src/Security/HumanResourceVoter.php line 79

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/HumanResourceVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\HR\HumanResource;
  16. use App\Entity\Security\Acl;
  17. use App\Entity\Security\AclPermission;
  18. use App\Services\Config\ModuleTools;
  19. use App\Services\LogTools;
  21. class HumanResourceVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  25.     const IS_ACTIVE "human_resource_is_active";
  27.     const ADD "add_human_resource";
  29.     const LISTING "list_human_resources";
  30.     const LISTING_SOCIETY "list_human_resources_society";
  31.     const LISTING_ANY "list_human_resources_any";
  33.     const VIEW "view_human_resource";
  34.     const EDIT "edit_human_resource";
  35.     const ANONYMIZE "anonymize_human_resource";
  36.     const IMPORT "import_human_resources";
  38.     const LISTING_ATTACHMENTS "list_human_resource_attachments";
  40.     const IS_GRANTED_CONSTANTS = array(
  41.         self::IS_ACTIVE,
  42.         self::ADD,
  43.         self::LISTING,
  44.         self::LISTING_SOCIETY,
  45.         self::LISTING_ANY,
  46.         self::VIEW,
  47.         self::EDIT,
  48.         self::ANONYMIZE,
  49.         self::IMPORT,
  50.         self::LISTING_ATTACHMENTS,
  51.     );
  53.     //--------------------------------------------------------------------------------
  54.     // acl constants
  55.     const ACL_PERM_IMPORT "human_resource_import";
  57.     const ACL_PERM_ADD "human_resource_add";
  59.     const ACL_PERM_LISTING "human_resource_list";
  60.     const ACL_PERM_LISTING_SOCIETY "human_resource_list_society";
  62.     const ACL_PERM_VIEW "human_resource_view";
  63.     const ACL_PERM_VIEW_SOCIETY "human_resource_view_society";
  65.     const ACL_PERM_EDIT "human_resource_edit";
  66.     const ACL_PERM_EDIT_SOCIETY "human_resource_edit_society";
  68.     const ACL_PERM_ANONYMIZE "human_resource_anonymize";
  69.     const ACL_PERM_ANONYMIZE_SOCIETY "human_resource_anonymize_society";
  71.     const ACL_PERM_ATTACHMENT_LIST "rh_attachment_list";
  72.     const ACL_PERM_ATTACHMENT_LIST_SOCIETY "rh_attachment_list_society";
  73.     const ACL_PERM_ATTACHMENT_LIST_BASE_SOCIETY "rh_attachment_list_base_society";
  74.     //--------------------------------------------------------------------------------
  76.     public function __construct(ManagerRegistry $doctrineLogTools $logToolsModuleTools $moduleTools)
  77.     {
  78.         $this->em $doctrine->getManager();
  79.         $this->logTools $logTools;
  80.         $this->moduleTools $moduleTools;
  82.         $this->aclRepository $this->em->getRepository(Acl::class);
  83.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  84.     }
  86.     // Plan.io Task #4453 [See AccessVoter for details]
  87.     public function supportsAttribute(string $attribute): bool
  88.     {
  89.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  90.     }
  92.     protected function supports(string $attribute$subject): bool
  93.     {
  94.         // $this->logTools->ploopLog("[HumanResourceVoter][supports] attribute = $attribute");
  96.         // if the attribute isn't one we support, return false
  97.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  98.         {
  99.             return false;
  100.         }
  102.         // only vote on HumanResource objects inside this voter
  103.         if ($subject !== null && !$subject instanceof HumanResource)
  104.         {
  105.             return false;
  106.         }
  108.         return true;
  109.     }
  111.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  112.     {
  113.         $user $token->getUser();
  115.         if (!$user instanceof Access)
  116.         {
  117.             // the user must be logged in; if not, deny access
  118.             return false;
  119.         }
  121.         // The user must have a function; if not deny access
  122.         $function $user->getFunction();
  123.         if ($function === null)        return false;
  125.         // Plan.io Task #3710 : Get current group
  126.         $currentGroup $user->getSocietyGroup();
  127.         if ($currentGroup === null)
  128.             return false;
  130.         // Module activated ?
  131.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_HUMAN_RESOURCE))
  132.         {
  133.             return false;
  134.         }
  136.         if ($attribute == self::EDIT)
  137.         {
  138.             if ($subject->getAnonymized())
  139.             {
  140.                 return false;
  141.             }
  142.         }
  144.         // you know $subject is a HumanResource object, thanks to supports
  145.         /** @var HumanResource $rh */
  146.         $rh $subject;
  148.         // Check current group affectation
  149.         if ($subject !== null)
  150.         {
  151.             $subjectSociety $subject->getSociety();
  152.             if ($subjectSociety === null)
  153.                 return false;
  154.             $subjectGroup $subjectSociety->getGroup();
  155.             if ($subjectGroup === null)
  156.                 return false;
  157.             if (!$currentGroup->equals($subjectGroup))
  158.                 return false;
  159.         }
  161.         switch ($attribute)
  162.         {
  163.             case self::IS_ACTIVE:
  164.                 return true;
  166.             case self::IMPORT:
  167.                 return $this->canImport($user$function);
  169.             case self::ADD:
  170.                 return $this->canAdd($rh$user$function);
  172.             case self::LISTING:
  173.                 return $this->canList($rh$user$function);
  174.             case self::LISTING_SOCIETY:
  175.                 return $this->canListSociety($rh$user$function);
  176.             case self::LISTING_ANY:
  177.                 return $this->canListAny($rh$user$function);
  179.             case self::VIEW:
  180.                 return $this->canView($rh$user$function);
  182.             case self::EDIT:
  183.                 return $this->canEdit($rh$user$function);
  185.             case self::ANONYMIZE:
  186.                 return $this->canAnonymize($rh$user$function);
  188.             case self::LISTING_ATTACHMENTS:
  189.                 return $this->canListAttachments($rh$user$function);
  190.         }
  192.         throw new \LogicException('This code should not be reached!');
  193.     }
  195.     // $access is the user trying to load the resource
  196.     // $rh is the resource being loaded
  198.     // Check if the Society of the resource
  199.     // belongs to the societies of the $access
  200.     private function checkSociety(HumanResource $rhAccess $access)
  201.     {
  202.         // Get all the societies of the access
  203.         $societies $access->getSocieties();
  205.         // Get the Society of the HumanResource
  206.         $rhSociety $rh->getSociety();
  207.         if ($rhSociety === null)
  208.             return false;
  210.         $found false;
  211.         foreach ($societies as $society)
  212.         {
  213.             if ($society->getId() == $rhSociety->getId())
  214.             {
  215.                 $found true;
  216.                 break;
  217.             }
  218.         }
  219.         return $found;
  220.     }
  222.     // $access is the user trying to load the resource
  223.     // $rh is the resource being loaded
  224.     private function checkBaseSociety(HumanResource $rhAccess $access)
  225.     {
  226.         // Get the base society of the access
  227.         $baseSociety $access->getSociety();
  228.         if ($baseSociety === null)
  229.         {
  230.             return false;
  231.         }
  232.         // Get the Society of the Human_Resource
  233.         $rhSociety $rh->getSociety();
  234.         if ($rhSociety === null)
  235.         {
  236.             return false;
  237.         }
  239.         if ($baseSociety->equals($rhSociety))
  240.         {
  241.             return true;
  242.         }
  244.         return false;
  245.     }
  247.     private function canImport(Access $accessAccessFunction $function)
  248.     {
  249.         // Get Acl_Permission
  250.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_IMPORT);
  251.         if ($aclPerm === null)        return false;
  253.         // Get Acl
  254.         $acl $this->aclRepository->findOneBy(array(
  255.             'function'        =>    $function,
  256.             'permission'    =>    $aclPerm
  257.         ));
  258.         if ($acl === null)        return false;
  260.         return $acl->getValue();
  261.     }
  263.     private function canAdd(HumanResource $rh nullAccess $userAccessFunction $function)
  264.     {
  265.         // Get AclPermission
  266.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  267.         if ($aclPerm === null)        return false;
  269.         // Get Acl
  270.         $acl $this->aclRepository->findOneBy(array(
  271.             'function'        =>    $function,
  272.             'permission'    =>    $aclPerm
  273.         ));
  274.         if ($acl === null)        return false;
  276.         // Since only one acl type can exist
  277.         // we can return the result of the acl_permission
  278.         return $acl->getValue();
  279.     }
  281.     private function canList(HumanResource $rh nullAccess $userAccessFunction $function)
  282.     {
  283.         // Get AclPermission
  284.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  285.         if ($aclPerm === null)        return false;
  287.         // Get Acl
  288.         $acl $this->aclRepository->findOneBy(array(
  289.             'function'        =>    $function,
  290.             'permission'    =>    $aclPerm
  291.         ));
  292.         if ($acl === null)        return false;
  294.         // Since only one acl type can exist
  295.         // we can return the result of the acl_permission
  296.         return $acl->getValue();
  297.     }
  299.     private function canListSociety(HumanResource $rh nullAccess $userAccessFunction $function)
  300.     {
  301.         // Get AclPermission
  302.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  303.         if ($aclPerm === null)        return false;
  305.         // Get Acl
  306.         $acl $this->aclRepository->findOneBy(array(
  307.             'function'        =>    $function,
  308.             'permission'    =>    $aclPerm
  309.         ));
  310.         if ($acl === null)        return false;
  312.         // Since only one acl type can exist
  313.         // we can return the result of the acl_permission
  314.         // Further filtering is done in the Controller
  315.         return $acl->getValue();
  316.     }
  318.     private function canListAny(HumanResource $rh nullAccess $userAccessFunction $function)
  319.     {
  320.         // Two AclPermission may exist
  321.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  322.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  323.         // If both are null, exit
  324.         if ($aclPerm === null && $aclPermSociety === null)
  325.             return false;
  327.         // Get First one
  328.         if ($aclPerm !== null)
  329.         {
  330.             $acl $this->aclRepository->findOneBy(array(
  331.                 'function'        =>    $function,
  332.                 'permission'    =>    $aclPerm
  333.             ));
  334.             if ($acl !== null)
  335.             {
  336.                 if ($acl->getValue())
  337.                 {
  338.                     // A single positive answer is enough
  339.                     return true;
  340.                 }
  341.             }
  342.         }
  343.         // If we are here it means that nothing good has been found
  344.         // Load second permission
  345.         if ($aclPermSociety !== null)
  346.         {
  347.             $acl $this->aclRepository->findOneBy(array(
  348.                 'function'        =>    $function,
  349.                 'permission'    =>    $aclPermSociety
  350.             ));
  351.             if ($acl !== null)
  352.             {
  353.                 if ($acl->getValue())
  354.                 {
  355.                     // A single positive answer is enough
  356.                     return true;
  357.                 }
  358.             }
  359.         }
  360.         // If we are here, all hope is lost
  361.         return false;
  362.     }
  364.     private function canView(HumanResource $rh nullAccess $userAccessFunction $function)
  365.     {
  366.         // Two AclPermission may exist
  367.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  368.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  369.         // If both are null, exit
  370.         if ($aclPerm === null && $aclPermSociety === null)
  371.             return false;
  373.         // Get First one
  374.         if ($aclPerm !== null)
  375.         {
  376.             $acl $this->aclRepository->findOneBy(array(
  377.                 'function'        =>    $function,
  378.                 'permission'    =>    $aclPerm
  379.             ));
  380.             if ($acl !== null)
  381.             {
  382.                 if ($acl->getValue())
  383.                 {
  384.                     // A single positive answer is enough
  385.                     return true;
  386.                 }
  387.             }
  388.         }
  389.         // If we are here it means that nothing good has been found
  390.         // Load second permission
  391.         if ($aclPermSociety !== null)
  392.         {
  393.             $acl $this->aclRepository->findOneBy(array(
  394.                 'function'        =>    $function,
  395.                 'permission'    =>    $aclPermSociety
  396.             ));
  397.             if ($acl !== null)
  398.             {
  399.                 if ($acl->getValue())
  400.                 {
  401.                     // A single positive answer is enough
  402.                     // In this case the good answer will be provided by the checkSociety
  403.                     return $this->checkSociety($rh$user);
  404.                 }
  405.             }
  406.         }
  407.         // If we are here, all hope is lost
  408.         return false;
  409.     }
  411.     private function canEdit(HumanResource $rh nullAccess $userAccessFunction $function)
  412.     {
  413.         if($rh->getAnonymized())
  414.         {
  415.             return false;
  416.         }
  418.         // Two AclPermission may exist
  419.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  420.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  421.         // If both are null, exit
  422.         if ($aclPerm === null && $aclPermSociety === null)
  423.             return false;
  425.         // Get First one
  426.         if ($aclPerm !== null)
  427.         {
  428.             $acl $this->aclRepository->findOneBy(array(
  429.                 'function'        =>    $function,
  430.                 'permission'    =>    $aclPerm
  431.             ));
  432.             if ($acl !== null)
  433.             {
  434.                 if ($acl->getValue())
  435.                 {
  436.                     // A single positive answer is enough
  437.                     return true;
  438.                 }
  439.             }
  440.         }
  441.         // If we are here it means that nothing good has been found
  442.         // Load second permission
  443.         if ($aclPermSociety !== null)
  444.         {
  445.             $acl $this->aclRepository->findOneBy(array(
  446.                 'function'        =>    $function,
  447.                 'permission'    =>    $aclPermSociety
  448.             ));
  449.             if ($acl !== null)
  450.             {
  451.                 if ($acl->getValue())
  452.                 {
  453.                     // A single positive answer is enough
  454.                     // In this case the good answer will be provided by the checkSociety
  455.                     return $this->checkSociety($rh$user);
  456.                 }
  457.             }
  458.         }
  459.         // If we are here, all hope is lost
  460.         return false;
  461.     }
  463.     private function canAnonymize(HumanResource $rh nullAccess $userAccessFunction $function)
  464.     {
  465.         // Two AclPermission may exist
  466.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ANONYMIZE);
  467.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ANONYMIZE_SOCIETY);
  468.         // If both are null, exit
  469.         if ($aclPerm === null && $aclPermSociety === null)
  470.             return false;
  472.         // Get First one
  473.         if ($aclPerm !== null)
  474.         {
  475.             $acl $this->aclRepository->findOneBy(array(
  476.                 'function'        =>    $function,
  477.                 'permission'    =>    $aclPerm
  478.             ));
  479.             if ($acl !== null)
  480.             {
  481.                 if ($acl->getValue())
  482.                 {
  483.                     // A single positive answer is enough
  484.                     return true;
  485.                 }
  486.             }
  487.         }
  488.         // If we are here it means that nothing good has been found
  489.         // Load second permission
  490.         if ($aclPermSociety !== null)
  491.         {
  492.             $acl $this->aclRepository->findOneBy(array(
  493.                 'function'        =>    $function,
  494.                 'permission'    =>    $aclPermSociety
  495.             ));
  496.             if ($acl !== null)
  497.             {
  498.                 if ($acl->getValue())
  499.                 {
  500.                     // A single positive answer is enough
  501.                     // In this case the good answer will be provided by the checkSociety
  502.                     return $this->checkSociety($rh$user);
  503.                 }
  504.             }
  505.         }
  506.         // If we are here, all hope is lost
  507.         return false;
  508.     }
  510.     private function canListAttachments(HumanResource $rhAccess $userAccessFunction $function)
  511.     {
  512.         // Several Acl_Permission may exist
  513.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ATTACHMENT_LIST);
  514.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ATTACHMENT_LIST_SOCIETY);
  515.         $aclPermBaseSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ATTACHMENT_LIST_BASE_SOCIETY);
  517.         // If all are null, exit
  518.         if ($aclPerm === null && $aclPermSociety === null && $aclPermBaseSociety === null)
  519.             return false;
  521.         // Get First one
  522.         if ($aclPerm !== null)
  523.         {
  524.             $acl $this->aclRepository->findOneBy(array(
  525.                 'function'        =>    $function,
  526.                 'permission'    =>    $aclPerm
  527.             ));
  528.             if ($acl !== null)
  529.             {
  530.                 if ($acl->getValue())
  531.                 {
  532.                     // A single positive answer is enough
  533.                     return true;
  534.                 }
  535.             }
  536.         }
  537.         // If we are here it means that nothing good has been found
  538.         // Load second permission
  539.         if ($aclPermSociety !== null)
  540.         {
  541.             $acl $this->aclRepository->findOneBy(array(
  542.                 'function'        =>    $function,
  543.                 'permission'    =>    $aclPermSociety
  544.             ));
  545.             if ($acl !== null)
  546.             {
  547.                 if ($acl->getValue())
  548.                 {
  549.                     // A single positive answer is enough
  550.                     // In this case the good answer will be provided by the checkSociety
  551.                     return $this->checkSociety($rh$user);
  552.                 }
  553.             }
  554.         }
  555.         // If we are here it means that nothing good has been found
  556.         // Load third permission
  557.         if ($aclPermBaseSociety !== null)
  558.         {
  559.             $acl $this->aclRepository->findOneBy(array(
  560.                 'function'        =>    $function,
  561.                 'permission'    =>    $aclPermBaseSociety
  562.             ));
  563.             if ($acl !== null)
  564.             {
  565.                 if ($acl->getValue())
  566.                 {
  567.                     // A single positive answer is enough
  568.                     // In this case the good answer will be provided by the checkBaseSociety
  569.                     return $this->checkBaseSociety($rh$user);
  570.                 }
  571.             }
  572.         }
  573.         // If we are here, all hope is lost
  574.         return false;
  575.     }
  576. }