src/Security/MissionShareDemandVoter.php line 69

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/MissionShareDemandVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Doctrine\Persistence\ManagerRegistry;
  12. use App\Entity\Access;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Mission\Mission;
  17. use App\Entity\Mission\MissionShareDemand;
  18. use App\Entity\Platform\SocietyGroup\SocietyGroupFavorite;
  19. use App\Entity\Security\Acl;
  20. use App\Entity\Security\AclPermission;
  21. use App\Services\LogTools;
  22. use App\Services\Config\ModuleTools;
  24. class MissionShareDemandVoter extends Voter
  25. {
  26.     //--------------------------------------------------------------------------------
  27.     // is_granted constants
  29.     // Limit Commissions to JCAF SocietyGroup for now
  30.     const USE_MISSION_SHARE_COMMISSIONS "use_mission_share_commissions";
  32.     // The ones below apply to the demands belonging to the current society group
  33.     const ANNUL_SHARE "annul_share_mission_demand";
  35.     // The ones below apply to the demands shared with the current society group
  36.     const LISTING "list_shared_mission_demands";
  37.     const VIEW "view_shared_mission_demand";
  39.     const ACCEPT "accept_shared_mission_demand";
  40.     const REFUSE "refuse_shared_mission_demand";
  41.     const ACCEPT_OR_REFUSE "accept_or_refuse_shared_mission_demand";
  42.     const REFUSE_ACCEPTED "refuse_accepted_shared_mission_demand";
  44.     const IS_GRANTED_CONSTANTS = array(
  45.         self::USE_MISSION_SHARE_COMMISSIONS,
  47.         self::ANNUL_SHARE,
  49.         self::LISTING,
  50.         self::VIEW,
  52.         self::ACCEPT,
  53.         self::REFUSE,
  54.         self::ACCEPT_OR_REFUSE,
  55.         self::REFUSE_ACCEPTED,
  56.     );
  58.     //--------------------------------------------------------------------------------
  59.     // acl constants
  61.     // The ones below apply to the demands shared with the current society group
  62.     const ACL_PERM_LIST 'mission_shared_list';
  63.     const ACL_PERM_ACCEPT_REFUSE 'mission_shared_accept_refuse';
  65.     //--------------------------------------------------------------------------------
  67.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrineModuleTools $moduleToolsLogTools $logTools)
  68.     {
  69.         $this->accessDecisionManager $accessDecisionManager;
  70.         $this->em $doctrine->getManager();
  71.         $this->moduleTools $moduleTools;
  72.         $this->logTools $logTools;
  74.         $this->aclRepository $this->em->getRepository(Acl::class);
  75.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  76.     }
  78.     // Plan.io Task #4453 [See AccessVoter for details]
  79.     public function supportsAttribute(string $attribute): bool
  80.     {
  81.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  82.     }
  83.     
  84.     protected function supports(string $attribute$subject): bool
  85.     {
  86.         // if the attribute isn't one we support, return false
  87.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  88.         {
  89.             return false;
  90.         }
  92.         // only vote on MissionShareDemand objects inside this voter
  93.         if ($subject !== null && !$subject instanceof MissionShareDemand)
  94.         {
  95.             return false;
  96.         }
  98.         return true;
  99.     }
  101.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  102.     {
  103.         $user $token->getUser();
  105.         if (!$user instanceof Access)
  106.         {
  107.             // the user must be logged in; if not, deny access
  108.             return false;
  109.         }
  111.         // The user must have a function; if not deny access
  112.         $function $user->getFunction();
  113.         if ($function === null)        return false;
  115.         // Plan.io Task #3710 : Get current group
  116.         $currentGroup $user->getSocietyGroup();
  117.         if ($currentGroup === null)
  118.             return false;
  120.         $this->currentGroup $currentGroup;
  122.         // This one also needs clients or clients light
  123.         if (
  124.             $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_CLIENT) &&
  125.             $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_CLIENT_LIGHT)
  126.             )
  127.         {
  128.             return false;
  129.         }
  131.         // you know $subject is a MissionShareDemand object, thanks to supports
  132.         /** @var MissionShareDemand $missionShareDemand */
  133.         $missionShareDemand $subject;
  135.         switch ($attribute)
  136.         {
  137.             case self::USE_MISSION_SHARE_COMMISSIONS:
  138.                 return $this->canUseMissionShareCommissions();
  140.             case self::ANNUL_SHARE:
  141.                 return $this->canAnnulShare($missionShareDemand$user$function$token);
  143.             case self::LISTING:
  144.                 return $this->canList($user$function);
  146.             case self::VIEW:
  147.                 return $this->canView($missionShareDemand$user$function);
  149.             case self::ACCEPT:
  150.                 return $this->canAcceptOrRefuse($missionShareDemand$user$function);
  152.             case self::REFUSE:
  153.                 return $this->canAcceptOrRefuse($missionShareDemand$user$function);
  155.             case self::REFUSE_ACCEPTED:
  156.             {
  157.                 return $this->canRefuseAccepted($missionShareDemand$user$function);
  158.             }
  161.             case self::ACCEPT_OR_REFUSE:
  162.                 return $this->canAcceptOrRefuse($missionShareDemand$user$function);
  163.         }
  165.         throw new \LogicException('This code should not be reached!');
  166.     }
  168.     private function canUseMissionShareCommissions()
  169.     {
  170.         if ($this->currentGroup->isJcaf())
  171.         {
  172.             return true;
  173.         }
  174.         return false;
  175.     }
  177.     private function canAnnulShare(MissionShareDemand $missionShareDemandAccess $userAccessFunction $function$token)
  178.     {
  179.         // This requires the sharing module to be activated
  180.         if ($this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_PLUS))
  181.         {
  182.             return false;
  183.         }
  185.         // Check current group affectation
  186.         // A society group can only annul the demands it has created
  187.         $missionShareDemandGroup $missionShareDemand->getEmitter();
  188.         if ($missionShareDemandGroup === null)
  189.             return false;
  190.         if (!$this->currentGroup->equals($missionShareDemandGroup))
  191.             return false;
  193.         // Cannot annul a demand that is accepted / expired / refused / annulled
  194.         // Always check expiration first
  195.         if ($missionShareDemand->isExpired())
  196.         {
  197.             return false;
  198.         }
  200.         if ($missionShareDemand->isAccepted())
  201.         {
  202.             return false;
  203.         }
  205.         if ($missionShareDemand->isRefused())
  206.         {
  207.             return false;
  208.         }
  210.         if ($missionShareDemand->isAnnulled())
  211.         {
  212.             return false;
  213.         }
  215.         // All looks good
  216.         // Apply standard sharing conditions
  217.         return $this->accessDecisionManager->decide($token, ['share_mission'], $missionShareDemand->getMission());
  218.     }
  220.     private function canList(Access $userAccessFunction $function)
  221.     {
  222.         // Module activated ?
  223.         // At least one, not necessarly the plus one
  224.         // MODULE_MISSION_PLUS is required only if we want to share missions,
  225.         // not accept / refuse missions shared with us
  226.         if (
  227.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION) &&
  228.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_LIGHT) &&
  229.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_PLUS)
  230.             )
  231.         {
  232.             return false;
  233.         }
  235.         // Task plan.io #4096
  236.         // Check has favorite
  237.         $societyGroupFavorites $this->em->getRepository(SocietyGroupFavorite::class)
  238.             ->findBy(array('favorite' => $user->getSocietyGroup(),));
  239.         if (sizeof($societyGroupFavorites) < 1)
  240.         {
  241.             return false;
  242.         }
  244.         // Get Acl_Permission
  245.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  246.         if ($aclPerm === null)        return false;
  248.         // Get Acl
  249.         $acl $this->aclRepository->findOneBy(array(
  250.             'function'        =>    $function,
  251.             'permission'    =>    $aclPerm
  252.         ));
  253.         if ($acl === null)        return false;
  255.         // Since only one acl type can exist
  256.         // we can return the result of the acl_permission
  257.         return $acl->getValue();
  258.     }
  260.     // Can View a MissionShareDemand that has been shared with my society group
  261.     private function canView(MissionShareDemand $missionShareDemandAccess $userAccessFunction $function)
  262.     {
  263.         // Module activated ?
  264.         // At least one, not necessarly the plus one
  265.         // MODULE_MISSION_PLUS is required only if we want to share missions,
  266.         // not accept / refuse missions shared with us
  267.         if (
  268.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION) &&
  269.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_LIGHT) &&
  270.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_PLUS)
  271.             )
  272.         {
  273.             return false;
  274.         }
  276.         $mission $missionShareDemand->getMission();
  277.         if ($mission === null)
  278.         {
  279.             return false;
  280.         }
  282.         // CurrentGroup should be the receiver
  283.         $receiver $missionShareDemand->getReceiver();
  284.         if ($receiver === null)
  285.         {
  286.             return false;
  287.         }
  288.         if (!$receiver->equals($this->currentGroup))
  289.         {
  290.             return false;
  291.         }
  293.         // The demand should be either accepted or in the default status (not accepted)
  294.         // Refused / Annulled / Expired => Die hard
  295.         if ($missionShareDemand->isExpired())
  296.         {
  297.             return false;
  298.         }
  299.         if ($missionShareDemand->isRefused())
  300.         {
  301.             return false;
  302.         }
  303.         if ($missionShareDemand->isAnnulled())
  304.         {
  305.             return false;
  306.         }
  307.         // If we are here, it means the status is ok (Default or Accepted),
  308.         // so simply check if the user has the required permissions to list shared demands
  309.         // Get Acl_Permission
  310.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  311.         if ($aclPerm === null)        return false;
  313.         // Get Acl
  314.         $acl $this->aclRepository->findOneBy(array(
  315.             'function'        =>    $function,
  316.             'permission'    =>    $aclPerm
  317.         ));
  318.         if ($acl === null)        return false;
  320.         // Since only one acl type can exist
  321.         // we can return the result of the acl_permission
  322.         return $acl->getValue();
  323.     }
  325.     private function canAcceptOrRefuse(MissionShareDemand $missionShareDemandAccess $userAccessFunction $function)
  326.     {
  327.         // Module activated ?
  328.         // At least one, not necessarly the plus one
  329.         // MODULE_MISSION_PLUS is required only if we want to share missions,
  330.         // not accept / refuse missions shared with us
  331.         if (
  332.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION) &&
  333.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_LIGHT) &&
  334.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_PLUS)
  335.             )
  336.         {
  337.             return false;
  338.         }
  340.         $mission $missionShareDemand->getMission();
  341.         if ($mission === null)
  342.         {
  343.             return false;
  344.         }
  346.         // CurrentGroup should be the receiver
  347.         $receiver $missionShareDemand->getReceiver();
  348.         if ($receiver === null)
  349.         {
  350.             return false;
  351.         }
  352.         if (!$receiver->equals($this->currentGroup))
  353.         {
  354.             return false;
  355.         }
  357.         // The demand should be in the default status
  358.         // Accepted / Refused / Annulled / Expired => Die hard
  359.         if ($missionShareDemand->isExpired())
  360.         {
  361.             return false;
  362.         }
  363.         if ($missionShareDemand->isAccepted())
  364.         {
  365.             return false;
  366.         }
  367.         if ($missionShareDemand->isRefused())
  368.         {
  369.             return false;
  370.         }
  371.         if ($missionShareDemand->isAnnulled())
  372.         {
  373.             return false;
  374.         }
  375.         // If we are here, it means the status is ok (Default),
  376.         // so simply check if the user has the required permissions to list shared demands
  377.         // Get Acl_Permission
  378.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ACCEPT_REFUSE);
  379.         if ($aclPerm === null)        return false;
  381.         // Get Acl
  382.         $acl $this->aclRepository->findOneBy(array(
  383.             'function'        =>    $function,
  384.             'permission'    =>    $aclPerm
  385.         ));
  386.         if ($acl === null)        return false;
  388.         // Since only one acl type can exist
  389.         // we can return the result of the acl_permission
  390.         return $acl->getValue();
  391.     }
  393.     private function canRefuseAccepted(MissionShareDemand $missionShareDemandAccess $userAccessFunction $function)
  394.     {
  395.         // Module activated ?
  396.         // At least one, not necessarly the plus one
  397.         // MODULE_MISSION_PLUS is required only if we want to share missions,
  398.         // not accept / refuse missions shared with us
  399.         if (
  400.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION) &&
  401.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_LIGHT) &&
  402.             $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_PLUS)
  403.             )
  404.         {
  405.             return false;
  406.         }
  408.         $mission $missionShareDemand->getMission();
  409.         if ($mission === null)
  410.         {
  411.             return false;
  412.         }
  414.         // Plan.io Task #3304
  415.         // Deny refusing a mission for which the owner was paid
  416.         if ($mission->ownerWasPaid())
  417.         {
  418.             return false;
  419.         }
  421.         // CurrentGroup should be the receiver
  422.         $receiver $missionShareDemand->getReceiver();
  423.         if ($receiver === null)
  424.         {
  425.             return false;
  426.         }
  427.         if (!$receiver->equals($this->currentGroup))
  428.         {
  429.             return false;
  430.         }
  432.         // If we are here, it means the status is ok (Accepted),
  433.         // so simply check if the user has the required permissions to list shared demands
  434.         // Get Acl_Permission
  435.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ACCEPT_REFUSE);
  436.         if ($aclPerm === null)        return false;
  438.         // Get Acl
  439.         $acl $this->aclRepository->findOneBy(array(
  440.             'function'        =>    $function,
  441.             'permission'    =>    $aclPerm
  442.         ));
  443.         if ($acl === null)        return false;
  445.         // Since only one acl type can exist
  446.         // we can return the result of the acl_permission
  448.         // The demand should be Accepted status
  449.         if ($missionShareDemand->isAccepted())
  450.         {
  451.             return $acl->getValue();
  452.         }
  453.         // We are doing the status check here because we want to avoid the following case :
  454.         // Demand is accepted, but is has also expired
  455.         // If we check Expired before checking Acl,
  456.         // an expired but accepted demand will return false
  457.         // when it should return true
  459.         // Wtf we are doing here ? :D
  460.         return false;
  461.     }
  462. }