src/Security/ExternalMessageVoter.php line 64

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/ExternalMessageVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Platform\ExternalMessage\ExternalMessage;
  16. use App\Entity\Security\Acl;
  17. use App\Entity\Security\AclPermission;
  18. use App\Services\Config\ModuleTools;
  20. class ExternalMessageVoter extends Voter
  21. {
  22.     // For now the only external messages are SMS
  23.     // So in this voter we will check if the SMS module is active
  25.     //--------------------------------------------------------------------------------
  26.     // is_granted constants
  27.     const LISTING "list_external_messages";
  29.     const LISTING_SOCIETY "list_external_messages_society";
  30.     const LISTING_ANY "list_external_messages_any";
  32.     const VIEW "view_external_message";
  33.     const EDIT "edit_external_message";
  34.     const EDIT_SOCIETY "edit_external_message_society";
  36.     const IS_GRANTED_CONSTANTS = array(
  37.         self::LISTING,
  38.         self::LISTING_SOCIETY,
  39.         self::LISTING_ANY,
  40.         self::VIEW,
  41.         self::EDIT,
  42.         self::EDIT_SOCIETY,
  43.     );
  45.     //--------------------------------------------------------------------------------
  46.     // acl constants
  48.     const ACL_PERM_LIST 'external_message_list';
  49.     const ACL_PERM_LIST_SOCIETY 'external_message_list_society';
  51.     const ACL_PERM_VIEW 'external_message_view';
  52.     const ACL_PERM_VIEW_SOCIETY 'external_message_view_society';
  54.     const ACL_PERM_EDIT 'external_message_edit';
  55.     const ACL_PERM_EDIT_SOCIETY 'external_message_edit_society';
  57.     const ACL_PERM_SOCIETY_EDIT 'external_message_society_edit';
  58.     const ACL_PERM_SOCIETY_EDIT_SOCIETY 'external_message_society_edit_society';
  60.     //--------------------------------------------------------------------------------
  62.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  63.     {
  64.         $this->em $doctrine->getManager();
  65.         $this->moduleTools $moduleTools;
  67.         $this->aclRepository $this->em->getRepository(Acl::class);
  68.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  69.     }
  71.     // Plan.io Task #4453 [See AccessVoter for details]
  72.     public function supportsAttribute(string $attribute): bool
  73.     {
  74.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  75.     }
  77.     protected function supports(string $attribute$subject null): bool
  78.     {
  79.         // if the attribute isn't one we support, return false
  80.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  81.         {
  82.             return false;
  83.         }
  85.         // only vote on ExternalMessage objects inside this voter
  86.         if ($subject !== null && !$subject instanceof ExternalMessage)
  87.         {
  88.             return false;
  89.         }
  91.         return true;
  92.     }
  94.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  95.     {
  96.         $user $token->getUser();
  98.         if (!$user instanceof Access)
  99.         {
  100.             // the user must be logged in; if not, deny access
  101.             return false;
  102.         }
  104.         // The user must have a function; if not deny access
  105.         $function $user->getFunction();
  106.         if ($function === null)        return false;
  108.         // Plan.io Task #3710 : Get current group
  109.         $currentGroup $user->getSocietyGroup();
  110.         if ($currentGroup === null)
  111.             return false;
  113.         // Module activated ?
  114.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_SMS))
  115.         {
  116.             return false;
  117.         }
  119.         // you know $subject is a ExternalMessage object, thanks to supports
  120.         /** @var ExternalMessage $externalMessage */
  121.         $externalMessage $subject;
  123.         // Check current group affectation
  124.         if ($subject !== null)
  125.         {
  126.             $subjectSociety $subject->getSociety();
  127.             if ($subjectSociety === null)
  128.                 return false;
  129.             $subjectGroup $subjectSociety->getGroup();
  130.             if ($subjectGroup === null)
  131.                 return false;
  132.             if (!$currentGroup->equals($subjectGroup))
  133.                 return false;
  134.         }
  136.         switch ($attribute)
  137.         {
  138.             case self::VIEW:
  139.                 return $this->canView($externalMessage$user$function);
  141.             case self::EDIT:
  142.                 return $this->canEdit($externalMessage$user$function);
  144.             case self::EDIT_SOCIETY:
  145.                 return $this->canEditSociety($externalMessage$user$function);
  147.             case self::LISTING:
  148.                 return $this->canList($user$function);
  149.             case self::LISTING_SOCIETY:
  150.                 return $this->canListSociety($user$function);
  151.             case self::LISTING_ANY:
  152.                 return $this->canListAny($user$function);
  153.         }
  155.         throw new \LogicException('This code should not be reached!');
  156.     }
  158.     // Check if the Society of the ExternalMessage
  159.     // belongs to the societies of the $access
  160.     private function checkSociety(ExternalMessage $externalMessageAccess $access)
  161.     {
  162.         // Get all the societies of the access
  163.         $societies $access->getSocieties();
  165.         // Get the Society of the ExternalMessage
  166.         $externalMessageSociety $externalMessage->getSociety();
  168.         if ($externalMessageSociety === null)
  169.             return false;
  171.         $found false;
  172.         foreach ($societies as $society)
  173.         {
  174.             if ($society->getId() == $externalMessageSociety->getId())
  175.             {
  176.                 $found true;
  177.                 break;
  178.             }
  179.         }
  180.         return $found;
  181.     }
  183.     private function canView(ExternalMessage $externalMessageAccess $userAccessFunction $function)
  184.     {
  185.         // Get Acl_Perdemands
  186.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  187.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  189.         // If all are null, exit
  190.         if ($aclPerm === null && $aclPermSociety === null)
  191.             return false;
  193.         // Get First one
  194.         if ($aclPerm !== null)
  195.         {
  196.             $acl $this->aclRepository->findOneBy(array(
  197.                 'function'        =>    $function,
  198.                 'permission'    =>    $aclPerm
  199.             ));
  200.             if ($acl !== null)
  201.             {
  202.                 if ($acl->getValue())
  203.                 {
  204.                     // A single positive answer is enough
  205.                     return true;
  206.                 }
  207.             }
  208.         }
  210.         // If we are here it means that nothing good has been found
  211.         // Load second permission
  212.         if ($aclPermSociety !== null)
  213.         {
  214.             $acl $this->aclRepository->findOneBy(array(
  215.                 'function'        =>    $function,
  216.                 'permission'    =>    $aclPermSociety
  217.             ));
  218.             if ($acl !== null)
  219.             {
  220.                 if ($acl->getValue())
  221.                 {
  222.                     // Check Society : also check author
  223.                     // Les demands appartenant à ses sociétés (et celles dont il est l'auteur)
  224.                     if ($this->checkSociety($externalMessage$user))
  225.                     {
  226.                         return true;
  227.                     }
  228.                 }
  229.             }
  230.         }
  232.         // If we are here, all hope is lost
  233.         return false;
  234.     }
  236.     private function canEdit(ExternalMessage $externalMessageAccess $userAccessFunction $function)
  237.     {
  238.         // Get Acl_Perdemands
  239.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  240.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  242.         // If all are null, exit
  243.         if ($aclPerm === null && $aclPermSociety === null)
  244.             return false;
  246.         // Get First one
  247.         if ($aclPerm !== null)
  248.         {
  249.             $acl $this->aclRepository->findOneBy(array(
  250.                 'function'        =>    $function,
  251.                 'permission'    =>    $aclPerm
  252.             ));
  253.             if ($acl !== null)
  254.             {
  255.                 if ($acl->getValue())
  256.                 {
  257.                     // A single positive answer is enough
  258.                     return true;
  259.                 }
  260.             }
  261.         }
  263.         // If we are here it means that nothing good has been found
  264.         // Load second permission
  265.         if ($aclPermSociety !== null)
  266.         {
  267.             $acl $this->aclRepository->findOneBy(array(
  268.                 'function'        =>    $function,
  269.                 'permission'    =>    $aclPermSociety
  270.             ));
  271.             if ($acl !== null)
  272.             {
  273.                 if ($acl->getValue())
  274.                 {
  275.                     // Check Society : also check author
  276.                     // Les demands appartenant à ses sociétés (et celles dont il est l'auteur)
  277.                     if ($this->checkSociety($externalMessage$user))
  278.                     {
  279.                         return true;
  280.                     }
  281.                 }
  282.             }
  283.         }
  285.         // If we are here, all hope is lost
  286.         return false;
  287.     }
  289.     private function canEditSociety(ExternalMessage $externalMessageAccess $userAccessFunction $function)
  290.     {
  291.         // Get Acl_Perdemands
  292.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT);
  293.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT_SOCIETY);
  295.         // If all are null, exit
  296.         if ($aclPerm === null && $aclPermSociety === null)
  297.             return false;
  299.         // Get First one
  300.         if ($aclPerm !== null)
  301.         {
  302.             $acl $this->aclRepository->findOneBy(array(
  303.                 'function'        =>    $function,
  304.                 'permission'    =>    $aclPerm
  305.             ));
  306.             if ($acl !== null)
  307.             {
  308.                 if ($acl->getValue())
  309.                 {
  310.                     // A single positive answer is enough
  311.                     return true;
  312.                 }
  313.             }
  314.         }
  316.         // If we are here it means that nothing good has been found
  317.         // Load second permission
  318.         if ($aclPermSociety !== null)
  319.         {
  320.             $acl $this->aclRepository->findOneBy(array(
  321.                 'function'        =>    $function,
  322.                 'permission'    =>    $aclPermSociety
  323.             ));
  324.             if ($acl !== null)
  325.             {
  326.                 if ($acl->getValue())
  327.                 {
  328.                     // Check Society : also check author
  329.                     // Les demands appartenant à ses sociétés (et celles dont il est l'auteur)
  330.                     if ($this->checkSociety($externalMessage$user))
  331.                     {
  332.                         return true;
  333.                     }
  334.                 }
  335.             }
  336.         }
  338.         // If we are here, all hope is lost
  339.         return false;
  340.     }
  342.     private function canList(Access $userAccessFunction $function)
  343.     {
  344.         // If canView, then canList ;)
  345.         // Get Acl_Perdemand
  346.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  347.         if ($aclPerm === null)        return false;
  349.         // Get Acl
  350.         $acl $this->aclRepository->findOneBy(array(
  351.             'function'        =>    $function,
  352.             'permission'    =>    $aclPerm
  353.         ));
  354.         if ($acl === null)        return false;
  356.         // Since only one acl type can exist
  357.         // we can return the result of the acl_permission
  358.         return $acl->getValue();
  359.     }
  361.     private function canListSociety(Access $userAccessFunction $function)
  362.     {
  363.         // If canView, then canList ;)
  364.         // Get Acl_Perdemand
  365.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  366.         if ($aclPerm === null)        return false;
  368.         // Get Acl
  369.         $acl $this->aclRepository->findOneBy(array(
  370.             'function'        =>    $function,
  371.             'permission'    =>    $aclPerm
  372.         ));
  373.         if ($acl === null)        return false;
  375.         // Since only one acl type can exist
  376.         // we can return the result of the acl_permission
  377.         return $acl->getValue();
  378.     }
  380.     private function canListAny(Access $userAccessFunction $function)
  381.     {
  382.         // Three Acl_Perdemand may exist
  383.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  384.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  386.         // If all are null, exit
  387.         if ($aclPerm === null && $aclPermSociety === null)
  388.             return false;
  390.         // Get First one
  391.         if ($aclPerm !== null)
  392.         {
  393.             $acl $this->aclRepository->findOneBy(array(
  394.                 'function'        =>    $function,
  395.                 'permission'    =>    $aclPerm
  396.             ));
  397.             if ($acl !== null)
  398.             {
  399.                 if ($acl->getValue())
  400.                 {
  401.                     // A single positive answer is enough
  402.                     return true;
  403.                 }
  404.             }
  405.         }
  407.         // If we are here it means that nothing good has been found
  408.         // Load second permission
  409.         if ($aclPermSociety !== null)
  410.         {
  411.             $acl $this->aclRepository->findOneBy(array(
  412.                 'function'        =>    $function,
  413.                 'permission'    =>    $aclPermSociety
  414.             ));
  415.             if ($acl !== null)
  416.             {
  417.                 if ($acl->getValue())
  418.                 {
  419.                     // A single positive answer is enough
  420.                     return true;
  421.                 }
  422.             }
  423.         }
  425.         // If we are here, all hope is lost
  426.         return false;
  427.     }
  428. }