src/Security/InvoiceVoter.php line 142

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/InvoiceVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Doctrine\Persistence\ManagerRegistry;
  12. use App\Entity\Access;
  13. use App\Entity\APIRest\AccessAPI;
  14. use App\Entity\Config\Config;
  15. use App\Entity\Config\Module;
  16. use App\Entity\HR\AccessFunction;
  17. use App\Entity\Platform\Devis\Devis;
  18. use App\Entity\Platform\Invoice\Invoice;
  19. use App\Entity\Mission\Mission;
  20. use App\Entity\Security\Acl;
  21. use App\Entity\Security\AclPermission;
  22. use App\Services\LogTools;
  23. use App\Services\Config\ModuleTools;
  24. use App\Services\Config\OptionConfigTools;
  26. class InvoiceVoter extends Voter
  27. {
  28.     // For now manager = author (both)
  30.     //--------------------------------------------------------------------------------
  31.     // is_granted constants
  32.     const IS_ACTIVE "invoice_is_active";
  34.     // addSimple :: $devis
  35.     // addCredit :: $invoice
  36.     // addFree :: $mission
  37.     const ADD "add_invoice";
  39.     // addPartial :: $devis
  40.     // addPartialForSociety :: $devis
  41.     const ADD_PART "add_partial_invoice";
  43.     // addFromDraft :: $draft instanceof Invoice
  44.     const CONVERT_DRAFT "add_invoice_from_draft";
  45.     const DELETE_DRAFT "delete_draft";
  47.     const LISTING "list_invoices";
  48.     const LISTING_SOCIETY "list_invoices_society";
  49.     const LISTING_MANAGER "list_invoices_manager";
  51.     const LISTING_ANY "list_invoices_any";
  53.     const VIEW "view_invoice";
  54.     const VIEW_PDF "view_pdf_invoice";
  56.     const EDIT "edit_invoice";
  57.     const EDIT_ANNULLED "edit_invoice_annulled";
  59.     const DELETE "delete_invoice";
  60.     const ANNUL "annul_invoice";
  61.     const REVIVE "revive_invoice";
  63.     const IS_ACTIVE_INVOICE_AUTO_ACCOUNT "invoice_auto_account_is_active";
  65.     // Plan.io Task #4326
  66.     const HANDLE_INSTALLMENT "handle_installment_for_invoice";
  68.     // Plan.io Task #4326
  69.     // I need some restrictions on the actions that can be done via the invoices list
  70.     // ie. convert drafts, delete drafts (for now at least ...)
  71.     // So check if the user has at least one edit permission active
  72.     const EDIT_SOME_INVOICES "edit_some_invoices";
  74.     const IS_GRANTED_CONSTANTS = array(
  75.         self::IS_ACTIVE,
  76.         self::ADD,
  77.         self::ADD_PART,                // Plan.io Task #3605
  78.         self::CONVERT_DRAFT,        // Plan.io Task #4326
  79.         self::DELETE_DRAFT,            // Plan.io Task #4326
  80.         self::LISTING,
  81.         self::LISTING_SOCIETY,
  82.         self::LISTING_MANAGER,
  83.         self::LISTING_ANY,
  84.         self::VIEW,
  85.         self::VIEW_PDF,
  86.         self::EDIT,
  87.         self::EDIT_ANNULLED,
  88.         self::DELETE,
  89.         self::ANNUL,
  90.         self::REVIVE,
  91.         self::IS_ACTIVE_INVOICE_AUTO_ACCOUNT,
  92.         self::HANDLE_INSTALLMENT,    // Plan.io Task #4326
  93.         self::EDIT_SOME_INVOICES,    // Plan.io Task #4326
  94.     );
  96.     const IS_GRANTED_CONSTANTS_SHARING_EXCEPTION = array(
  97.         self::VIEW,
  98.         self::VIEW_PDF,
  99.     );
  101.     //--------------------------------------------------------------------------------
  102.     // acl constants
  103.     const ACL_PERM_ADD "invoice_add";
  105.     const ACL_PERM_LISTING "invoice_list";
  106.     const ACL_PERM_LISTING_SOCIETY "invoice_list_society";
  107.     const ACL_PERM_LISTING_MANAGER "invoice_list_manager";
  109.     const ACL_PERM_VIEW "invoice_view";
  110.     const ACL_PERM_VIEW_SOCIETY "invoice_view_society";
  111.     const ACL_PERM_VIEW_MANAGER "invoice_view_manager";
  112.     const ACL_PERM_VIEW_CLIENT_MANAGER "invoice_view_ind_manager";
  114.     const ACL_PERM_VIEW_PDF "invoice_view_pdf";
  115.     const ACL_PERM_VIEW_PDF_SOCIETY "invoice_view_pdf_society";
  116.     const ACL_PERM_VIEW_PDF_MANAGER "invoice_view_pdf_manager";
  117.     const ACL_PERM_VIEW_PDF_CLIENT_MANAGER "invoice_view_pdf_ind_manager";
  119.     const ACL_PERM_EDIT "invoice_edit";
  120.     const ACL_PERM_EDIT_SOCIETY "invoice_edit_society";
  121.     const ACL_PERM_EDIT_MANAGER "invoice_edit_manager";
  122.     const ACL_PERM_EDIT_CLIENT_MANAGER "invoice_edit_ind_manager";
  124.     const ACL_PERM_EDIT_ANNULLED "invoice_edit_annulled";
  126.     const ACL_PERM_ANNUL "invoice_annul";
  127.     const ACL_PERM_ANNUL_SOCIETY "invoice_annul_society";
  129.     const ACL_PERM_REVIVE "invoice_revive";
  130.     const ACL_PERM_REVIVE_SOCIETY "invoice_revive_society";
  132.     //--------------------------------------------------------------------------------
  134.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrineModuleTools $moduleToolsOptionConfigTools $optionConfigToolsLogTools $logTools)
  135.     {
  136.         $this->accessDecisionManager $accessDecisionManager;
  137.         $this->em $doctrine->getManager();
  138.         $this->moduleTools $moduleTools;
  139.         $this->optionConfigTools $optionConfigTools;
  140.         $this->logTools $logTools;
  142.         $this->aclRepository $this->em->getRepository(Acl::class);
  143.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  144.     }
  146.     // Plan.io Task #4453 [See AccessVoter for details]
  147.     public function supportsAttribute(string $attribute): bool
  148.     {
  149.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  150.     }
  152.     protected function supports(string $attribute$subject): bool
  153.     {
  154.         // if the attribute isn't one we support, return false
  155.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  156.         {
  157.             return false;
  158.         }
  160.         // Only vote on Invoice and Mission objects inside this voter
  161.         // ... and Devis (Plan.io #3605)
  162.         if ($subject !== null && !($subject instanceof Invoice || $subject instanceof Mission || $subject instanceof Devis))
  163.         {
  164.             return false;
  165.         }
  167.         return true;
  168.     }
  170.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  171.     {
  172.         $user $token->getUser();
  174.         // Plan.io Task #3707
  175.         if ($user instanceof AccessAPI)
  176.         {
  177.             if ($user->getAccess() === null)
  178.             {
  179.                 return false;
  180.             }
  181.             $user $user->getAccess();
  182.         }
  184.         // Plan.io Task #3707
  185.         // At this point $user is an object of Access type
  186.         // even if the $token->getUser() is AccessAPI
  187.         if (!$user instanceof Access)
  188.         {
  189.             // the user must be logged in; if not, deny access
  190.             return false;
  191.         }
  193.         // The user must have a function; if not deny access
  194.         $function $user->getFunction();
  195.         if ($function === null)        return false;
  197.         // Plan.io Task #3710 : Get current group
  198.         $currentGroup $user->getSocietyGroup();
  199.         if ($currentGroup === null)
  200.             return false;
  202.         $this->currentGroup $currentGroup;
  204.         // Module activated ?
  205.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_INVOICE))
  206.         {
  207.             return false;
  208.         }
  210.         $invoice null;
  211.         $mission null;
  213.         if ($subject instanceof Invoice)
  214.         {
  215.             /** @var Invoice $invoice */
  216.             $invoice $subject;
  218.             // Check current group affectation
  219.             // Make an exception for "view/pdf" : take sharing into account
  220.             if ($invoice !== null)
  221.             {
  222.                 $invoiceSociety $invoice->getSociety();
  223.                 if ($invoiceSociety === null)
  224.                     return false;
  225.                 $invoiceSocietyGroup $invoiceSociety->getGroup();
  226.                 if ($invoiceSocietyGroup === null)
  227.                     return false;
  229.                 if (!in_array($attributeself::IS_GRANTED_CONSTANTS_SHARING_EXCEPTION))
  230.                 {
  231.                     // Just check currentGroup
  232.                     if (!$currentGroup->equals($invoiceSocietyGroup))
  233.                         return false;
  234.                 }
  235.                 else
  236.                 {
  237.                     // Take sharing into account
  238.                     // If the invoice belongs to a mission that was created by the currentGroup
  239.                     // (invoice.mission.societyGroupAuthor == currentGroup)
  240.                     // Then it can see the invoice
  241.                     if (!$currentGroup->equals($invoiceSocietyGroup))
  242.                     {
  243.                         if ($invoice->getMission() !== null)
  244.                         {
  245.                             $missionSocietyGroupAuthor $invoice->getMission()->getSocietyGroupAuthor();
  247.                             if (!$currentGroup->equals($missionSocietyGroupAuthor))
  248.                             {
  249.                                 return false;
  250.                             }
  251.                         }
  252.                     }
  253.                 }
  254.             }
  255.         }
  256.         else
  257.         {
  258.             if ($subject instanceof Mission)
  259.             {
  260.                 /** @var Mission $mission */
  261.                 $mission $subject;
  263.                 // Plan.io Task #3517
  264.                 // Adding an invoice counts as editing a mission
  265.                 // So check if the current user has access to this mission
  266.                 // If this is too restrictive, change 'edit_mission' with 'view_mission'
  267.                 // 'view_mission' is better ;)
  268.                 if (!$this->accessDecisionManager->decide($token, ['view_mission'], $mission))
  269.                 {
  270.                     return false;
  271.                 }
  272.             }
  273.         }
  275.         switch ($attribute)
  276.         {
  277.             case self::IS_ACTIVE:
  278.                 return true;
  280.             case self::IS_ACTIVE_INVOICE_AUTO_ACCOUNT:
  281.             {
  282.                 return $this->optionConfigTools->isActive_InvoiceAutoAccount($currentGroup);
  283.             }
  285.             case self::ADD:
  286.             {
  287.                 // addSimple :: $devis
  288.                 // addCredit :: $invoice
  289.                 // addFree :: $mission
  290.                 return $this->canAdd($subject$user$function);
  291.             }
  293.             case self::EDIT_SOME_INVOICES:
  294.             {
  295.                 // Plan.io Task #4326
  296.                 return $this->canEditSomeInvoices($user$function);
  297.             }
  299.             case self::CONVERT_DRAFT:
  300.             {
  301.                 // Plan.io Task #4326
  302.                 // addFromDraft :: $draft instanceof Invoice
  303.                 return $this->canConvertDraft($subject$user$function);
  304.             }
  306.             case self::DELETE_DRAFT:
  307.             {
  308.                 // Plan.io Task #4326
  309.                 // addFromDraft :: $draft instanceof Invoice
  310.                 return $this->canDeleteDraft($subject$user$function);
  311.             }
  313.             // Plan.io Task #3605
  314.             case self::ADD_PART:
  315.             {
  316.                 // addPartial :: $devis
  317.                 // addPartialForSociety :: $devis
  318.                 return $this->canAddPart($subject$user$function);
  319.             }
  321.             case self::LISTING:
  322.                 return $this->canList($invoice$user$function);
  323.             case self::LISTING_SOCIETY:
  324.                 return $this->canListSociety($invoice$user$function);
  325.             case self::LISTING_MANAGER:
  326.                 return $this->canListManager($invoice$user$function);
  328.             case self::LISTING_ANY:
  329.                 return $this->canListAny($invoice$user$function);
  331.             case self::VIEW:
  332.                 return $this->canView($invoice$user$function);
  333.             case self::VIEW_PDF:
  334.                 return $this->canViewPdf($invoice$user$function);
  336.             case self::EDIT:
  337.                 return $this->canEdit($invoice$user$function);
  339.             case self::EDIT_ANNULLED:
  340.                 return $this->canEditAnnulled($invoice$user$function);
  342.             case self::DELETE:
  343.                 return $this->canDelete($invoice$user$function);
  344.             case self::ANNUL:
  345.                 return $this->canAnnul($invoice$user$function);
  346.             case self::REVIVE:
  347.                 return $this->canRevive($invoice$user$function);
  349.             case self::HANDLE_INSTALLMENT:
  350.                 return $this->canHandleInstallment($invoice$user$function);
  351.         }
  353.         throw new \LogicException('This code should not be reached!');
  354.     }
  356.     // $access is the user trying to load the resource
  357.     // $invoice is the resource being loaded
  359.     // Check if the Society of the resource
  360.     // belongs to the societies of the $access
  361.     private function checkSociety(Invoice $invoiceAccess $access)
  362.     {
  363.         // Get all the societies of the access
  364.         $societies $access->getSocieties();
  366.         // Get the Society of the Invoice
  367.         $invoiceSociety $invoice->getSociety();
  369.         if ($invoiceSociety === null)
  370.             return false;
  372.         $found false;
  373.         foreach ($societies as $society)
  374.         {
  375.             if ($society->getId() == $invoiceSociety->getId())
  376.             {
  377.                 $found true;
  378.                 break;
  379.             }
  380.         }
  381.         return $found;
  382.     }
  384.     // Check if the $access is the manager / author of the $invoice
  385.     private function checkManager(Invoice $invoiceAccess $access)
  386.     {
  387.         // Get manager
  388.         $manager $invoice->getManager();
  389.         $author $invoice->getManager();
  391.         if ($manager === null && $author === null)
  392.             return false;
  394.         if ($manager !== null)
  395.             if ($manager->getId() === $access->getId())
  396.                 return true;
  398.         if ($author !== null)
  399.             if ($author->getId() === $access->getId())
  400.                 return true;
  402.         return false;
  403.     }
  405.     // Check if the $access is the manager of the $invoice
  406.     private function checkClientManager(Invoice $invoiceAccess $access)
  407.     {
  408.         // Get Client
  409.         $client $invoice->getReceiver();
  410.         if ($client === null)
  411.             return false;
  413.         if ($client->getIndividual() !== null)
  414.         {
  415.             // Only Individuals have managers
  416.             // Get manager
  417.             $manager $invoice->getReceiver()->getIndividual()->getManager();
  418.             if ($manager === null)
  419.                 return false;
  421.             if ($manager->getId() === $access->getId())
  422.                 return true;
  423.         }
  425.         return false;
  426.     }
  428.     private function canAdd($subjectAccess $userAccessFunction $function)
  429.     {
  430.         if ($subject instanceof Invoice)
  431.         {
  432.             // Plan.io Task #4326
  433.             // No adding invoices for drafts
  434.             if ($subject->isDraft())
  435.             {
  436.                 return false;
  437.             }
  438.         }
  439.         return $this->commonAddConditions($subject$user$function);
  440.     }
  442.     // Plan.io Task #4326
  443.     private function canDeleteDraft(Invoice $draftAccess $userAccessFunction $function)
  444.     {
  445.         // No deleting invoices
  446.         if ($draft->isNotDraft())
  447.         {
  448.             return false;
  449.         }
  451.         return $this->commonEditConditions($draft$user$function);
  452.     }
  454.     // Plan.io Task #4326
  455.     private function canConvertDraft(Invoice $draftAccess $userAccessFunction $function)
  456.     {
  457.         // No converting invoices
  458.         if ($draft->isNotDraft())
  459.         {
  460.             return false;
  461.         }
  463.         return $this->commonAddConditions($draft$user$function);
  464.     }
  466.     private function commonAddConditions($subjectAccess $userAccessFunction $function)
  467.     {
  468.         if ($subject instanceof Invoice)
  469.         {
  470.             $mission $subject->getMission();
  471.         }
  472.         else
  473.         {
  474.             if ($subject instanceof Devis)
  475.             {
  476.                 $mission $subject->getMission();
  477.             }
  478.             else
  479.             {
  480.                 if ($subject instanceof Mission)
  481.                 {
  482.                     $mission $subject;
  483.                 }
  484.                 else
  485.                 {
  486.                     return false;
  487.                 }
  488.             }
  489.         }
  491.         if ($mission === null)
  492.         {
  493.             return false;
  494.         }
  496.         // Deny actions on archivedRefused objects
  497.         if ($mission->isArchivedRefused())
  498.         {
  499.             return false;
  500.         }
  502.         // If the mission is shared and the author is the current group, deny adding devis
  503.         // When a mission is shared, the author cannot edit it
  504.         if ($mission->isShared())
  505.         {
  506.             if ($mission->isSharedBySocietyGroup($this->currentGroup))
  507.             {
  508.                 return false;
  509.             }
  510.         }
  512.         // Get AclPermission
  513.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  514.         if ($aclPerm === null)        return false;
  516.         // Get Acl
  517.         $acl $this->aclRepository->findOneBy(array(
  518.             'function'        =>    $function,
  519.             'permission'    =>    $aclPerm
  520.         ));
  521.         if ($acl === null)        return false;
  523.         // Since only one acl type can exist
  524.         // we can return the result of the acl_permission
  525.         return $acl->getValue();
  526.     }
  528.     // Plan.io Task #3605
  529.     private function canAddPart(Devis $devisAccess $userAccessFunction $function)
  530.     {
  531.         if (!$this->canAdd($devis->getMission(), $user$function))
  532.         {
  533.             // Deny if no permission to add any kind of invoices
  534.             return false;
  535.         }
  536.         if ($devis->getGhost() !== null)
  537.         {
  538.             // Deny permission if devis has a ghost
  539.             return false;
  540.         }
  542.         // Plan.io Task #4328
  543.         if ($devis->hasEcoBonus())
  544.         {
  545.             // Deny permission if devis has ecobonus
  546.             return false;
  547.         }
  549.         // Allow
  550.         return true;
  551.     }
  553.     private function canEditAnnulled(Invoice $invoice nullAccess $userAccessFunction $function)
  554.     {
  555.         // Plan.io Task #4326 : Deny on everything that is not a Draft
  556.         if ($invoice->isNotDraft())
  557.         {
  558.             return false;
  559.         }
  561.         // Plan.io Task #3897 : Deny on Group Invoices
  562.         if ($invoice->isGroup())
  563.         {
  564.             return false;
  565.         }
  567.         // Deny edit on archivedRefused objects
  568.         if ($invoice->isArchivedRefused())
  569.         {
  570.             return false;
  571.         }
  573.         // Get AclPermission
  574.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_ANNULLED);
  575.         if ($aclPerm === null)        return false;
  577.         // Get Acl
  578.         $acl $this->aclRepository->findOneBy(array(
  579.             'function'        =>    $function,
  580.             'permission'    =>    $aclPerm
  581.         ));
  582.         if ($acl === null)        return false;
  584.         // Since only one acl type can exist
  585.         // we can return the result of the acl_permission
  586.         return $acl->getValue();
  587.     }
  589.     private function canList(Invoice $invoice nullAccess $userAccessFunction $function)
  590.     {
  591.         // Get AclPermission
  592.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  593.         if ($aclPerm === null)        return false;
  595.         // Get Acl
  596.         $acl $this->aclRepository->findOneBy(array(
  597.             'function'        =>    $function,
  598.             'permission'    =>    $aclPerm
  599.         ));
  600.         if ($acl === null)        return false;
  602.         // Since only one acl type can exist
  603.         // we can return the result of the acl_permission
  604.         return $acl->getValue();
  605.     }
  607.     private function canListSociety(Invoice $invoice nullAccess $userAccessFunction $function)
  608.     {
  609.         // Get AclPermission
  610.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  611.         if ($aclPerm === null)        return false;
  613.         // Get Acl
  614.         $acl $this->aclRepository->findOneBy(array(
  615.             'function'        =>    $function,
  616.             'permission'    =>    $aclPerm
  617.         ));
  618.         if ($acl === null)        return false;
  620.         // Since only one acl type can exist
  621.         // we can return the result of the acl_permission
  622.         // Further filtering is done in the Controller
  623.         return $acl->getValue();
  624.     }
  626.     private function canListManager(Invoice $invoice nullAccess $userAccessFunction $function)
  627.     {
  628.         // Get AclPermission
  629.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  630.         if ($aclPerm === null)        return false;
  632.         // Get Acl
  633.         $acl $this->aclRepository->findOneBy(array(
  634.             'function'        =>    $function,
  635.             'permission'    =>    $aclPerm
  636.         ));
  637.         if ($acl === null)        return false;
  639.         // Since only one acl type can exist
  640.         // we can return the result of the acl_permission
  641.         // Further filtering is done in the Controller
  642.         return $acl->getValue();
  643.     }
  645.     private function canListAny(Invoice $invoice nullAccess $userAccessFunction $function)
  646.     {
  647.         // Three AclPermission may exist
  648.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  649.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  650.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  652.         // If all are null, exit
  653.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  654.             return false;
  656.         // Get First one
  657.         if ($aclPerm !== null)
  658.         {
  659.             $acl $this->aclRepository->findOneBy(array(
  660.                 'function'        =>    $function,
  661.                 'permission'    =>    $aclPerm
  662.             ));
  663.             if ($acl !== null)
  664.             {
  665.                 if ($acl->getValue())
  666.                 {
  667.                     // A single positive answer is enough
  668.                     return true;
  669.                 }
  670.             }
  671.         }
  672.         // If we are here it means that nothing good has been found
  673.         // Load second permission
  674.         if ($aclPermSociety !== null)
  675.         {
  676.             $acl $this->aclRepository->findOneBy(array(
  677.                 'function'        =>    $function,
  678.                 'permission'    =>    $aclPermSociety
  679.             ));
  680.             if ($acl !== null)
  681.             {
  682.                 if ($acl->getValue())
  683.                 {
  684.                     // A single positive answer is enough
  685.                     return true;
  686.                 }
  687.             }
  688.         }
  690.         // If we are here it means that nothing good has been found
  691.         // Load third permission
  692.         if ($aclPermManager !== null)
  693.         {
  694.             $acl $this->aclRepository->findOneBy(array(
  695.                 'function'        =>    $function,
  696.                 'permission'    =>    $aclPermManager
  697.             ));
  698.             if ($acl !== null)
  699.             {
  700.                 if ($acl->getValue())
  701.                 {
  702.                     // A single positive answer is enough
  703.                     return true;
  704.                 }
  705.             }
  706.         }
  708.         // If we are here, all hope is lost
  709.         return false;
  710.     }
  712.     private function canView(Invoice $invoice nullAccess $userAccessFunction $function)
  713.     {
  714.         // Four AclPermission may exist
  715.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  716.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  717.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_MANAGER);
  718.         $aclPermClientManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_CLIENT_MANAGER);
  720.         // If all are null, exit
  721.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null && $aclPermClientManager)
  722.             return false;
  724.         // Get First one
  725.         if ($aclPerm !== null)
  726.         {
  727.             $acl $this->aclRepository->findOneBy(array(
  728.                 'function'        =>    $function,
  729.                 'permission'    =>    $aclPerm
  730.             ));
  731.             if ($acl !== null)
  732.             {
  733.                 if ($acl->getValue())
  734.                 {
  735.                     // A single positive answer is enough
  736.                     return true;
  737.                 }
  738.             }
  739.         }
  740.         // If we are here it means that nothing good has been found
  741.         // Load second permission
  742.         if ($aclPermSociety !== null)
  743.         {
  744.             $acl $this->aclRepository->findOneBy(array(
  745.                 'function'        =>    $function,
  746.                 'permission'    =>    $aclPermSociety
  747.             ));
  748.             if ($acl !== null)
  749.             {
  750.                 if ($acl->getValue())
  751.                 {
  752.                     // A single positive answer is enough
  753.                     // In this case the good answer will be provided by the checkSociety
  754.                     return $this->checkSociety($invoice$user);
  755.                 }
  756.             }
  757.         }
  758.         // If we are here it means that nothing good has been found
  759.         // Load third permission
  760.         if ($aclPermManager !== null)
  761.         {
  762.             $acl $this->aclRepository->findOneBy(array(
  763.                 'function'        =>    $function,
  764.                 'permission'    =>    $aclPermManager
  765.             ));
  766.             if ($acl !== null)
  767.             {
  768.                 if ($acl->getValue())
  769.                 {
  770.                     // A single positive answer is enough
  771.                     // In this case the good answer will be provided by the checkSociety
  772.                     return $this->checkManager($invoice$user);
  773.                 }
  774.             }
  775.         }
  776.         // If we are here it means that nothing good has been found
  777.         // Load fourth permission
  778.         if ($aclPermClientManager !== null)
  779.         {
  780.             $acl $this->aclRepository->findOneBy(array(
  781.                 'function'        =>    $function,
  782.                 'permission'    =>    $aclPermClientManager
  783.             ));
  784.             if ($acl !== null)
  785.             {
  786.                 if ($acl->getValue())
  787.                 {
  788.                     // A single positive answer is enough
  789.                     // In this case the good answer will be provided by the checkSociety
  790.                     return $this->checkClientManager($invoice$user);
  791.                 }
  792.             }
  793.         }
  794.         // If we are here, all hope is lost
  795.         return false;
  796.     }
  798.     private function canViewPdf(Invoice $invoice nullAccess $userAccessFunction $function)
  799.     {
  800.         // Four AclPermission may exist
  801.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF);
  802.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_SOCIETY);
  803.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_MANAGER);
  804.         $aclPermClientManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_CLIENT_MANAGER);
  806.         // If all are null, exit
  807.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null && $aclPermClientManager === null)
  808.             return false;
  810.         // Get First one
  811.         if ($aclPerm !== null)
  812.         {
  813.             $acl $this->aclRepository->findOneBy(array(
  814.                 'function'        =>    $function,
  815.                 'permission'    =>    $aclPerm
  816.             ));
  817.             if ($acl !== null)
  818.             {
  819.                 if ($acl->getValue())
  820.                 {
  821.                     // A single positive answer is enough
  822.                     return true;
  823.                 }
  824.             }
  825.         }
  826.         // If we are here it means that nothing good has been found
  827.         // Load second permission
  828.         if ($aclPermSociety !== null)
  829.         {
  830.             $acl $this->aclRepository->findOneBy(array(
  831.                 'function'        =>    $function,
  832.                 'permission'    =>    $aclPermSociety
  833.             ));
  834.             if ($acl !== null)
  835.             {
  836.                 if ($acl->getValue())
  837.                 {
  838.                     // A single positive answer is enough
  839.                     // In this case the good answer will be provided by the checkSociety
  840.                     return $this->checkSociety($invoice$user);
  841.                 }
  842.             }
  843.         }
  844.         // If we are here it means that nothing good has been found
  845.         // Load third permission
  846.         if ($aclPermManager !== null)
  847.         {
  848.             $acl $this->aclRepository->findOneBy(array(
  849.                 'function'        =>    $function,
  850.                 'permission'    =>    $aclPermManager
  851.             ));
  852.             if ($acl !== null)
  853.             {
  854.                 if ($acl->getValue())
  855.                 {
  856.                     // A single positive answer is enough
  857.                     // In this case the good answer will be provided by the checkSociety
  858.                     return $this->checkManager($invoice$user);
  859.                 }
  860.             }
  861.         }
  862.         // If we are here it means that nothing good has been found
  863.         // Load fourth permission
  864.         if ($aclPermClientManager !== null)
  865.         {
  866.             $acl $this->aclRepository->findOneBy(array(
  867.                 'function'        =>    $function,
  868.                 'permission'    =>    $aclPermClientManager
  869.             ));
  870.             if ($acl !== null)
  871.             {
  872.                 if ($acl->getValue())
  873.                 {
  874.                     // A single positive answer is enough
  875.                     // In this case the good answer will be provided by the checkSociety
  876.                     return $this->checkClientManager($invoice$user);
  877.                 }
  878.             }
  879.         }
  880.         // If we are here, all hope is lost
  881.         return false;
  882.     }
  884.     private function canHandleInstallment(Invoice $invoiceAccess $userAccessFunction $function)
  885.     {
  886.         return $this->commonEditConditions($invoice$user$function);
  887.     }
  889.     private function canEdit(Invoice $invoice nullAccess $userAccessFunction $function)
  890.     {
  891.         // Plan.io Task #4326 : Deny on everything that is not a Draft
  892.         if ($invoice->isNotDraft())
  893.         {
  894.             return false;
  895.         }
  897.         // Plan.io Task #4328
  898.         if ($this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_ECO_BONUS) && $invoice->hasEcoBonus())
  899.         {
  900.             // Deny permission if devis has ecobonus
  901.             return false;
  902.         }
  904.         return $this->commonEditConditions($invoice$user$function);
  905.     }
  907.     private function commonEditConditions(Invoice $invoice nullAccess $userAccessFunction $function)
  908.     {
  909.         // Plan.io Task #3897 : Deny on Group Invoices
  910.         if ($invoice->isGroup())
  911.         {
  912.             return false;
  913.         }
  915.         // Deny edit on archivedRefused objects
  916.         if ($invoice->isArchivedRefused())
  917.         {
  918.             return false;
  919.         }
  921.         // No edditing on annulled invoices
  922.         if ($invoice->isAnnulled())
  923.         {
  924.             return false;
  925.         }
  927.         // Plan.io Task #4208 : Invoices should never be annulled,
  928.         // so even if the Invoice has a Credit, allow editing it
  929.         // No edditing on invoices that have been "annuled" (with credit)
  930.         // $credit = $this->em->getRepository(Invoice::class)->findOneByCreditInvoice($invoice);
  931.         // if ($credit !== null)
  932.         //     return false;
  934.         // Four AclPermission may exist
  935.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  936.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  937.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_MANAGER);
  938.         $aclPermClientManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_CLIENT_MANAGER);
  940.         // If all are null, exit
  941.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null && $aclPermClientManager)
  942.             return false;
  944.         // Get First one
  945.         if ($aclPerm !== null)
  946.         {
  947.             $acl $this->aclRepository->findOneBy(array(
  948.                 'function'        =>    $function,
  949.                 'permission'    =>    $aclPerm
  950.             ));
  951.             if ($acl !== null)
  952.             {
  953.                 if ($acl->getValue())
  954.                 {
  955.                     // A single positive answer is enough
  956.                     return true;
  957.                 }
  958.             }
  959.         }
  960.         // If we are here it means that nothing good has been found
  961.         // Load second permission
  962.         if ($aclPermSociety !== null)
  963.         {
  964.             $acl $this->aclRepository->findOneBy(array(
  965.                 'function'        =>    $function,
  966.                 'permission'    =>    $aclPermSociety
  967.             ));
  968.             if ($acl !== null)
  969.             {
  970.                 if ($acl->getValue())
  971.                 {
  972.                     // A single positive answer is enough
  973.                     // In this case the good answer will be provided by the checkSociety
  974.                     return $this->checkSociety($invoice$user);
  975.                 }
  976.             }
  977.         }
  978.         // If we are here it means that nothing good has been found
  979.         // Load third permission
  980.         if ($aclPermManager !== null)
  981.         {
  982.             $acl $this->aclRepository->findOneBy(array(
  983.                 'function'        =>    $function,
  984.                 'permission'    =>    $aclPermManager
  985.             ));
  986.             if ($acl !== null)
  987.             {
  988.                 if ($acl->getValue())
  989.                 {
  990.                     // A single positive answer is enough
  991.                     // In this case the good answer will be provided by the checkSociety
  992.                     return $this->checkManager($invoice$user);
  993.                 }
  994.             }
  995.         }
  996.         // If we are here it means that nothing good has been found
  997.         // Load fourth permission
  998.         if ($aclPermClientManager !== null)
  999.         {
  1000.             $acl $this->aclRepository->findOneBy(array(
  1001.                 'function'        =>    $function,
  1002.                 'permission'    =>    $aclPermClientManager
  1003.             ));
  1004.             if ($acl !== null)
  1005.             {
  1006.                 if ($acl->getValue())
  1007.                 {
  1008.                     // A single positive answer is enough
  1009.                     // In this case the good answer will be provided by the checkSociety
  1010.                     return $this->checkClientManager($invoice$user);
  1011.                 }
  1012.             }
  1013.         }
  1014.         // If we are here, all hope is lost
  1015.         return false;
  1016.     }
  1018.     private function canDelete(Invoice $invoice nullAccess $userAccessFunction $function)
  1019.     {
  1020.         return false;
  1021.     }
  1023.     private function canAnnul(Invoice $invoice nullAccess $userAccessFunction $function)
  1024.     {
  1025.         // We no longer annul invoices
  1026.         return false;
  1027.     }
  1029.     private function canRevive(Invoice $invoice nullAccess $userAccessFunction $function)
  1030.     {
  1031.         // We no longer annul & revive invoices
  1032.         return false;
  1033.     }
  1035.     // Plan.io Task #4326
  1036.     // I need some restrictions on the actions that can be done via the invoices list
  1037.     // ie. convert drafts, delete drafts (for now at least ...)
  1038.     // So check if the user has at least one edit permission active
  1039.     private function canEditSomeInvoices(Access $userAccessFunction $function)
  1040.     {
  1041.         // Four AclPermission may exist
  1042.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  1043.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  1044.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_MANAGER);
  1045.         $aclPermClientManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_CLIENT_MANAGER);
  1047.         // If all are null, exit
  1048.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null && $aclPermClientManager)
  1049.             return false;
  1051.         // Get First one
  1052.         if ($aclPerm !== null)
  1053.         {
  1054.             $acl $this->aclRepository->findOneBy(array(
  1055.                 'function'        =>    $function,
  1056.                 'permission'    =>    $aclPerm
  1057.             ));
  1058.             if ($acl !== null)
  1059.             {
  1060.                 if ($acl->getValue())
  1061.                 {
  1062.                     // A single positive answer is enough
  1063.                     return true;
  1064.                 }
  1065.             }
  1066.         }
  1067.         // If we are here it means that nothing good has been found
  1068.         // Load second permission
  1069.         if ($aclPermSociety !== null)
  1070.         {
  1071.             $acl $this->aclRepository->findOneBy(array(
  1072.                 'function'        =>    $function,
  1073.                 'permission'    =>    $aclPermSociety
  1074.             ));
  1075.             if ($acl !== null)
  1076.             {
  1077.                 if ($acl->getValue())
  1078.                 {
  1079.                     // A single positive answer is enough
  1080.                     return true;
  1081.                 }
  1082.             }
  1083.         }
  1084.         // If we are here it means that nothing good has been found
  1085.         // Load third permission
  1086.         if ($aclPermManager !== null)
  1087.         {
  1088.             $acl $this->aclRepository->findOneBy(array(
  1089.                 'function'        =>    $function,
  1090.                 'permission'    =>    $aclPermManager
  1091.             ));
  1092.             if ($acl !== null)
  1093.             {
  1094.                 if ($acl->getValue())
  1095.                 {
  1096.                     // A single positive answer is enough
  1097.                     return true;
  1098.                 }
  1099.             }
  1100.         }
  1101.         // If we are here it means that nothing good has been found
  1102.         // Load fourth permission
  1103.         if ($aclPermClientManager !== null)
  1104.         {
  1105.             $acl $this->aclRepository->findOneBy(array(
  1106.                 'function'        =>    $function,
  1107.                 'permission'    =>    $aclPermClientManager
  1108.             ));
  1109.             if ($acl !== null)
  1110.             {
  1111.                 if ($acl->getValue())
  1112.                 {
  1113.                     // A single positive answer is enough
  1114.                     return true;
  1115.                 }
  1116.             }
  1117.         }
  1118.         // If we are here, all hope is lost
  1119.         return false;
  1120.     }
  1121. }