src/Security/PaymentVoter.php line 64

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/PaymentVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\APIRest\AccessAPI;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Platform\Devis\Devis;
  17. use App\Entity\Platform\Invoice\Invoice;
  18. use App\Entity\Security\Acl;
  19. use App\Entity\Security\AclPermission;
  20. use App\Services\Config\ModuleTools;
  22. class PaymentVoter extends Voter
  23. {
  24.     //--------------------------------------------------------------------------------
  25.     // is_granted constants
  26.     const IS_ACTIVE "payment_is_active";
  28.     const ADD_DEVIS "add_payment_devis";
  29.     const ADD_INVOICE "add_payment_invoice";
  31.     const LISTING "list_payments";
  32.     const LISTING_SOCIETY "list_payments_society";
  33.     const LISTING_ANY "list_payments_any";
  35.     const IS_GRANTED_CONSTANTS = array(
  36.         self::IS_ACTIVE,
  37.         self::ADD_DEVIS,
  38.         self::ADD_INVOICE,
  39.         self::LISTING,
  40.         self::LISTING_SOCIETY,
  41.         self::LISTING_ANY,
  42.     );
  44.     //--------------------------------------------------------------------------------
  45.     // acl constants
  47.     const ACL_PERM_ADD_DEVIS 'payment_devis_add';
  48.     const ACL_PERM_ADD_DEVIS_SOCIETY 'payment_devis_add_society';
  50.     const ACL_PERM_ADD_INVOICE 'payment_invoice_add';
  51.     const ACL_PERM_ADD_INVOICE_SOCIETY 'payment_invoice_add_society';
  53.     const ACL_PERM_LIST 'payment_list';
  54.     const ACL_PERM_LIST_SOCIETY 'payment_list_society';
  56.     //--------------------------------------------------------------------------------
  58.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  59.     {
  60.         $this->em $doctrine->getManager();
  61.         $this->moduleTools $moduleTools;
  63.         $this->aclRepository $this->em->getRepository(Acl::class);
  64.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  65.     }
  67.     // Plan.io Task #4453 [See AccessVoter for details]
  68.     public function supportsAttribute(string $attribute): bool
  69.     {
  70.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  71.     }
  72.     
  73.     protected function supports(string $attribute$subject null): bool
  74.     {
  75.         // if the attribute isn't one we support, return false
  76.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  77.         {
  78.             return false;
  79.         }
  81.         // only vote on Devis/Invoice objects inside this voter
  82.         if ($subject !== null && !($subject instanceof Devis || $subject instanceof Invoice))
  83.         {
  84.             return false;
  85.         }
  87.         return true;
  88.     }
  90.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  91.     {
  92.         $user $token->getUser();
  94.         // Plan.io Task #3707
  95.         if ($user instanceof AccessAPI)
  96.         {
  97.             if ($user->getAccess() === null)
  98.             {
  99.                 return false;
  100.             }
  101.             $user $user->getAccess();
  102.         }
  104.         // Plan.io Task #3707
  105.         // At this point $user is an object of Access type
  106.         // even if the $token->getUser() is AccessAPI
  107.         if (!$user instanceof Access)
  108.         {
  109.             // the user must be logged in; if not, deny access
  110.             return false;
  111.         }
  113.         // The user must have a function; if not deny access
  114.         $function $user->getFunction();
  115.         if ($function === null)        return false;
  117.         // Plan.io Task #3710 : Get current group
  118.         $currentGroup $user->getSocietyGroup();
  119.         if ($currentGroup === null)
  120.             return false;
  122.         // Module activated ?
  123.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_PAYMENT))
  124.         {
  125.             return false;
  126.         }
  128.         // Check current group affectation
  129.         if ($subject !== null)
  130.         {
  131.             $subjectSociety $subject->getSociety();
  132.             if ($subjectSociety === null)
  133.                 return false;
  134.             $subjectGroup $subjectSociety->getGroup();
  135.             if ($subjectGroup === null)
  136.                 return false;
  137.             if (!$currentGroup->equals($subjectGroup))
  138.                 return false;
  139.         }
  141.         switch ($attribute)
  142.         {
  143.             case self::IS_ACTIVE:
  144.                 return true;
  146.             case self::ADD_DEVIS:
  147.                 return $this->canAddForDevis($subject$user$function);
  148.             case self::ADD_INVOICE:
  149.                 return $this->canAddForInvoice($subject$user$function);
  151.             case self::LISTING:
  152.                 return $this->canList($user$function);
  153.             case self::LISTING_SOCIETY:
  154.                 return $this->canListSociety($user$function);
  155.             case self::LISTING_ANY:
  156.                 return $this->canListAny($user$function);
  157.         }
  159.         throw new \LogicException('This code should not be reached!');
  160.     }
  162.     // Check if the Society of the $subject
  163.     // belongs to the societies of the $access
  164.     private function checkSociety($subjectAccess $access)
  165.     {
  166.         // Get all the societies of the access
  167.         $societies $access->getSocieties();
  169.         // Get the Society of the subject
  170.         $subjectSociety $subject->getSociety();
  172.         if ($subjectSociety === null)
  173.             return false;
  175.         $found false;
  176.         foreach ($societies as $society)
  177.         {
  178.             if ($society->getId() == $subjectSociety->getId())
  179.             {
  180.                 $found true;
  181.                 break;
  182.             }
  183.         }
  184.         return $found;
  185.     }
  187.     private function canAddForDevis(Devis $devisAccess $userAccessFunction $function)
  188.     {
  189.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_DEVIS);
  190.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_DEVIS_SOCIETY);
  192.         if ($aclPerm === null && $aclPermSociety === null)        return false;
  194.         // Get First one
  195.         if ($aclPerm !== null)
  196.         {
  197.             $acl $this->aclRepository->findOneBy(array(
  198.                 'function'        =>    $function,
  199.                 'permission'    =>    $aclPerm
  200.             ));
  201.             if ($acl !== null)
  202.             {
  203.                 if ($acl->getValue())
  204.                 {
  205.                     // A single positive answer is enough
  206.                     return true;
  207.                 }
  208.             }
  209.         }
  211.         // If we are here it means that nothing good has been found
  212.         // Load second permission
  213.         if ($aclPermSociety !== null)
  214.         {
  215.             $acl $this->aclRepository->findOneBy(array(
  216.                 'function'        =>    $function,
  217.                 'permission'    =>    $aclPermSociety
  218.             ));
  219.             if ($acl !== null)
  220.             {
  221.                 if ($acl->getValue())
  222.                 {
  223.                     return $this->checkSociety($devis$user);
  224.                 }
  225.             }
  226.         }
  228.         // If we are here, all hope is lost
  229.         return false;
  230.     }
  232.     private function canAddForInvoice(Invoice $invoiceAccess $userAccessFunction $function)
  233.     {
  234.         // Plan.io Task #4326
  235.         // Deny on drafts
  236.         if ($invoice->isDraft())
  237.         {
  238.             return false;
  239.         }
  241.         // Get Acl_Perm
  242.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_INVOICE);
  243.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_INVOICE_SOCIETY);
  245.         if ($aclPerm === null && $aclPermSociety === null)        return false;
  247.         // Get First one
  248.         if ($aclPerm !== null)
  249.         {
  250.             $acl $this->aclRepository->findOneBy(array(
  251.                 'function'        =>    $function,
  252.                 'permission'    =>    $aclPerm
  253.             ));
  254.             if ($acl !== null)
  255.             {
  256.                 if ($acl->getValue())
  257.                 {
  258.                     // A single positive answer is enough
  259.                     return true;
  260.                 }
  261.             }
  262.         }
  264.         // If we are here it means that nothing good has been found
  265.         // Load second permission
  266.         if ($aclPermSociety !== null)
  267.         {
  268.             $acl $this->aclRepository->findOneBy(array(
  269.                 'function'        =>    $function,
  270.                 'permission'    =>    $aclPermSociety
  271.             ));
  272.             if ($acl !== null)
  273.             {
  274.                 if ($acl->getValue())
  275.                 {
  276.                     return $this->checkSociety($invoice$user);
  277.                 }
  278.             }
  279.         }
  281.         // If we are here, all hope is lost
  282.         return false;
  283.     }
  285.     private function canList(Access $userAccessFunction $function)
  286.     {
  287.         // If canView, then canList ;)
  288.         // Get Acl_Perm
  289.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  290.         if ($aclPerm === null)        return false;
  292.         // Get Acl
  293.         $acl $this->aclRepository->findOneBy(array(
  294.             'function'        =>    $function,
  295.             'permission'    =>    $aclPerm
  296.         ));
  297.         if ($acl === null)        return false;
  299.         // Since only one acl type can exist
  300.         // we can return the result of the acl_permission
  301.         return $acl->getValue();
  302.     }
  304.     private function canListSociety(Access $userAccessFunction $function)
  305.     {
  306.         // If canView, then canList ;)
  307.         // Get Acl_Perm
  308.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  309.         if ($aclPerm === null)        return false;
  311.         // Get Acl
  312.         $acl $this->aclRepository->findOneBy(array(
  313.             'function'        =>    $function,
  314.             'permission'    =>    $aclPerm
  315.         ));
  316.         if ($acl === null)        return false;
  318.         // Since only one acl type can exist
  319.         // we can return the result of the acl_permission
  320.         return $acl->getValue();
  321.     }
  323.     private function canListAny(Access $userAccessFunction $function)
  324.     {
  325.         // Three Acl_Perm may exist
  326.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  327.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  329.         // If all are null, exit
  330.         if ($aclPerm === null && $aclPermSociety === null)
  331.             return false;
  333.         // Get First one
  334.         if ($aclPerm !== null)
  335.         {
  336.             $acl $this->aclRepository->findOneBy(array(
  337.                 'function'        =>    $function,
  338.                 'permission'    =>    $aclPerm
  339.             ));
  340.             if ($acl !== null)
  341.             {
  342.                 if ($acl->getValue())
  343.                 {
  344.                     // A single positive answer is enough
  345.                     return true;
  346.                 }
  347.             }
  348.         }
  350.         // If we are here it means that nothing good has been found
  351.         // Load second permission
  352.         if ($aclPermSociety !== null)
  353.         {
  354.             $acl $this->aclRepository->findOneBy(array(
  355.                 'function'        =>    $function,
  356.                 'permission'    =>    $aclPermSociety
  357.             ));
  358.             if ($acl !== null)
  359.             {
  360.                 if ($acl->getValue())
  361.                 {
  362.                     // A single positive answer is enough
  363.                     return true;
  364.                 }
  365.             }
  366.         }
  368.         // If we are here, all hope is lost
  369.         return false;
  370.     }
  371. }