src/Security/MissionVoter.php line 128

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/MissionVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Doctrine\Persistence\ManagerRegistry;
  12. use App\Entity\Access;
  13. use App\Entity\APIRest\AccessAPI;
  14. use App\Entity\Client\Client;
  15. use App\Entity\Config\Config;
  16. use App\Entity\Config\Module;
  17. use App\Entity\HR\AccessFunction;
  18. use App\Entity\Mission\Mission;
  19. use App\Entity\Security\Acl;
  20. use App\Entity\Security\AclPermission;
  21. use App\Entity\Webapp\Document;
  22. use App\Services\LogTools;
  23. use App\Services\Config\ModuleTools;
  24. use App\Services\Mission\MissionSecurityTools;
  26. class MissionVoter extends Voter
  27. {
  28.     //--------------------------------------------------------------------------------
  29.     // is_granted constants
  30.     const IS_ACTIVE "mission_is_active";
  31.     const IS_ACTIVE_SHARING "mission_sharing_is_active";
  33.     const ADD "add_mission";
  34.     const ADD_OR_CONVERT "add_mission_or_convert_devis_simulation";
  36.     const LISTING "list_missions";
  37.     const LISTING_SOCIETY "list_missions_society";
  38.     const LISTING_AUTHOR "list_missions_author";
  39.     const LISTING_ANY "list_missions_any";
  41.     const VIEW "view_mission";
  42.     const EDIT "edit_mission";
  43.     const EDIT_SOCIETY "edit_mission_society";
  44.     const EDIT_MANAGER "edit_mission_manager";
  46.     const SHARE "share_mission";
  48.     // Plan.io Task #3304
  49.     const PAY_OWNER "pay_mission_owner";
  51.     // Plan.io Task #4071
  52.     const ADD_CHILD "add_mission_child";
  54.     // Plan.Io Task #4247
  55.     const MERGE "merge_mission";
  56.     const MERGE_TOOL "merge_tool_mission";
  58.     const IS_GRANTED_CONSTANTS = array(
  59.         self::IS_ACTIVE,
  60.         self::IS_ACTIVE_SHARING,
  62.         self::ADD,
  63.         self::ADD_OR_CONVERT,
  65.         self::LISTING,
  66.         self::LISTING_SOCIETY,
  67.         self::LISTING_AUTHOR,
  68.         self::LISTING_ANY,
  70.         self::VIEW,
  71.         self::EDIT,
  72.         self::EDIT_SOCIETY,
  73.         self::EDIT_MANAGER,
  75.         self::SHARE,
  76.         self::PAY_OWNER,
  77.         self::ADD_CHILD,
  79.         self::MERGE,
  80.         self::MERGE_TOOL,
  81.     );
  83.     //--------------------------------------------------------------------------------
  84.     // acl constants
  86.     const ACL_PERM_ADD 'mission_add';
  88.     const ACL_PERM_LIST 'mission_list';
  89.     const ACL_PERM_LIST_SOCIETY 'mission_list_society';
  90.     const ACL_PERM_LIST_AUTHOR 'mission_list_author';
  92.     const ACL_PERM_VIEW 'mission_view';
  93.     const ACL_PERM_VIEW_SOCIETY 'mission_view_society';
  94.     const ACL_PERM_VIEW_AUTHOR 'mission_view_author';
  95.     const ACL_PERM_VIEW_TASK 'mission_view_task';
  97.     const ACL_PERM_EDIT 'mission_edit';
  98.     const ACL_PERM_EDIT_SOCIETY 'mission_edit_society';
  99.     const ACL_PERM_EDIT_AUTHOR 'mission_edit_author';
  100.     const ACL_PERM_EDIT_TASK 'mission_edit_task';
  102.     const ACL_PERM_SOCIETY_EDIT 'mission_society_edit';
  103.     const ACL_PERM_SOCIETY_EDIT_SOCIETY 'mission_society_edit_society';
  104.     const ACL_PERM_SOCIETY_EDIT_AUTHOR 'mission_society_edit_author';
  106.     const ACL_PERM_SHARE 'mission_share';
  107.     const ACL_PERM_SHARE_SOCIETY 'mission_share_society';
  108.     const ACL_PERM_SHARE_AUTHOR 'mission_share_author';
  110.     const ACL_PERM_MANAGER_EDIT 'mission_edit_manager';
  111.     const ACL_PERM_MANAGER_EDIT_SOCIETY 'mission_edit_manager_society';
  112.     const ACL_PERM_MANAGER_EDIT_AUTHOR 'mission_edit_manager_author';
  114.     // Plan.io Task #4247
  115.     const ACL_PERM_MERGE "mission_merge";
  116.     const ACL_PERM_MERGE_SOCIETY "mission_merge_society";
  118.     //--------------------------------------------------------------------------------
  120.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrineModuleTools $moduleToolsLogTools $logToolsMissionSecurityTools $missionSecurityTools)
  121.     {
  122.         $this->accessDecisionManager $accessDecisionManager;
  123.         $this->em $doctrine->getManager();
  124.         $this->moduleTools $moduleTools;
  125.         $this->logTools $logTools;
  126.         $this->missionSecurityTools $missionSecurityTools;
  128.         $this->aclRepository $this->em->getRepository(Acl::class);
  129.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  130.     }
  132.     // Plan.io Task #4453 [See AccessVoter for details]
  133.     public function supportsAttribute(string $attribute): bool
  134.     {
  135.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  136.     }
  138.     protected function supports(string $attribute$subject): bool
  139.     {
  140.         // $this->logTools->ploopLog("[MissionVoter][supports] attribute = $attribute");
  142.         // if the attribute isn't one we support, return false
  143.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  144.         {
  145.             return false;
  146.         }
  148.         // Only vote on Mission and Client objects inside this voter
  149.         if ($subject !== null && !($subject instanceof Mission || $subject instanceof Client))
  150.         {
  151.             return false;
  152.         }
  154.         return true;
  155.     }
  157.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  158.     {
  159.         $user $token->getUser();
  161.         // Plan.io Task #3707
  162.         if ($user instanceof AccessAPI)
  163.         {
  164.             if ($user->getAccess() === null)
  165.             {
  166.                 return false;
  167.             }
  168.             $user $user->getAccess();
  169.         }
  171.         // Plan.io Task #3707
  172.         // At this point $user is an object of Access type
  173.         // even if the $token->getUser() is AccessAPI
  174.         if (!$user instanceof Access)
  175.         {
  176.             // the user must be logged in; if not, deny access
  177.             return false;
  178.         }
  180.         // The user must have a function; if not deny access
  181.         $function $user->getFunction();
  182.         if ($function === null)
  183.         {
  184.             return false;
  185.         }
  187.         // Plan.io Task #3710 : Get current group
  188.         $currentGroup $user->getSocietyGroup();
  189.         if ($currentGroup === null)
  190.             return false;
  192.         $this->currentGroup $currentGroup;
  194.         // Module activated ?
  195.         if (
  196.             $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_MISSION) &&
  197.             $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_MISSION_LIGHT) &&
  198.             $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_MISSION_PLUS)
  199.             )
  200.         {
  201.             return false;
  202.         }
  204.         // This one also needs clients or clients light
  205.         if (
  206.             $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_CLIENT) &&
  207.             $this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_CLIENT_LIGHT)
  208.             )
  209.         {
  210.             return false;
  211.         }
  213.         $client null;
  214.         $mission null;
  216.         if ($subject instanceof Mission)
  217.         {
  218.             // you know $subject is a Mission object, thanks to supports
  219.             /** @var Mission $mission */
  220.             $mission $subject;
  222.             // Check current group affectation
  223.             // This also includes mission sharing
  224.             //        mission.society.group = currentGroup
  225.             //        OR
  226.             //        mission.getSocietyGroupOwner = currentGroup
  227.             if ($mission !== null)
  228.             {
  229.                 $missionSociety $mission->getSociety();
  231.                 if ($missionSociety === null)
  232.                 {
  233.                     return false;
  234.                 }
  236.                 $missionSocietyGroup $missionSociety->getGroup();
  237.                 if ($missionSocietyGroup === null)
  238.                 {
  239.                     return false;
  240.                 }
  242.                 $missionSocietyGroupOwner $mission->getSocietyGroupOwner();
  243.                 if ($missionSocietyGroupOwner === null)
  244.                 {
  245.                     return false;
  246.                 }
  248.                 // Checking ...
  249.                 if (!$currentGroup->equals($missionSocietyGroup) && !$currentGroup->equals($missionSocietyGroupOwner))
  250.                 {
  251.                     return false;
  252.                 }
  254.                 // Special case of archived missions
  255.                 // This should only be visible by owner, since the owner is the one who archived them
  256.                 if ($mission->isArchivedRefused())
  257.                 {
  258.                     if (!$currentGroup->equals($missionSocietyGroupOwner))
  259.                     {
  260.                         return false;
  261.                     }
  262.                 }
  263.             }
  264.         }
  265.         else
  266.         {
  267.             if ($subject instanceof Client)
  268.             {
  269.                 /** @var Client $client */
  270.                 $client $subject;
  271.             }
  272.         }
  274.         switch ($attribute)
  275.         {
  276.             case self::IS_ACTIVE:
  277.             {
  278.                 return true;
  279.             }
  281.             case self::IS_ACTIVE_SHARING:
  282.             {
  283.                 if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_MISSION_PLUS))
  284.                 {
  285.                     return false;
  286.                 }
  287.                 return true;
  288.             }
  290.             // We can create a mission without a client
  291.             // (the client can be created at the same time as the mission)
  292.             // So the client parameter is optional
  293.             case self::ADD:
  294.                 return $this->canAdd($user$function$client);
  295.             case self::ADD_OR_CONVERT:
  296.                 return $this->canAddOrConvert($user$function$token$client);
  298.             case self::ADD_CHILD:
  299.             {
  300.                 if ($mission === null) return false;
  301.                 return $this->canAddChild($mission$user$function);
  302.             }
  304.             case self::VIEW:
  305.                 return $this->canView($mission$user$function);
  307.             case self::EDIT:
  308.                 return $this->canEdit($mission$user$function);
  310.             case self::EDIT_SOCIETY:
  311.                 return $this->canEditSociety($mission$user$function);
  313.             case self::EDIT_MANAGER:
  314.                 return $this->canEditManager($mission$user$function);
  316.             case self::SHARE:
  317.                 return $this->canShare($mission$user$function);
  319.             case self::PAY_OWNER:
  320.                 return $this->canPayMissionOwner($mission);
  322.             case self::LISTING:
  323.                 return $this->canList($user$function);
  324.             case self::LISTING_SOCIETY:
  325.                 return $this->canListSociety($user$function);
  326.             case self::LISTING_AUTHOR:
  327.                 return $this->canListAuthor($user$function);
  328.             case self::LISTING_ANY:
  329.                 return $this->canListAny($user$function);
  331.             case self::MERGE:
  332.                 return $this->canMerge($mission$user$function);
  334.             case self::MERGE_TOOL:
  335.                 return $this->canUseMergeTool($user$function);
  336.         }
  338.         throw new \LogicException('This code should not be reached!');
  339.     }
  341.     // $access is the user trying to load the resource
  342.     // $mission is the resource being loaded
  344.     // Check if the Author of the Mission is the Access
  345.     private function checkAuthor(Mission $missionAccess $access)
  346.     {
  347.         // Get the Society of the Mission
  348.         $missionAuthor $mission->getAuthor();
  350.         if ($missionAuthor === null)
  351.             return false;
  353.         if ($access->getId() == $missionAuthor->getId())
  354.             return true;
  356.         return false;
  357.     }
  359.     // Check if the $access is connected to any task of the mission
  360.     private function checkTask(Mission $missionAccess $access)
  361.     {
  362.         if (empty($mission->getTasks()))
  363.             return false;
  365.         foreach ($mission->getTasks() as $task)
  366.         {
  367.             foreach ($task->getPlanningResources() as $resource)
  368.             {
  369.                 if ($resource->getAccess() !== null)
  370.                 {
  371.                     if ($access->equals($resource->getAccess()))
  372.                     {
  373.                         return true;
  374.                     }
  375.                 }
  376.             }
  377.         }
  379.         return false;
  380.     }
  382.     // Check if the Society of the Mission
  383.     // belongs to the societies of the $access
  384.     private function checkSociety(Mission $missionAccess $access)
  385.     {
  386.         // Get all the societies of the access
  387.         $societies $access->getSocieties();
  389.         // Get the Society of the Mission
  390.         // If the mission was created by the currentGroup, get the mission.society
  391.         // If the mission was shared with the currentGroup, get the mission.societyOwner
  392.         $missionSociety $mission->getSociety();
  394.         if ($missionSociety === null)
  395.             return false;
  397.         $found false;
  398.         foreach ($societies as $society)
  399.         {
  400.             if ($society->getId() == $missionSociety->getId())
  401.             {
  402.                 $found true;
  403.                 break;
  404.             }
  405.         }
  406.         return $found;
  407.     }
  409.     // Check if the Society of the Mission
  410.     // belongs to the societies of the $access
  411.     private function checkSocietyOwner(Mission $missionAccess $access)
  412.     {
  413.         // Get all the societies of the access
  414.         $societies $access->getSocieties();
  416.         // Get the Society of the Mission
  417.         // If the mission was created by the currentGroup, get the mission.society
  418.         // If the mission was shared with the currentGroup, get the mission.societyOwner
  419.         $missionSociety $mission->getSocietyOwner();
  421.         if ($missionSociety === null)
  422.             return false;
  424.         $found false;
  425.         foreach ($societies as $society)
  426.         {
  427.             if ($society->getId() == $missionSociety->getId())
  428.             {
  429.                 $found true;
  430.                 break;
  431.             }
  432.         }
  433.         return $found;
  434.     }
  436.     private function canAdd(Access $userAccessFunction $function$client null)
  437.     {
  438.         // We can create a mission without a client
  439.         // (the client can be created at the same time as the mission)
  440.         // So the client parameter is optional
  441.         if ($client !== null)
  442.         {
  443.             // Individuals only for now
  444.             $individual $client->getIndividual();
  445.             if ($individual !== null)
  446.             {
  447.                 // Only allow creating missions for the individuals who belong tp the current group
  448.                 if (!$individual->getSocietyGroup()->equals($this->currentGroup))
  449.                 {
  450.                     return false;
  451.                 }
  452.             }
  453.             else
  454.             {
  455.                 // Plan.io Task #3582 : No Stores as Receivers for now
  456.                 return false;
  457.             }
  458.         }
  460.         // Module activated ?
  461.         // MISSION_LIGHT cannot add Missions
  462.         if ($this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION) && $this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_PLUS))
  463.         {
  464.             return false;
  465.         }
  467.         // Get Acl_Permission
  468.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  469.         if ($aclPerm === null)        return false;
  471.         // Get Acl
  472.         $acl $this->aclRepository->findOneBy(array(
  473.             'function'        =>    $function,
  474.             'permission'    =>    $aclPerm
  475.         ));
  476.         if ($acl === null)        return false;
  478.         // Since only one acl type can exist
  479.         // we can return the result of the acl_permission
  480.         return $acl->getValue();
  481.     }
  483.     private function canAddOrConvert(Access $userAccessFunction $function$token$client null)
  484.     {
  485.         if ($this->canAdd($user$function$client))
  486.         {
  487.             return true;
  488.         }
  490.         if ($this->accessDecisionManager->decide($token, ['convert_devis_simulation']))
  491.         {
  492.             return true;
  493.         }
  495.         return false;
  496.     }
  498.     private function canAddChild(Mission $parentAccess $userAccessFunction $function)
  499.     {
  500.         // Check object restrictions because they are simpler
  501.         $reason $parent->whyCannotAddChildren();
  502.         if ($reason 0)
  503.         {
  504.             // $this->logTools->errorLog("[MissionVoter][canAddChild] The reason we cannot add a child for ".$parent->displayForLog()." is ".$reason);
  505.         }
  507.         if (!$parent->canAddChild())
  508.         {
  509.             return false;
  510.         }
  512.         // Decide based on Add permissions
  513.         return $this->canAdd($user$function$parent->getReceiver());
  514.     }
  516.     private function canView(Mission $missionAccess $userAccessFunction $function)
  517.     {
  518.         // Get Acl_Permissions
  519.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  520.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  521.         $aclPermAuthor $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_AUTHOR);
  522.         $aclPermTask $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_TASK);
  524.         // If all are null, exit
  525.         if ($aclPerm === null && $aclPermSociety === null && $aclPermAuthor === null && $aclPermTask === null)
  526.             return false;
  528.         // Get First one
  529.         if ($aclPerm !== null)
  530.         {
  531.             $acl $this->aclRepository->findOneBy(array(
  532.                 'function'        =>    $function,
  533.                 'permission'    =>    $aclPerm
  534.             ));
  535.             if ($acl !== null)
  536.             {
  537.                 if ($acl->getValue())
  538.                 {
  539.                     // A single positive answer is enough
  540.                     return true;
  541.                 }
  542.             }
  543.         }
  545.         // If we are here it means that nothing good has been found
  546.         // Load second permission
  547.         if ($aclPermSociety !== null)
  548.         {
  549.             $acl $this->aclRepository->findOneBy(array(
  550.                 'function'        =>    $function,
  551.                 'permission'    =>    $aclPermSociety
  552.             ));
  553.             if ($acl !== null)
  554.             {
  555.                 if ($acl->getValue())
  556.                 {
  557.                     // Check Society : also check author
  558.                     // Les missions appartenant Ã  ses sociétés (et celles dont il est l'auteur)
  559.                     if ($this->checkAuthor($mission$user))
  560.                     {
  561.                         return true;
  562.                     }
  564.                     // When a mission is shared, the author can still view it
  565.                     if ($this->checkSociety($mission$user) || $this->checkSocietyOwner($mission$user))
  566.                     {
  567.                         return true;
  568.                     }
  569.                 }
  570.             }
  571.         }
  572.         // If we are here it means that nothing good has been found
  573.         // Load third permission
  574.         if ($aclPermAuthor !== null)
  575.         {
  576.             $acl $this->aclRepository->findOneBy(array(
  577.                 'function'        =>    $function,
  578.                 'permission'    =>    $aclPermAuthor
  579.             ));
  580.             if ($acl !== null)
  581.             {
  582.                 if ($acl->getValue())
  583.                 {
  584.                     // A single positive answer is enough
  585.                     // In this case the good answer will be provided by the checkSociety
  586.                     return $this->checkAuthor($mission$user);
  587.                 }
  588.             }
  589.         }
  591.         // If we are here it means that nothing good has been found
  592.         // Load fourth permission
  593.         if ($aclPermTask !== null)
  594.         {
  595.             $acl $this->aclRepository->findOneBy(array(
  596.                 'function'        =>    $function,
  597.                 'permission'    =>    $aclPermTask,
  598.             ));
  599.             if ($acl !== null)
  600.             {
  601.                 if ($acl->getValue())
  602.                 {
  603.                     // A single positive answer is enough
  604.                     // In this case the good answer will be provided by the checkSociety
  605.                     return $this->checkTask($mission$user);
  606.                 }
  607.             }
  608.         }
  610.         // If we are here, all hope is lost
  611.         return false;
  612.     }
  614.     private function canEdit(Mission $missionAccess $userAccessFunction $function)
  615.     {
  616.         // Plan.io Task #4071 : Deny on children
  617.         // Not anymore ;)
  618.         // if ($mission->isChild())
  619.         // {
  620.         //     return false;
  621.         // }
  623.         // Deny edit on archivedRefused objects
  624.         if ($mission->isArchivedRefused())
  625.         {
  626.             return false;
  627.         }
  629.         // Get Acl_Permissions
  630.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  631.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  632.         $aclPermAuthor $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_AUTHOR);
  633.         $aclPermTask $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_TASK);
  635.         // If all are null, exit
  636.         if ($aclPerm === null && $aclPermSociety === null && $aclPermAuthor === null && $aclPermTask === null)
  637.             return false;
  639.         // Get First one
  640.         if ($aclPerm !== null)
  641.         {
  642.             $acl $this->aclRepository->findOneBy(array(
  643.                 'function'        =>    $function,
  644.                 'permission'    =>    $aclPerm
  645.             ));
  646.             if ($acl !== null)
  647.             {
  648.                 if ($acl->getValue())
  649.                 {
  650.                     // Both author and owner can edit
  651.                     return true;
  653.                     // // When a mission is shared, the author cannot edit it
  654.                     // if (!$mission->isShared())
  655.                     // {
  656.                     //     // Not shared
  657.                     //     return true;
  658.                     // }
  659.                     // else
  660.                     // {
  661.                     //     // Shared
  662.                     //     // The author cannot edit / The owner can edit
  663.                     //     if ($mission->isSharedWithSocietyGroup($this->currentGroup))
  664.                     //     {
  665.                     //         return true;
  666.                     //     }
  667.                     // }
  668.                 }
  669.             }
  670.         }
  672.         // If we are here it means that nothing good has been found
  673.         // Load second permission
  674.         if ($aclPermSociety !== null)
  675.         {
  676.             $acl $this->aclRepository->findOneBy(array(
  677.                 'function'        =>    $function,
  678.                 'permission'    =>    $aclPermSociety
  679.             ));
  680.             if ($acl !== null)
  681.             {
  682.                 if ($acl->getValue())
  683.                 {
  684.                     // Check Society : also check author
  685.                     // Les missions appartenant Ã  ses sociétés (et celles dont il est l'auteur)
  686.                     if ($this->checkAuthor($mission$user))
  687.                     {
  688.                         return true;
  689.                     }
  691.                     // Both author and owner can edit
  692.                     // However, if the mission is shared,
  693.                     // we are filtering using societyOwner instead of society
  694.                     // Only one of the two conditions below can be true at a time
  695.                     if ($this->checkSociety($mission$user) || $this->checkSocietyOwner($mission$user))
  696.                     {
  697.                         return true;
  698.                     }
  700.                     // // When a mission is shared, the author cannot edit it
  701.                     // if (!$mission->isShared())
  702.                     // {
  703.                     //     // Not shared : check society
  704.                     //     if ($this->checkSociety($mission, $user))
  705.                     //     {
  706.                     //         return true;
  707.                     //     }
  708.                     // }
  709.                     // else
  710.                     // {
  711.                     //     // Shared
  712.                     //     // The author cannot edit / The owner can edit
  713.                     //     if ($mission->isSharedWithSocietyGroup($this->currentGroup))
  714.                     //     {
  715.                     //         if ($this->checkSocietyOwner($mission, $user))
  716.                     //         {
  717.                     //             return true;
  718.                     //         }
  719.                     //     }
  720.                     // }
  721.                 }
  722.             }
  723.         }
  724.         // If we are here it means that nothing good has been found
  725.         // Load third permission
  726.         if ($aclPermAuthor !== null)
  727.         {
  728.             $acl $this->aclRepository->findOneBy(array(
  729.                 'function'        =>    $function,
  730.                 'permission'    =>    $aclPermAuthor
  731.             ));
  732.             if ($acl !== null)
  733.             {
  734.                 if ($acl->getValue())
  735.                 {
  736.                     // A single positive answer is enough
  737.                     // In this case the good answer will be provided by the checkSociety
  738.                     return $this->checkAuthor($mission$user);
  739.                 }
  740.             }
  741.         }
  743.         // If we are here it means that nothing good has been found
  744.         // Load fourth permission
  745.         if ($aclPermTask !== null)
  746.         {
  747.             $acl $this->aclRepository->findOneBy(array(
  748.                 'function'        =>    $function,
  749.                 'permission'    =>    $aclPermTask,
  750.             ));
  751.             if ($acl !== null)
  752.             {
  753.                 if ($acl->getValue())
  754.                 {
  755.                     // A single positive answer is enough
  756.                     // In this case the good answer will be provided by the checkSociety
  757.                     return $this->checkTask($mission$user);
  758.                 }
  759.             }
  760.         }
  762.         // If we are here, all hope is lost
  763.         return false;
  764.     }
  766.     private function canEditSociety(Mission $missionAccess $userAccessFunction $function)
  767.     {
  768.         // Deny edit on archivedRefused objects
  769.         if ($mission->isArchivedRefused())
  770.         {
  771.             return false;
  772.         }
  774.         // Get Acl_Permissions
  775.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT);
  776.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT_SOCIETY);
  777.         $aclPermAuthor $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT_AUTHOR);
  779.         // If all are null, exit
  780.         if ($aclPerm === null && $aclPermSociety === null && $aclPermAuthor === null)
  781.             return false;
  783.         // Get First one
  784.         if ($aclPerm !== null)
  785.         {
  786.             $acl $this->aclRepository->findOneBy(array(
  787.                 'function'        =>    $function,
  788.                 'permission'    =>    $aclPerm
  789.             ));
  790.             if ($acl !== null)
  791.             {
  792.                 if ($acl->getValue())
  793.                 {
  794.                     // Both author and owner can edit
  795.                     return true;
  796.                 }
  797.             }
  798.         }
  800.         // If we are here it means that nothing good has been found
  801.         // Load second permission
  802.         if ($aclPermSociety !== null)
  803.         {
  804.             $acl $this->aclRepository->findOneBy(array(
  805.                 'function'        =>    $function,
  806.                 'permission'    =>    $aclPermSociety
  807.             ));
  808.             if ($acl !== null)
  809.             {
  810.                 if ($acl->getValue())
  811.                 {
  812.                     // Check Society : also check author
  813.                     // Les missions appartenant Ã  ses sociétés (et celles dont il est l'auteur)
  814.                     if ($this->checkAuthor($mission$user))
  815.                     {
  816.                         return true;
  817.                     }
  819.                     // Both author and owner can edit
  820.                     // However, if the mission is shared,
  821.                     // we are filtering using societyOwner instead of society
  822.                     // Only one of the two conditions below can be true at a time
  823.                     if ($this->checkSociety($mission$user) || $this->checkSocietyOwner($mission$user))
  824.                     {
  825.                         return true;
  826.                     }
  827.                 }
  828.             }
  829.         }
  830.         // If we are here it means that nothing good has been found
  831.         // Load third permission
  832.         if ($aclPermAuthor !== null)
  833.         {
  834.             $acl $this->aclRepository->findOneBy(array(
  835.                 'function'        =>    $function,
  836.                 'permission'    =>    $aclPermAuthor
  837.             ));
  838.             if ($acl !== null)
  839.             {
  840.                 if ($acl->getValue())
  841.                 {
  842.                     // A single positive answer is enough
  843.                     // In this case the good answer will be provided by the checkSociety
  844.                     return $this->checkAuthor($mission$user);
  845.                 }
  846.             }
  847.         }
  849.         // If we are here, all hope is lost
  850.         return false;
  851.     }
  853.     private function canEditManager($missionAccess $userAccessFunction $function)
  854.     {
  856.         // Deny edit on archivedRefused objects
  857.         if ($mission !== null && $mission->isArchivedRefused())
  858.         {
  859.             return false;
  860.         }
  862.         // Get Acl_Permissions
  863.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_MANAGER_EDIT);
  864.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_MANAGER_EDIT_SOCIETY);
  865.         $aclPermAuthor $this->aclPermissionRepository->findOneByName(self::ACL_PERM_MANAGER_EDIT_AUTHOR);
  867.         // If all are null, exit
  868.         if ($aclPerm === null && $aclPermSociety === null && $aclPermAuthor === null)
  869.             return false;
  871.         // Get First one
  872.         if ($aclPerm !== null)
  873.         {
  874.             $acl $this->aclRepository->findOneBy(array(
  875.                 'function'        =>    $function,
  876.                 'permission'    =>    $aclPerm
  877.             ));
  878.             if ($acl !== null)
  879.             {
  880.                 if ($acl->getValue())
  881.                 {
  882.                     // Both author and owner can edit
  883.                     return true;
  884.                 }
  885.             }
  886.         }
  888.         // If we are here it means that nothing good has been found
  889.         // Load second permission
  890.         if ($aclPermSociety !== null)
  891.         {
  892.             $acl $this->aclRepository->findOneBy(array(
  893.                 'function'        =>    $function,
  894.                 'permission'    =>    $aclPermSociety
  895.             ));
  896.             if ($acl !== null)
  897.             {
  898.                 if ($acl->getValue())
  899.                 {
  900.                     if ($mission !== null)
  901.                     {
  902.                         // Check Society : also check author
  903.                         // Les missions appartenant Ã  ses sociétés (et celles dont il est l'auteur)
  904.                         if ($this->checkAuthor($mission$user))
  905.                         {
  906.                             return true;
  907.                         }
  909.                         // Both author and owner can edit
  910.                         // However, if the mission is shared,
  911.                         // we are filtering using societyOwner instead of society
  912.                         // Only one of the two conditions below can be true at a time
  913.                         if ($this->checkSociety($mission$user) || $this->checkSocietyOwner($mission$user))
  914.                         {
  915.                             return true;
  916.                         }
  917.                     }
  918.                     else
  919.                     {
  920.                         return $acl->getValue();
  921.                     }
  923.                 }
  924.             }
  925.         }
  927.         // If we are here it means that nothing good has been found
  928.         // Load third permission
  929.         if ($aclPermAuthor !== null)
  930.         {
  931.             $acl $this->aclRepository->findOneBy(array(
  932.                 'function'        =>    $function,
  933.                 'permission'    =>    $aclPermAuthor
  934.             ));
  935.             if ($acl !== null)
  936.             {
  937.                 if ($acl->getValue())
  938.                 {
  939.                     if ($mission !== null)
  940.                     {
  941.                         // A single positive answer is enough
  942.                         // In this case the good answer will be provided by the checkSociety
  943.                         return $this->checkAuthor($mission$user);
  944.                     }
  945.                     else
  946.                     {
  947.                         return $acl->getValue();
  948.                     }
  949.                 }
  951.             }
  952.         }
  954.         // If we are here, all hope is lost
  955.         return false;
  956.     }
  958.     private function canShare(Mission $missionAccess $userAccessFunction $function)
  959.     {
  960.         // Module activated ?
  961.         if ($this->moduleTools->isInactiveByCode($this->currentGroupModule::MODULE_MISSION_PLUS))
  962.         {
  963.             return false;
  964.         }
  966.         // Plan.io Task #4031 #4024 #4071
  967.         if ($this->missionSecurityTools->cannotBeShared($mission))
  968.         {
  969.             return false;
  970.         }
  972.         // Get Acl_Permissions
  973.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SHARE);
  974.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SHARE_SOCIETY);
  975.         $aclPermAuthor $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SHARE_AUTHOR);
  977.         // If all are null, exit
  978.         if ($aclPerm === null && $aclPermSociety === null && $aclPermAuthor === null)
  979.             return false;
  981.         // Get First one
  982.         if ($aclPerm !== null)
  983.         {
  984.             $acl $this->aclRepository->findOneBy(array(
  985.                 'function'        =>    $function,
  986.                 'permission'    =>    $aclPerm
  987.             ));
  988.             if ($acl !== null)
  989.             {
  990.                 if ($acl->getValue())
  991.                 {
  992.                     // A single positive answer is enough
  993.                     return true;
  994.                 }
  995.             }
  996.         }
  998.         // If we are here it means that nothing good has been found
  999.         // Load second permission
  1000.         if ($aclPermSociety !== null)
  1001.         {
  1002.             $acl $this->aclRepository->findOneBy(array(
  1003.                 'function'        =>    $function,
  1004.                 'permission'    =>    $aclPermSociety
  1005.             ));
  1006.             if ($acl !== null)
  1007.             {
  1008.                 if ($acl->getValue())
  1009.                 {
  1010.                     // Check Society : also check author
  1011.                     // Les missions appartenant Ã  ses sociétés (et celles dont il est l'auteur)
  1012.                     if ($this->checkSociety($mission$user))
  1013.                     {
  1014.                         return true;
  1015.                     }
  1016.                     else
  1017.                     {
  1018.                         $this->checkAuthor($mission$user);
  1019.                     }
  1020.                 }
  1021.             }
  1022.         }
  1023.         // If we are here it means that nothing good has been found
  1024.         // Load third permission
  1025.         if ($aclPermAuthor !== null)
  1026.         {
  1027.             $acl $this->aclRepository->findOneBy(array(
  1028.                 'function'        =>    $function,
  1029.                 'permission'    =>    $aclPermAuthor
  1030.             ));
  1031.             if ($acl !== null)
  1032.             {
  1033.                 if ($acl->getValue())
  1034.                 {
  1035.                     // A single positive answer is enough
  1036.                     // In this case the good answer will be provided by the checkSociety
  1037.                     return $this->checkAuthor($mission$user);
  1038.                 }
  1039.             }
  1040.         }
  1042.         // If we are here, all hope is lost
  1043.         return false;
  1044.     }
  1046.     private function canPayMissionOwner(Mission $mission)
  1047.     {
  1048.         // Plan.io Task #3304
  1050.         // Not paid, obviously :)
  1051.         if ($mission->ownerWasPaid())
  1052.         {
  1053.             return false;
  1054.         }
  1056.         // Restricted to JCAF society group
  1057.         if ($this->currentGroup->isNotJcaf())
  1058.         {
  1059.             return false;
  1060.         }
  1062.         // Restricted to JCAF missions
  1063.         if ($mission->authorIsNotJcaf())
  1064.         {
  1065.             return false;
  1066.         }
  1067.         if ($mission->isNotJcaf())
  1068.         {
  1069.             return false;
  1070.         }
  1072.         // Mission should be shared
  1073.         if ($mission->isNotShared())
  1074.         {
  1075.             return false;
  1076.         }
  1078.         // The mission should have a finished RFI not requiring another intervention
  1079.         $docs $this->em->getRepository(Document::class)
  1080.             ->findByMission($mission);
  1081.         if (count($docs) < 1)
  1082.         {
  1083.             return false;
  1084.         }
  1086.         $found false;
  1087.         foreach ($docs as $doc)
  1088.         {
  1089.             if ($doc->getRfi() !== null)
  1090.             {
  1091.                 if ($doc->getRfi()->doesNotRequireReintervention())
  1092.                 {
  1093.                     $found true;
  1094.                     break;
  1095.                 }
  1096.             }
  1097.         }
  1099.         if (!$found)
  1100.         {
  1101.             return false;
  1102.         }
  1104.         // All looks good
  1105.         return true;
  1106.     }
  1108.     private function canList(Access $userAccessFunction $function)
  1109.     {
  1110.         // If canView, then canList ;)
  1111.         // Get Acl_Permission
  1112.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  1113.         if ($aclPerm === null)        return false;
  1115.         // Get Acl
  1116.         $acl $this->aclRepository->findOneBy(array(
  1117.             'function'        =>    $function,
  1118.             'permission'    =>    $aclPerm
  1119.         ));
  1120.         if ($acl === null)        return false;
  1122.         // Since only one acl type can exist
  1123.         // we can return the result of the acl_permission
  1124.         return $acl->getValue();
  1125.     }
  1127.     private function canListSociety(Access $userAccessFunction $function)
  1128.     {
  1129.         // If canView, then canList ;)
  1130.         // Get Acl_Permission
  1131.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  1132.         if ($aclPerm === null)        return false;
  1134.         // Get Acl
  1135.         $acl $this->aclRepository->findOneBy(array(
  1136.             'function'        =>    $function,
  1137.             'permission'    =>    $aclPerm
  1138.         ));
  1139.         if ($acl === null)        return false;
  1141.         // Since only one acl type can exist
  1142.         // we can return the result of the acl_permission
  1143.         return $acl->getValue();
  1144.     }
  1146.     private function canListAuthor(Access $userAccessFunction $function)
  1147.     {
  1148.         // If canView, then canList ;)
  1149.         // Get Acl_Permission
  1150.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_AUTHOR);
  1151.         if ($aclPerm === null)        return false;
  1153.         // Get Acl
  1154.         $acl $this->aclRepository->findOneBy(array(
  1155.             'function'        =>    $function,
  1156.             'permission'    =>    $aclPerm
  1157.         ));
  1158.         if ($acl === null)        return false;
  1160.         // Since only one acl type can exist
  1161.         // we can return the result of the acl_permission
  1162.         return $acl->getValue();
  1163.     }
  1165.     private function canListAny(Access $userAccessFunction $function)
  1166.     {
  1167.         // Three Acl_Permission may exist
  1168.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  1169.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  1170.         $aclPermAuthor $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_AUTHOR);
  1172.         // If all are null, exit
  1173.         if ($aclPerm === null && $aclPermSociety === null && $aclPermAuthor === null)
  1174.             return false;
  1176.         // Get First one
  1177.         if ($aclPerm !== null)
  1178.         {
  1179.             $acl $this->aclRepository->findOneBy(array(
  1180.                 'function'        =>    $function,
  1181.                 'permission'    =>    $aclPerm
  1182.             ));
  1183.             if ($acl !== null)
  1184.             {
  1185.                 if ($acl->getValue())
  1186.                 {
  1187.                     // A single positive answer is enough
  1188.                     return true;
  1189.                 }
  1190.             }
  1191.         }
  1193.         // If we are here it means that nothing good has been found
  1194.         // Load second permission
  1195.         if ($aclPermSociety !== null)
  1196.         {
  1197.             $acl $this->aclRepository->findOneBy(array(
  1198.                 'function'        =>    $function,
  1199.                 'permission'    =>    $aclPermSociety
  1200.             ));
  1201.             if ($acl !== null)
  1202.             {
  1203.                 if ($acl->getValue())
  1204.                 {
  1205.                     // A single positive answer is enough
  1206.                     return true;
  1207.                 }
  1208.             }
  1209.         }
  1211.         // If we are here it means that nothing good has been found
  1212.         // Load third permission
  1213.         if ($aclPermAuthor !== null)
  1214.         {
  1215.             $acl $this->aclRepository->findOneBy(array(
  1216.                 'function'        =>    $function,
  1217.                 'permission'    =>    $aclPermAuthor
  1218.             ));
  1219.             if ($acl !== null)
  1220.             {
  1221.                 if ($acl->getValue())
  1222.                 {
  1223.                     // A single positive answer is enough
  1224.                     return true;
  1225.                 }
  1226.             }
  1227.         }
  1229.         // If we are here, all hope is lost
  1230.         return false;
  1231.     }
  1233.     // Plan.io Task #4247
  1234.     private function canMerge(Mission $missionAccess $userAccessFunction $accessFunction)
  1235.     {
  1236.         // Two Acl_Permission may exist
  1237.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_MERGE);
  1238.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_MERGE_SOCIETY);
  1240.         // If all are null, exit
  1241.         if ($aclPerm === null && $aclPermSociety === null)
  1242.             return false;
  1244.         // Get First one
  1245.         if ($aclPerm !== null)
  1246.         {
  1247.             $acl $this->aclRepository->findOneBy(array(
  1248.                 'function'        =>    $accessFunction,
  1249.                 'permission'    =>    $aclPerm
  1250.             ));
  1251.             if ($acl !== null)
  1252.             {
  1253.                 if ($acl->getValue())
  1254.                 {
  1255.                     // A single positive answer is enough
  1256.                     return true;
  1257.                 }
  1258.             }
  1259.         }
  1261.         // If we are here it means that nothing good has been found
  1262.         // Load second permission
  1263.         if ($aclPermSociety !== null)
  1264.         {
  1265.             $acl $this->aclRepository->findOneBy(array(
  1266.                 'function'        =>    $accessFunction,
  1267.                 'permission'    =>    $aclPermSociety
  1268.             ));
  1269.             if ($acl !== null)
  1270.             {
  1271.                 if ($acl->getValue())
  1272.                 {
  1273.                     // A single positive answer is enough
  1274.                     // In this case the good answer will be provided by the checkSociety
  1275.                     return $this->checkSociety($mission$user);
  1276.                 }
  1277.             }
  1278.         }
  1280.         // If we are here, all hope is lost
  1281.         return false;
  1282.     }
  1284.     // Plan.io Task #4247
  1285.     // We need to know if the user can access the merge tool
  1286.     // Specific merge permissions will be checked later
  1287.     private function canUseMergeTool(Access $userAccessFunction $accessFunction)
  1288.     {
  1289.         // Two Acl_Permission may exist
  1290.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_MERGE);
  1291.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_MERGE_SOCIETY);
  1293.         // If all are null, exit
  1294.         if ($aclPerm === null && $aclPermSociety === null)
  1295.             return false;
  1297.         // Get First one
  1298.         if ($aclPerm !== null)
  1299.         {
  1300.             $acl $this->aclRepository->findOneBy(array(
  1301.                 'function'        =>    $accessFunction,
  1302.                 'permission'    =>    $aclPerm
  1303.             ));
  1304.             if ($acl !== null)
  1305.             {
  1306.                 if ($acl->getValue())
  1307.                 {
  1308.                     // A single positive answer is enough
  1309.                     return true;
  1310.                 }
  1311.             }
  1312.         }
  1314.         // If we are here it means that nothing good has been found
  1315.         // Load second permission
  1316.         if ($aclPermSociety !== null)
  1317.         {
  1318.             $acl $this->aclRepository->findOneBy(array(
  1319.                 'function'        =>    $accessFunction,
  1320.                 'permission'    =>    $aclPermSociety
  1321.             ));
  1322.             if ($acl !== null)
  1323.             {
  1324.                 if ($acl->getValue())
  1325.                 {
  1326.                     // A single positive answer is enough
  1327.                     return true;
  1328.                 }
  1329.             }
  1330.         }
  1332.         // If we are here, all hope is lost
  1333.         return false;
  1334.     }
  1335. }