src/Security/NoteVoter.php line 61

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/NoteVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  10. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  12. use App\Entity\Access;
  13. use App\Entity\Client\Client;
  14. use App\Entity\Config\Config;
  15. use App\Entity\Config\Module;
  16. use App\Entity\HR\AccessFunction;
  17. use App\Entity\Mission\Mission;
  18. use App\Entity\Platform\Note;
  19. use App\Entity\Security\Acl;
  20. use App\Entity\Security\AclPermission;
  21. use App\Services\AccessClient\AccessClientTools;
  22. use App\Services\Config\ModuleTools;
  24. class NoteVoter extends Voter
  25. {
  26.     const ADD "add_note";
  27.     const ADD_CLIENT_VISIBLE "add_note_client_visible";
  28.     const EDIT "edit_note";
  29.     const HIDE "hide_note";
  30.     const DELETE "delete_note";
  32.     const IS_GRANTED_CONSTANTS = array(
  33.         self::ADD,
  34.         self::ADD_CLIENT_VISIBLE,
  35.         self::EDIT,
  36.         self::HIDE,
  37.         self::DELETE,
  38.     );
  40.     //--------------------------------------------------------------------------------
  41.     // acl constants
  43.     const ACL_PERM_ADD "note_add";
  44.     const ACL_PERM_ADD_SOCIETY "note_add_society";
  45.     const ACL_PERM_ADD_MANAGER "note_add_manager";
  47.     const ACL_PERM_EDIT "note_edit";
  48.     const ACL_PERM_EDIT_SOCIETY "note_edit_society";
  49.     const ACL_PERM_EDIT_MANAGER "note_edit_manager";
  51.     const ACL_PERM_HIDE "note_hide";
  52.     const ACL_PERM_HIDE_SOCIETY "note_hide_society";
  53.     const ACL_PERM_HIDE_MANAGER "note_hide_manager";
  55.     const ACL_PERM_DELETE "note_delete";
  56.     const ACL_PERM_DELETE_SOCIETY "note_delete_society";
  57.     const ACL_PERM_DELETE_MANAGER "note_delete_manager";
  59.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrineAccessClientTools $accessClientToolsModuleTools $moduleTools)
  60.     {
  61.         $this->accessDecisionManager $accessDecisionManager;
  62.         $this->em $doctrine->getManager();
  63.         $this->accessClientTools $accessClientTools;
  64.         $this->moduleTools $moduleTools;
  66.         $this->aclRepository $this->em->getRepository(Acl::class);
  67.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  68.     }
  70.     // Plan.io Task #4453 [See AccessVoter for details]
  71.     public function supportsAttribute(string $attribute): bool
  72.     {
  73.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  74.     }
  75.     
  76.     protected function supports(string $attribute$subject): bool
  77.     {
  78.         // if the attribute isn't one we support, return false
  79.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  80.         {
  81.             return false;
  82.         }
  84.         // Only vote on Note objects or Client objects inside this voter
  85.         if ($subject !== null && !($subject instanceof Note || $subject instanceof Client || $subject instanceof Mission))
  86.         {
  87.             return false;
  88.         }
  90.         return true;
  91.     }
  93.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  94.     {
  95.         $user $token->getUser();
  97.         if (!$user instanceof Access)
  98.         {
  99.             // the user must be logged in; if not, deny access
  100.             return false;
  101.         }
  103.         // The user must have a function; if not deny access
  104.         $function $user->getFunction();
  105.         if ($function === null)        return false;
  107.         // Plan.io Task #3710 : Get current group
  108.         $currentGroup $user->getSocietyGroup();
  109.         if ($currentGroup === null)
  110.             return false;
  112.         // For this voter, the subject cannot be null
  113.         if ($subject === null)
  114.             return false;
  116.         // Check current group affectation
  117.         // This also includes mission sharing
  118.         //        mission.society.group = currentGroup
  119.         //        OR
  120.         //        mission.getSocietyGroupOwner = currentGroup
  121.         $societyGroupOwner null;
  123.         if ($subject !== null)
  124.         {
  125.             $subjectGroup null;
  126.             if ($subject instanceof Note)
  127.             {
  128.                 $subjectGroup $subject->getSocietyGroup();
  130.                 // Try to fecth the societyGroupOwner from the mission
  131.                 if ($subject->getMission() !== null)
  132.                 {
  133.                     $societyGroupOwner $subject->getMission()->getSocietyGroupOwner();
  134.                 }
  135.             }
  136.             else
  137.             {
  138.                 if ($subject instanceof Mission)
  139.                 {
  140.                     $client $subject->getReceiver();
  141.                     if ($client === null)
  142.                         return false;
  143.                     $subjectGroup $client->getSocietyGroup();
  145.                     // Try to fecth the societyGroupOwner from the mission
  146.                     $societyGroupOwner $subject->getSocietyGroupOwner();
  147.                 }
  148.                 else
  149.                 {
  150.                     $client $subject;
  151.                     if ($client === null)
  152.                         return false;
  153.                     $subjectGroup $client->getSocietyGroup();
  155.                     // Try to fetch the societyGroupOwner from the client
  156.                     $societyGroupOwner null;
  157.                 }
  158.             }
  160.             if ($subjectGroup === null)
  161.             {
  162.                 return false;
  163.             }
  165.             if ($subjectGroup === null)
  166.                 return false;
  168.             // Checking ...
  169.             if ($societyGroupOwner !== null)
  170.             {
  171.                 if (!$currentGroup->equals($subjectGroup) && !$currentGroup->equals($societyGroupOwner))
  172.                 {
  173.                     return false;
  174.                 }
  175.             }
  176.             else
  177.             {
  178.                 if (!$currentGroup->equals($subjectGroup))
  179.                 {
  180.                     return false;
  181.                 }
  182.             }
  183.         }
  185.         switch ($attribute)
  186.         {
  187.             case self::ADD:
  188.             {
  189.                 // $subject should be instanceof Client or Mission
  190.                 return $this->canAdd($subject$user$function);
  191.             }
  192.             case self::ADD_CLIENT_VISIBLE:
  193.             {
  194.                 // $subject should be instanceof Mission
  195.                 if ($subject instanceof Mission)
  196.                 {
  197.                     return $this->canAddClientVisible($subject$user$function);
  198.                 }
  199.                 else
  200.                 {
  201.                     return false;
  202.                 }
  203.             }
  204.             case self::EDIT:
  205.             {
  206.                 // $subject should be instanceof Note
  207.                 $note $subject;
  208.                 return $this->canEdit($note$user$function);
  209.             }
  210.             case self::HIDE:
  211.             {
  212.                 // $subject should be instanceof Note
  213.                 $note $subject;
  214.                 return $this->canHide($note$user$function);
  215.             }
  216.             case self::DELETE:
  217.             {
  218.                 // $subject should be instanceof Note
  219.                 $note $subject;
  220.                 return $this->canDelete($note$user$function$token);
  221.             }
  222.         }
  224.         throw new \LogicException('This code should not be reached!');
  225.     }
  227.     // $access is the user trying to load the resource
  228.     // $client is the resource being loaded
  230.     // Check if the Society of the resource
  231.     // belongs to the societies of the $access
  232.     private function checkSociety(Client $clientAccess $access)
  233.     {
  234.         if ($client === null)
  235.             return false;
  237.         $individual $client->getIndividual();
  238.         if ($individual === null)
  239.             return false;
  241.         $clientSociety $individual->getSociety();
  242.         if ($clientSociety === null)
  243.             return false;
  245.         // Get all the societies of the access
  246.         $societies $access->getSocieties();
  248.         foreach ($societies as $society)
  249.         {
  250.             if ($society->equals($clientSociety))
  251.             {
  252.                 return true;
  253.             }
  254.         }
  255.         return false;
  256.     }
  258.     // $access is the user trying to load the resource
  259.     // $client is the resource being loaded
  261.     // Check if the Society of the resource
  262.     // belongs to the societies of the $access
  263.     private function checkManager(Client $clientAccess $access)
  264.     {
  265.         if ($client === null)
  266.             return false;
  268.         $individual $client->getIndividual();
  269.         if ($individual === null)
  270.             return false;
  272.         $clientManager $individual->getManager();
  273.         if ($clientManager === null)
  274.             return false;
  276.         if ($clientManager->equals($access))
  277.             return true;
  278.         return false;
  279.     }
  281.     private function canAdd($subjectAccess $accessAccessFunction $function)
  282.     {
  283.         if ($subject instanceof Mission)
  284.         {
  285.             // Deny edit on archivedRefused objects
  286.             if ($subject->isArchivedRefused())
  287.             {
  288.                 return false;
  289.             }
  290.         }
  292.         // Three AclPermission may exist
  293.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  294.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_SOCIETY);
  295.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_MANAGER);
  297.         // If all are null, exit
  298.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  299.             return false;
  301.         // Get First one
  302.         if ($aclPerm !== null)
  303.         {
  304.             $acl $this->aclRepository->findOneBy(array(
  305.                 'function'        =>    $function,
  306.                 'permission'    =>    $aclPerm
  307.             ));
  308.             if ($acl !== null)
  309.             {
  310.                 if ($acl->getValue())
  311.                 {
  312.                     // A single positive answer is enough
  313.                     return true;
  314.                 }
  315.             }
  316.         }
  318.         if ($subject instanceof Mission)
  319.             $client $subject->getReceiver();
  320.         else
  321.             if ($subject instanceof Client)
  322.                 $client $subject;
  323.             else
  324.                 return false;
  326.         // If we are here it means that nothing good has been found
  327.         // Load second permission
  328.         if ($aclPermSociety !== null)
  329.         {
  330.             $acl $this->aclRepository->findOneBy(array(
  331.                 'function'        =>    $function,
  332.                 'permission'    =>    $aclPermSociety
  333.             ));
  334.             if ($acl !== null)
  335.             {
  336.                 if ($acl->getValue())
  337.                 {
  338.                     // A single positive answer is enough
  339.                     // In this case the good answer will be provided by the checkSociety
  340.                     return $this->checkSociety($client$access);
  341.                 }
  342.             }
  343.         }
  345.         // If we are here it means that nothing good has been found
  346.         // Load third permission
  347.         if ($aclPermManager !== null)
  348.         {
  349.             $acl $this->aclRepository->findOneBy(array(
  350.                 'function'        =>    $function,
  351.                 'permission'    =>    $aclPermManager
  352.             ));
  353.             if ($acl !== null)
  354.             {
  355.                 if ($acl->getValue())
  356.                 {
  357.                     // A single positive answer is enough
  358.                     // In this case the good answer will be provided by the checkManager
  359.                     return $this->checkManager($client$access);
  360.                 }
  361.             }
  362.         }
  363.         // If we are here, all hope is lost
  364.         return false;
  365.     }
  367.     private function canAddClientVisible(Mission $missionAccess $accessAccessFunction $function)
  368.     {
  369.         // Deny edit on archivedRefused objects
  370.         if ($mission->isArchivedRefused())
  371.         {
  372.             return false;
  373.         }
  375.         $receiver $mission->getReceiver();
  376.         if ($receiver === null)
  377.         {
  378.             // This should not happen
  379.             return false;
  380.         }
  382.         // Deny if mission.receiver has not activated its account
  383.         // Plan.io Task #4327 : Add Client Account, and remove JCAF
  384.         // Does the Receiver have an AccessClientRecord ?
  385.         $accessClientIsActive $this->accessClientTools->accessClientIsActiveForClient($receiver);
  386.         if (!$accessClientIsActive)
  387.         {
  388.             return false;
  389.         }
  391.         // Three AclPermission may exist
  392.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  393.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_SOCIETY);
  394.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_MANAGER);
  396.         // If all are null, exit
  397.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  398.             return false;
  400.         // Get First one
  401.         if ($aclPerm !== null)
  402.         {
  403.             $acl $this->aclRepository->findOneBy(array(
  404.                 'function'        =>    $function,
  405.                 'permission'    =>    $aclPerm
  406.             ));
  407.             if ($acl !== null)
  408.             {
  409.                 if ($acl->getValue())
  410.                 {
  411.                     // A single positive answer is enough
  412.                     return true;
  413.                 }
  414.             }
  415.         }
  417.         $client $mission->getReceiver();
  419.         // If we are here it means that nothing good has been found
  420.         // Load second permission
  421.         if ($aclPermSociety !== null)
  422.         {
  423.             $acl $this->aclRepository->findOneBy(array(
  424.                 'function'        =>    $function,
  425.                 'permission'    =>    $aclPermSociety
  426.             ));
  427.             if ($acl !== null)
  428.             {
  429.                 if ($acl->getValue())
  430.                 {
  431.                     // A single positive answer is enough
  432.                     // In this case the good answer will be provided by the checkSociety
  433.                     return $this->checkSociety($client$access);
  434.                 }
  435.             }
  436.         }
  438.         // If we are here it means that nothing good has been found
  439.         // Load third permission
  440.         if ($aclPermManager !== null)
  441.         {
  442.             $acl $this->aclRepository->findOneBy(array(
  443.                 'function'        =>    $function,
  444.                 'permission'    =>    $aclPermManager
  445.             ));
  446.             if ($acl !== null)
  447.             {
  448.                 if ($acl->getValue())
  449.                 {
  450.                     // A single positive answer is enough
  451.                     // In this case the good answer will be provided by the checkManager
  452.                     return $this->checkManager($client$access);
  453.                 }
  454.             }
  455.         }
  456.         // If we are here, all hope is lost
  457.         return false;
  458.     }
  460.     private function canEdit(Note $noteAccess $accessAccessFunction $function)
  461.     {
  462.         // Deny edit on archivedRefused objects
  463.         if ($note->isArchivedRefused())
  464.         {
  465.             return false;
  466.         }
  468.         if ($note->isReadonly())
  469.         {
  470.             return false;
  471.         }
  473.         // Plan.io Task #4071 : Deny parent mission actions on child item
  474.         if ($note->getMission() !== null && $note->getMission()->getParent() !== null)
  475.         {
  476.             if ($note->belongsToChildOf($note->getMission()->getParent()))
  477.             {
  478.                 return false;
  479.             }
  480.         }
  482.         // Deny edit on notes that have been successfully sent to Jcaf
  483.         if (!empty($note->getRemoteJcafId()))
  484.         {
  485.             return false;
  486.         }
  487.         // Deny edit on notes that have been successfully sent to Rekto
  488.         if (!empty($note->getRemoteRektoId()))
  489.         {
  490.             return false;
  491.         }
  493.         // Allways allow authors to edit their own notes
  494.         if ($note->getAuthor() !== null && $note->getAuthor()->equals($access))
  495.             return true;
  497.         $client $note->getClient();
  498.         if ($client === null)
  499.         {
  500.             $mission $note->getMission();
  501.             if ($mission === null)
  502.                 return false;
  503.             $client $mission->getReceiver();
  504.             if ($client === null)
  505.                 return null;
  506.         }
  508.         // Three AclPermission may exist
  509.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  510.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  511.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_MANAGER);
  513.         // If all are null, exit
  514.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  515.             return false;
  517.         // Get First one
  518.         if ($aclPerm !== null)
  519.         {
  520.             $acl $this->aclRepository->findOneBy(array(
  521.                 'function'        =>    $function,
  522.                 'permission'    =>    $aclPerm
  523.             ));
  524.             if ($acl !== null)
  525.             {
  526.                 if ($acl->getValue())
  527.                 {
  528.                     // A single positive answer is enough
  529.                     return true;
  530.                 }
  531.             }
  532.         }
  534.         // If we are here it means that nothing good has been found
  535.         // Load second permission
  536.         if ($aclPermSociety !== null)
  537.         {
  538.             $acl $this->aclRepository->findOneBy(array(
  539.                 'function'        =>    $function,
  540.                 'permission'    =>    $aclPermSociety
  541.             ));
  542.             if ($acl !== null)
  543.             {
  544.                 if ($acl->getValue())
  545.                 {
  546.                     // A single positive answer is enough
  547.                     // In this case the good answer will be provided by the checkSociety
  548.                     return $this->checkSociety($client$access);
  549.                 }
  550.             }
  551.         }
  553.         // If we are here it means that nothing good has been found
  554.         // Load third permission
  555.         if ($aclPermManager !== null)
  556.         {
  557.             $acl $this->aclRepository->findOneBy(array(
  558.                 'function'        =>    $function,
  559.                 'permission'    =>    $aclPermManager
  560.             ));
  561.             if ($acl !== null)
  562.             {
  563.                 if ($acl->getValue())
  564.                 {
  565.                     // A single positive answer is enough
  566.                     // In this case the good answer will be provided by the checkManager
  567.                     return $this->checkManager($client$access);
  568.                 }
  569.             }
  570.         }
  571.         // If we are here, all hope is lost
  572.         return false;
  573.     }
  575.     private function canHide(Note $noteAccess $accessAccessFunction $function)
  576.     {
  577.         // Allways allow authors to edit their own notes
  578.         if ($note->getAuthor() !== null && $note->getAuthor()->equals($access))
  579.             return true;
  581.         $client $note->getClient();
  582.         if ($client === null)
  583.         {
  584.             $mission $note->getMission();
  585.             if ($mission === null)
  586.                 return false;
  587.             $client $mission->getReceiver();
  588.             if ($client === null)
  589.                 return null;
  590.         }
  592.         // Three AclPermission may exist
  593.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_HIDE);
  594.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_HIDE_SOCIETY);
  595.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_HIDE_MANAGER);
  597.         // If all are null, exit
  598.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  599.             return false;
  601.         // Get First one
  602.         if ($aclPerm !== null)
  603.         {
  604.             $acl $this->aclRepository->findOneBy(array(
  605.                 'function'        =>    $function,
  606.                 'permission'    =>    $aclPerm
  607.             ));
  608.             if ($acl !== null)
  609.             {
  610.                 if ($acl->getValue())
  611.                 {
  612.                     // A single positive answer is enough
  613.                     return true;
  614.                 }
  615.             }
  616.         }
  618.         // If we are here it means that nothing good has been found
  619.         // Load second permission
  620.         if ($aclPermSociety !== null)
  621.         {
  622.             $acl $this->aclRepository->findOneBy(array(
  623.                 'function'        =>    $function,
  624.                 'permission'    =>    $aclPermSociety
  625.             ));
  626.             if ($acl !== null)
  627.             {
  628.                 if ($acl->getValue())
  629.                 {
  630.                     // A single positive answer is enough
  631.                     // In this case the good answer will be provided by the checkSociety
  632.                     return $this->checkSociety($client$access);
  633.                 }
  634.             }
  635.         }
  637.         // If we are here it means that nothing good has been found
  638.         // Load third permission
  639.         if ($aclPermManager !== null)
  640.         {
  641.             $acl $this->aclRepository->findOneBy(array(
  642.                 'function'        =>    $function,
  643.                 'permission'    =>    $aclPermManager
  644.             ));
  645.             if ($acl !== null)
  646.             {
  647.                 if ($acl->getValue())
  648.                 {
  649.                     // A single positive answer is enough
  650.                     // In this case the good answer will be provided by the checkManager
  651.                     return $this->checkManager($client$access);
  652.                 }
  653.             }
  654.         }
  655.         // If we are here, all hope is lost
  656.         return false;
  657.     }
  659.     private function canDelete(Note $noteAccess $accessAccessFunction $function$token)
  660.     {
  661.         // Plan.io Task #4383, modified by #4453
  662.         // Temporarly allow admins to delete any Note
  663.         // if ($this->security->isGranted('rekapp_admin'))
  664.         if ($this->accessDecisionManager->decide($token, ['rekapp_admin']))
  665.         {
  666.             return true;
  667.         }
  669.         // Deny edit on archivedRefused objects
  670.         if ($note->isArchivedRefused())
  671.         {
  672.             return false;
  673.         }
  675.         if ($note->isReadonly())
  676.         {
  677.             return false;
  678.         }
  680.         // Plan.io Task #4071 : Deny parent mission actions on child item
  681.         if ($note->getMission() !== null && $note->getMission()->getParent() !== null)
  682.         {
  683.             if ($note->belongsToChildOf($note->getMission()->getParent()))
  684.             {
  685.                 return false;
  686.             }
  687.         }
  689.         // Deny delete on notes that have been successfully sent to Jcaf
  690.         if (!empty($note->getRemoteJcafId()))
  691.         {
  692.             return false;
  693.         }
  694.         // Deny delete on notes that have been successfully sent to Rekto
  695.         if (!empty($note->getRemoteRektoId()))
  696.         {
  697.             return false;
  698.         }
  700.         // Allways allow authors to edit their own notes
  701.         if ($note->getAuthor() !== null && $note->getAuthor()->equals($access))
  702.             return true;
  704.         $client $note->getClient();
  705.         if ($client === null)
  706.         {
  707.             $mission $note->getMission();
  708.             if ($mission === null)
  709.                 return false;
  710.             $client $mission->getReceiver();
  711.             if ($client === null)
  712.                 return null;
  713.         }
  715.         // Three AclPermission may exist
  716.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
  717.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_SOCIETY);
  718.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_MANAGER);
  720.         // If all are null, exit
  721.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  722.             return false;
  724.         // Get First one
  725.         if ($aclPerm !== null)
  726.         {
  727.             $acl $this->aclRepository->findOneBy(array(
  728.                 'function'        =>    $function,
  729.                 'permission'    =>    $aclPerm
  730.             ));
  731.             if ($acl !== null)
  732.             {
  733.                 if ($acl->getValue())
  734.                 {
  735.                     // A single positive answer is enough
  736.                     return true;
  737.                 }
  738.             }
  739.         }
  741.         // If we are here it means that nothing good has been found
  742.         // Load second permission
  743.         if ($aclPermSociety !== null)
  744.         {
  745.             $acl $this->aclRepository->findOneBy(array(
  746.                 'function'        =>    $function,
  747.                 'permission'    =>    $aclPermSociety
  748.             ));
  749.             if ($acl !== null)
  750.             {
  751.                 if ($acl->getValue())
  752.                 {
  753.                     // A single positive answer is enough
  754.                     // In this case the good answer will be provided by the checkSociety
  755.                     return $this->checkSociety($client$access);
  756.                 }
  757.             }
  758.         }
  760.         // If we are here it means that nothing good has been found
  761.         // Load third permission
  762.         if ($aclPermManager !== null)
  763.         {
  764.             $acl $this->aclRepository->findOneBy(array(
  765.                 'function'        =>    $function,
  766.                 'permission'    =>    $aclPermManager
  767.             ));
  768.             if ($acl !== null)
  769.             {
  770.                 if ($acl->getValue())
  771.                 {
  772.                     // A single positive answer is enough
  773.                     // In this case the good answer will be provided by the checkManager
  774.                     return $this->checkManager($client$access);
  775.                 }
  776.             }
  777.         }
  778.         // If we are here, all hope is lost
  779.         return false;
  780.     }
  783. }