src/Security/InstallmentVoter.php line 25

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/InstallmentVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Doctrine\Persistence\ManagerRegistry;
  12. use App\Entity\Access;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Platform\Command\Command;
  17. use App\Entity\Platform\Devis\Devis;
  18. use App\Entity\Platform\Installment;
  19. use App\Entity\Platform\Invoice\Invoice;
  20. use App\Entity\Security\Acl;
  21. use App\Entity\Security\AclPermission;
  22. use App\Services\Config\ModuleTools;
  23. use App\Services\Config\OptionConfigTools;
  25. class InstallmentVoter extends Voter
  26. {
  27.     //--------------------------------------------------------------------------------
  28.     // is_granted constants
  30.     // This depends of the Devis Module, not the Payments,
  31.     // which design the Online payment option (Paypal, Stripe)
  32.     // It also depends on the Commands
  33.     const IS_ACTIVE "installment_is_active";
  35.     const LISTING "list_installments";
  36.     const LISTING_SOCIETY "list_installments_society";
  37.     const LISTING_ANY "list_installments_any";
  39.     const IMPORT "import_installments";
  41.     // Plan.io Task #4326
  42.     const ADD "add_installment";
  43.     const EDIT "edit_installment";
  44.     const DELETE "delete_installment";
  46.     // Plan.io Task #4653
  47.     const IS_ACTIVE_INSTALLMENT_AUTO_ACCOUNT "installment_auto_account_is_active";
  49.     const IS_GRANTED_CONSTANTS = array(
  50.         self::IS_ACTIVE,
  52.         self::LISTING,
  53.         self::LISTING_SOCIETY,
  54.         self::LISTING_ANY,
  56.         self::IMPORT,
  58.         self::ADD,
  59.         self::EDIT,
  60.         self::DELETE,
  62.         self::IS_ACTIVE_INSTALLMENT_AUTO_ACCOUNT,
  63.     );
  65.     //--------------------------------------------------------------------------------
  66.     // acl constants
  67.     const ACL_PERM_LISTING "installment_list";
  68.     const ACL_PERM_LISTING_SOCIETY "installment_list_society";
  70.     const ACL_PERM_IMPORT "installment_import";
  72.     //--------------------------------------------------------------------------------
  74.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrine
  75.         ModuleTools $moduleToolsOptionConfigTools $optionConfigTools)
  76.     {
  77.         $this->accessDecisionManager $accessDecisionManager;
  78.         $this->em $doctrine->getManager();
  79.         $this->moduleTools $moduleTools;
  80.         $this->optionConfigTools $optionConfigTools;
  82.         $this->aclRepository $this->em->getRepository(Acl::class);
  83.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  84.     }
  86.     // Plan.io Task #4453 [See AccessVoter for details]
  87.     public function supportsAttribute(string $attribute): bool
  88.     {
  89.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  90.     }
  91.     
  92.     protected function supports(string $attribute$subject null): bool
  93.     {
  94.         // if the attribute isn't one we support, return false
  95.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  96.         {
  97.             return false;
  98.         }
  100.         // only vote on Installment objects inside this voter
  101.         // ... and Invoice / Devis / Command
  102.         if ($subject !== null && !($subject instanceof Installment ||
  103.                                     $subject instanceof Devis ||
  104.                                     $subject instanceof Invoice ||
  105.                                     $subject instanceof Command
  106.         ))
  107.         {
  108.             return false;
  109.         }
  111.         return true;
  112.     }
  114.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  115.     {
  116.         $user $token->getUser();
  118.         if (!$user instanceof Access)
  119.         {
  120.             // the user must be logged in; if not, deny access
  121.             return false;
  122.         }
  124.         // The user must have a function; if not deny access
  125.         $function $user->getFunction();
  126.         if ($function === null)        return false;
  128.         // Plan.io Task #3710 : Get current group
  129.         $currentGroup $user->getSocietyGroup();
  130.         if ($currentGroup === null)
  131.             return false;
  133.         // Module activated ?
  134.         // This depends of the Devis Module, not the Payments,
  135.         // which design the PayPal payment option
  136.         // It also depends on the Commands
  137.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_DEVIS) && $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_COMMAND))
  138.         {
  139.             return false;
  140.         }
  142.         // $subject can be Installment object,
  143.         // or Devis / Invoice / Command (Plan.io Task #4326)
  145.         $installment null;
  146.         $otherThanInstallment null;
  148.         if ($subject instanceof Installment)
  149.         {
  150.             $installment $subject;
  151.         }
  152.         if ($subject instanceof Devis || $subject instanceof Invoice ||    $subject instanceof Command)
  153.         {
  154.             $otherThanInstallment $subject;
  155.         }
  157.         // Check current group affectation
  158.         if ($subject !== null)
  159.         {
  160.             $subjectSociety $subject->getSociety();
  161.             if ($subjectSociety === null)
  162.                 return false;
  163.             $subjectGroup $subjectSociety->getGroup();
  164.             if ($subjectGroup === null)
  165.                 return false;
  166.             if (!$currentGroup->equals($subjectGroup))
  167.                 return false;
  168.         }
  170.         switch ($attribute)
  171.         {
  172.             case self::IS_ACTIVE:
  173.                 return true;
  175.             case self::IS_ACTIVE_INSTALLMENT_AUTO_ACCOUNT:
  176.             {
  177.                 return $this->optionConfigTools->isActive_InstallmentAutoAccount($currentGroup);
  178.             }
  180.             case self::IMPORT:
  181.                 return $this->canImport($user$function);
  183.             case self::LISTING:
  184.                 return $this->canList($user$function);
  185.             case self::LISTING_SOCIETY:
  186.                 return $this->canListSociety($user$function);
  187.             case self::LISTING_ANY:
  188.                 return $this->canListAny($user$function);
  190.             case self::ADD:
  191.                 return $this->canAdd($user$function$token$otherThanInstallment);
  193.             // For edit and delete subject can be both Installment or Object linked to installment
  194.             case self::EDIT:
  195.                 return $this->canEdit($user$function$token$subject);
  196.             case self::DELETE:
  197.                 return $this->canDelete($user$function$token$subject);
  198.         }
  200.         throw new \LogicException('This code should not be reached!');
  201.     }
  203.     private function canAdd(Access $userAccessFunction $function$token$subject)
  204.     {
  205.         if ($subject instanceof Command)
  206.         {
  207.             return $this->accessDecisionManager->decide($token, ['edit_command'], $subject);
  208.         }
  209.         if ($subject instanceof Devis)
  210.         {
  211.             return $this->accessDecisionManager->decide($token, ['edit_devis'], $subject);
  212.         }
  213.         if ($subject instanceof Invoice)
  214.         {
  215.             // Plan.io Task #4326
  216.             // Deny on Drafts
  217.             if ($subject->isDraft())
  218.             {
  219.                 return false;
  220.             }
  222.             // Allow on Invoices based on edit permissions
  223.             return $this->accessDecisionManager->decide($token, ['handle_installment_for_invoice'], $subject);
  224.         }
  225.         return false;
  226.     }
  228.     private function canEdit(Access $userAccessFunction $function$token$subject)
  229.     {
  230.         if ($subject instanceof Installment)
  231.         {
  232.             $installment $subject;
  234.             // Plan.io Task #4653
  235.             if ($installment->isEffectivelyAccounted())
  236.             {
  237.                 return false;
  238.             }
  240.             if ($installment->getCommand() !== null)
  241.             {
  242.                 return $this->accessDecisionManager->decide($token, ['edit_command'], $installment->getCommand());
  243.             }
  244.             if ($installment->getDevis() !== null)
  245.             {
  246.                 return $this->accessDecisionManager->decide($token, ['edit_devis'], $installment->getDevis());
  247.             }
  248.             if ($installment->getInvoice() instanceof Invoice)
  249.             {
  250.                 $invoice $installment->getInvoice();
  252.                 // Plan.io Task #4326
  253.                 // Deny on Drafts
  254.                 if ($invoice->isDraft())
  255.                 {
  256.                     return false;
  257.                 }
  259.                 // Allow on Invoices based on edit permissions
  260.                 return $this->accessDecisionManager->decide($token, ['handle_installment_for_invoice'], $invoice);
  261.             }
  262.         }
  264.         if ($subject instanceof Command)
  265.         {
  266.             return $this->accessDecisionManager->decide($token, ['edit_command'], $subject);
  267.         }
  268.         if ($subject instanceof Devis)
  269.         {
  270.             return $this->accessDecisionManager->decide($token, ['edit_devis'], $subject);
  271.         }
  272.         if ($subject instanceof Invoice)
  273.         {
  274.             $invoice $subject;
  276.             // Plan.io Task #4326
  277.             // Deny on Drafts
  278.             if ($invoice->isDraft())
  279.             {
  280.                 return false;
  281.             }
  283.             // Allow on Invoices based on edit permissions
  284.             return $this->accessDecisionManager->decide($token, ['handle_installment_for_invoice'], $invoice);
  285.         }
  287.         return false;
  288.     }
  290.     private function canDelete(Access $userAccessFunction $function$token$subject)
  291.     {
  292.         if ($subject instanceof Installment)
  293.         {
  294.             $installment $subject;
  296.             // Plan.io Task #4653
  297.             if ($installment->isEffectivelyAccounted())
  298.             {
  299.                 return false;
  300.             }
  302.             if ($installment->getCommand() !== null)
  303.             {
  304.                 return $this->accessDecisionManager->decide($token, ['edit_command'], $installment->getCommand());
  305.             }
  306.             if ($installment->getDevis() !== null)
  307.             {
  308.                 return $this->accessDecisionManager->decide($token, ['edit_devis'], $installment->getDevis());
  309.             }
  310.             if ($installment->getInvoice() instanceof Invoice)
  311.             {
  312.                 // Always allow deleting installments on invoices
  313.                 // Needed by Plan.io Task #2849
  314.                 return true;
  315.             }
  316.         }
  318.         if ($subject instanceof Command)
  319.         {
  320.             return $this->accessDecisionManager->decide($token, ['edit_command'], $subject);
  321.         }
  322.         if ($subject instanceof Devis)
  323.         {
  324.             return $this->accessDecisionManager->decide($token, ['edit_devis'], $subject);
  325.         }
  326.         if ($subject instanceof Invoice)
  327.         {
  328.             // Always allow deleting installments on invoices
  329.             // Needed by Plan.io Task #2849
  330.             return true;
  331.         }
  333.         return false;
  334.     }
  336.     private function canImport(Access $accessAccessFunction $function)
  337.     {
  338.         // Restrictions are also applied in the Controller
  339.         // But this helps speeding page loading if the access is not even allowed to load the page
  340.         // (ie. if it has no list privileges whatsoever)
  342.         // Get Acl_Permission
  343.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_IMPORT);
  344.         if ($aclPerm === null)        return false;
  346.         // Get Acl
  347.         $acl $this->aclRepository->findOneBy(array(
  348.             'function'        =>    $function,
  349.             'permission'    =>    $aclPerm
  350.         ));
  351.         if ($acl === null)        return false;
  353.         // Since only one list type can exist,
  354.         // we can return the result of the acl_permission
  355.         return $acl->getValue();
  356.     }
  358.     private function canList(Access $userAccessFunction $function)
  359.     {
  360.         // Get Acl_Permission
  361.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  362.         if ($aclPerm === null)        return false;
  364.         // Get Acl
  365.         $acl $this->aclRepository->findOneBy(array(
  366.             'function'        =>    $function,
  367.             'permission'    =>    $aclPerm
  368.         ));
  369.         if ($acl === null)        return false;
  371.         // Since only one acl type can exist
  372.         // we can return the result of the acl_permission
  373.         return $acl->getValue();
  374.     }
  376.     private function canListSociety(Access $userAccessFunction $function)
  377.     {
  378.         // Get Acl_Permission
  379.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  380.         if ($aclPerm === null)        return false;
  382.         // Get Acl
  383.         $acl $this->aclRepository->findOneBy(array(
  384.             'function'        =>    $function,
  385.             'permission'    =>    $aclPerm
  386.         ));
  387.         if ($acl === null)        return false;
  389.         // Since only one acl type can exist
  390.         // we can return the result of the acl_permission
  391.         // Further filtering is done in the Controller
  392.         return $acl->getValue();
  393.     }
  395.     private function canListAny(Access $userAccessFunction $function)
  396.     {
  397.         // Two Acl_Permission may exist
  398.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  399.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  401.         // If all are null, exit
  402.         if ($aclPerm === null && $aclPermSociety === null)
  403.             return false;
  405.         // Get First one
  406.         if ($aclPerm !== null)
  407.         {
  408.             $acl $this->aclRepository->findOneBy(array(
  409.                 'function'        =>    $function,
  410.                 'permission'    =>    $aclPerm
  411.             ));
  412.             if ($acl !== null)
  413.             {
  414.                 if ($acl->getValue())
  415.                 {
  416.                     // A single positive answer is enough
  417.                     return true;
  418.                 }
  419.             }
  420.         }
  421.         // If we are here it means that nothing good has been found
  422.         // Load second permission
  423.         if ($aclPermSociety !== null)
  424.         {
  425.             $acl $this->aclRepository->findOneBy(array(
  426.                 'function'        =>    $function,
  427.                 'permission'    =>    $aclPermSociety
  428.             ));
  429.             if ($acl !== null)
  430.             {
  431.                 if ($acl->getValue())
  432.                 {
  433.                     // A single positive answer is enough
  434.                     return true;
  435.                 }
  436.             }
  437.         }
  439.         // If we are here, all hope is lost
  440.         return false;
  441.     }
  442. }