing good has been found
  1149.         // Load second permission
  1150.         if ($aclPermSociety !== null)
  1151.         {
  1152.             $acl $this->aclRepository->findOneBy(array(
  1153.                 'function'        =>    $function,
  1154.                 'permission'    =>    $aclPermSociety
  1155.             ));
  1156.             if ($acl !== null)
  1157.             {
  1158.                 if ($acl->getValue())
  1159.                 {
  1160.                     // A single positive answer is enough
  1161.                     return true;
  1162.                 }
  1163.             }
  1164.         }
  1166.         // If we are here it means that nothing good has been found
  1167.         // Load third permission
  1168.         if ($aclPermManager !== null)
  1169.         {
  1170.             $acl $this->aclRepository->findOneBy(array(
  1171.                 'function'        =>    $function,
  1172.                 'permission'    =>    $aclPermManager
  1173.             ));
  1174.             if ($acl !== null)
  1175.             {
  1176.                 if ($acl->getValue())
  1177.                 {
  1178.                     // A single positive answer is enough
  1179.                     return true;
  1180.                 }
  1181.             }
  1182.         }
  1183.         // If we are here, all hope is lost
  1184.         return false;
  1185.     }
  1186. }