src/Security/PlanningResourceVoter.php line 64

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/PlanningResourceVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Planning\PlanningResource;
  16. use App\Entity\Security\Acl;
  17. use App\Entity\Security\AclPermission;
  18. use App\Services\Config\ModuleTools;
  20. class PlanningResourceVoter extends Voter
  21. {
  22.     //--------------------------------------------------------------------------------
  23.     // is_granted constants
  24.     const ADD "add_planning_resource";
  25.     const ADD_SOCIETY "add_planning_resource_society";
  26.     const ADD_ANY "add_planning_resource_any";
  28.     const LISTING "list_planning_resources";
  29.     const LISTING_SOCIETY "list_planning_resources_society";
  30.     const LISTING_ANY "list_planning_resources_any";
  32.     const EDIT "edit_planning_resource";
  33.     // Needed for altering the order of the planning resources
  34.     const EDIT_ANY "edit_planning_resource_any";
  36.     const IS_GRANTED_CONSTANTS = array(
  37.         self::ADD,
  38.         self::ADD_SOCIETY,
  39.         self::ADD_ANY,
  40.         self::LISTING,
  41.         self::LISTING_SOCIETY,
  42.         self::LISTING_ANY,
  43.         self::EDIT,
  44.         self::EDIT_ANY,
  45.     );
  47.     //--------------------------------------------------------------------------------
  48.     // acl constants
  49.     const ACL_PERM_ADD "planning_resource_add";
  50.     const ACL_PERM_ADD_SOCIETY "planning_resource_add_society";
  52.     const ACL_PERM_LISTING "planning_resource_list";
  53.     const ACL_PERM_LISTING_SOCIETY "planning_resource_list_society";
  55.     const ACL_PERM_EDIT "planning_resource_edit";
  56.     const ACL_PERM_EDIT_SOCIETY "planning_resource_edit_society";
  57.     //--------------------------------------------------------------------------------
  59.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  60.     {
  61.         $this->em $doctrine->getManager();
  62.         $this->moduleTools $moduleTools;
  64.         $this->aclRepository $this->em->getRepository(Acl::class);
  65.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  66.     }
  68.     // Plan.io Task #4453 [See AccessVoter for details]
  69.     public function supportsAttribute(string $attribute): bool
  70.     {
  71.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  72.     }
  73.     
  74.     protected function supports(string $attribute$subject): bool
  75.     {
  76.         // if the attribute isn't one we support, return false
  77.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  78.         {
  79.             return false;
  80.         }
  82.         // only vote on PlanningResource objects inside this voter
  83.         if ($subject !== null && !$subject instanceof PlanningResource)
  84.         {
  85.             return false;
  86.         }
  88.         return true;
  89.     }
  91.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  92.     {
  93.         $user $token->getUser();
  95.         if (!$user instanceof Access)
  96.         {
  97.             // the user must be logged in; if not, deny access
  98.             return false;
  99.         }
  101.         // The user must have a function; if not deny access
  102.         $function $user->getFunction();
  103.         if ($function === null)        return false;
  105.         // Plan.io Task #3710 : Get current group
  106.         $currentGroup $user->getSocietyGroup();
  107.         if ($currentGroup === null)
  108.             return false;
  110.         // you know $subject is a PlanningResource object, thanks to supports
  111.         /** @var PlanningResource $planningResource */
  112.         $planningResource $subject;
  114.         // Check current group affectation
  115.         if ($subject !== null)
  116.         {
  117.             $subjectSociety $subject->getSociety();
  118.             if ($subjectSociety === null)
  119.                 return false;
  120.             $subjectGroup $subjectSociety->getGroup();
  121.             if ($subjectGroup === null)
  122.                 return false;
  123.             if (!$currentGroup->equals($subjectGroup))
  124.                 return false;
  125.         }
  127.         switch ($attribute)
  128.         {
  129.             case self::ADD:
  130.                 return $this->canAdd($user$function);
  131.             case self::ADD_SOCIETY:
  132.                 return $this->canAddSociety($user$function);
  133.             case self::ADD_ANY:
  134.                 return $this->canAddAny($user$function);
  136.             case self::LISTING:
  137.                 return $this->canList($user$function);
  138.             case self::LISTING_SOCIETY:
  139.                 return $this->canListSociety($user$function);
  140.             case self::LISTING_ANY:
  141.                 return $this->canListAny($user$function);
  143.             case self::EDIT:
  144.                 return $this->canEdit($planningResource$user$function);
  145.             case self::EDIT_ANY:
  146.                 return $this->canEditAny($user$function);
  147.         }
  149.         throw new \LogicException('This code should not be reached!');
  150.     }
  152.     // $access is the user trying to load the resource
  153.     // $planningResource is the resource being loaded
  155.     // Check if the Society of the resource
  156.     // belongs to the societies of the $access
  157.     private function checkSociety(PlanningResource $planningResourceAccess $access)
  158.     {
  159.         // Get all the societies of the access
  160.         $societies $access->getSocieties();
  162.         // Get the Society of the PlanningResource
  163.         $planningResourceSociety $planningResource->getSociety();
  164.         if ($planningResourceSociety === null)
  165.             return false;
  167.         $found false;
  168.         foreach ($societies as $society)
  169.         {
  170.             if ($society->getId() == $planningResourceSociety->getId())
  171.             {
  172.                 $found true;
  173.                 break;
  174.             }
  175.         }
  176.         return $found;
  177.     }
  179.     private function canAdd(Access $userAccessFunction $function)
  180.     {
  181.         // Get AclPermission
  182.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  183.         if ($aclPerm === null)        return false;
  185.         // Get Acl
  186.         $acl $this->aclRepository->findOneBy(array(
  187.             'function'        =>    $function,
  188.             'permission'    =>    $aclPerm
  189.         ));
  190.         if ($acl === null)        return false;
  192.         // Since only one acl type can exist
  193.         // we can return the result of the acl_permission
  194.         return $acl->getValue();
  195.     }
  197.     private function canAddSociety(Access $userAccessFunction $function)
  198.     {
  199.         // Get AclPermission
  200.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_SOCIETY);
  201.         if ($aclPerm === null)        return false;
  203.         // Get Acl
  204.         $acl $this->aclRepository->findOneBy(array(
  205.             'function'        =>    $function,
  206.             'permission'    =>    $aclPerm
  207.         ));
  208.         if ($acl === null)        return false;
  210.         // Since only one acl type can exist
  211.         // we can return the result of the acl_permission
  212.         // Further filtering is done in the Controller
  213.         return $acl->getValue();
  214.     }
  216.     private function canAddAny(Access $userAccessFunction $function)
  217.     {
  218.         // Two AclPermission may exist
  219.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  220.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_SOCIETY);
  221.         // If both are null, exit
  222.         if ($aclPerm === null && $aclPermSociety === null)
  223.             return false;
  225.         // Get First one
  226.         if ($aclPerm !== null)
  227.         {
  228.             $acl $this->aclRepository->findOneBy(array(
  229.                 'function'        =>    $function,
  230.                 'permission'    =>    $aclPerm
  231.             ));
  232.             if ($acl !== null)
  233.             {
  234.                 if ($acl->getValue())
  235.                 {
  236.                     // A single positive answer is enough
  237.                     return true;
  238.                 }
  239.             }
  240.         }
  241.         // If we are here it means that nothing good has been found
  242.         // Load second permission
  243.         if ($aclPermSociety !== null)
  244.         {
  245.             $acl $this->aclRepository->findOneBy(array(
  246.                 'function'        =>    $function,
  247.                 'permission'    =>    $aclPermSociety
  248.             ));
  249.             if ($acl !== null)
  250.             {
  251.                 if ($acl->getValue())
  252.                 {
  253.                     // A single positive answer is enough
  254.                     return true;
  255.                 }
  256.             }
  257.         }
  258.         // If we are here, all hope is lost
  259.         return false;
  260.     }
  262.     private function canList(Access $userAccessFunction $function)
  263.     {
  264.         // Get AclPermission
  265.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  266.         if ($aclPerm === null)        return false;
  268.         // Get Acl
  269.         $acl $this->aclRepository->findOneBy(array(
  270.             'function'        =>    $function,
  271.             'permission'    =>    $aclPerm
  272.         ));
  273.         if ($acl === null)        return false;
  275.         // Since only one acl type can exist
  276.         // we can return the result of the acl_permission
  277.         return $acl->getValue();
  278.     }
  280.     private function canListSociety(Access $userAccessFunction $function)
  281.     {
  282.         // Get AclPermission
  283.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  284.         if ($aclPerm === null)        return false;
  286.         // Get Acl
  287.         $acl $this->aclRepository->findOneBy(array(
  288.             'function'        =>    $function,
  289.             'permission'    =>    $aclPerm
  290.         ));
  291.         if ($acl === null)        return false;
  293.         // Since only one acl type can exist
  294.         // we can return the result of the acl_permission
  295.         // Further filtering is done in the Controller
  296.         return $acl->getValue();
  297.     }
  299.     private function canListAny(Access $userAccessFunction $function)
  300.     {
  301.         // Two AclPermission may exist
  302.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  303.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  304.         // If both are null, exit
  305.         if ($aclPerm === null && $aclPermSociety === null)
  306.             return false;
  308.         // Get First one
  309.         if ($aclPerm !== null)
  310.         {
  311.             $acl $this->aclRepository->findOneBy(array(
  312.                 'function'        =>    $function,
  313.                 'permission'    =>    $aclPerm
  314.             ));
  315.             if ($acl !== null)
  316.             {
  317.                 if ($acl->getValue())
  318.                 {
  319.                     // A single positive answer is enough
  320.                     return true;
  321.                 }
  322.             }
  323.         }
  324.         // If we are here it means that nothing good has been found
  325.         // Load second permission
  326.         if ($aclPermSociety !== null)
  327.         {
  328.             $acl $this->aclRepository->findOneBy(array(
  329.                 'function'        =>    $function,
  330.                 'permission'    =>    $aclPermSociety
  331.             ));
  332.             if ($acl !== null)
  333.             {
  334.                 if ($acl->getValue())
  335.                 {
  336.                     // A single positive answer is enough
  337.                     return true;
  338.                 }
  339.             }
  340.         }
  341.         // If we are here, all hope is lost
  342.         return false;
  343.     }
  345.     private function canEdit(PlanningResource $planningResource nullAccess $userAccessFunction $function)
  346.     {
  347.         // Two AclPermission may exist
  348.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  349.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  350.         // If both are null, exit
  351.         if ($aclPerm === null && $aclPermSociety === null)
  352.             return false;
  354.         // Get First one
  355.         if ($aclPerm !== null)
  356.         {
  357.             $acl $this->aclRepository->findOneBy(array(
  358.                 'function'        =>    $function,
  359.                 'permission'    =>    $aclPerm
  360.             ));
  361.             if ($acl !== null)
  362.             {
  363.                 if ($acl->getValue())
  364.                 {
  365.                     // A single positive answer is enough
  366.                     return true;
  367.                 }
  368.             }
  369.         }
  370.         // If we are here it means that nothing good has been found
  371.         // Load second permission
  372.         if ($aclPermSociety !== null)
  373.         {
  374.             $acl $this->aclRepository->findOneBy(array(
  375.                 'function'        =>    $function,
  376.                 'permission'    =>    $aclPermSociety
  377.             ));
  378.             if ($acl !== null)
  379.             {
  380.                 if ($acl->getValue())
  381.                 {
  382.                     // A single positive answer is enough
  383.                     // In this case the good answer will be provided by the checkSociety
  384.                     return $this->checkSociety($planningResource$user);
  385.                 }
  386.             }
  387.         }
  388.         // If we are here, all hope is lost
  389.         return false;
  390.     }
  392.     private function canEditAny(Access $userAccessFunction $function)
  393.     {
  394.         // Two AclPermission may exist
  395.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  396.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  397.         // If both are null, exit
  398.         if ($aclPerm === null && $aclPermSociety === null)
  399.             return false;
  401.         // Get First one
  402.         if ($aclPerm !== null)
  403.         {
  404.             $acl $this->aclRepository->findOneBy(array(
  405.                 'function'        =>    $function,
  406.                 'permission'    =>    $aclPerm
  407.             ));
  408.             if ($acl !== null)
  409.             {
  410.                 if ($acl->getValue())
  411.                 {
  412.                     // A single positive answer is enough
  413.                     return true;
  414.                 }
  415.             }
  416.         }
  417.         // If we are here it means that nothing good has been found
  418.         // Load second permission
  419.         if ($aclPermSociety !== null)
  420.         {
  421.             $acl $this->aclRepository->findOneBy(array(
  422.                 'function'        =>    $function,
  423.                 'permission'    =>    $aclPermSociety
  424.             ));
  425.             if ($acl !== null)
  426.             {
  427.                 if ($acl->getValue())
  428.                 {
  429.                     // A single positive answer is enough
  430.                     return true;
  431.                 }
  432.             }
  433.         }
  434.         // If we are here, all hope is lost
  435.         return false;
  436.     }
  437. }