src/Security/ProjectManagerVoter.php line 64

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/ProjectManagerVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Doctrine\Persistence\ManagerRegistry;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  10. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use App\Entity\Access;
  13. use App\Entity\APIRest\AccessAPI;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Mission\Mission;
  17. use App\Entity\ProjectManager\Blueprint;
  18. use App\Entity\ProjectManager\BlueprintPdf;
  19. use App\Entity\ProjectManager\ProjectNotebook;
  20. use App\Entity\Security\Acl;
  21. use App\Entity\Security\AclPermission;
  23. use App\Services\Config\ModuleTools;
  25. class ProjectManagerVoter extends Voter
  26. {
  27.     const IS_ACTIVE "project_manager_is_active";    
  28.     const CAN_ACCESS "can_access_project_manager";
  29.     const LIST = "list_project_manager_notebooks";
  30.     
  31.     const VIEW_PDF_CLIENT "view_project_manager_notebook_pdf_client";
  32.     const VIEW_PDF_IKEA "view_project_manager_notebook_pdf_ikea";
  33.     const VIEW_PDF_INSTALLER "view_project_manager_notebook_pdf_installer";    
  34.     
  35.     const DELETE "delete_project_manager_notebook";
  36.     
  37.     // Same as CAN_ACCESS if mission !== null
  38.     // If mission === null checks isGranted('rekapp_admin')
  39.     const DELETE_KP "delete_kitchen_planner_project";
  41.     const IS_GRANTED_CONSTANTS = array(
  42.         self::IS_ACTIVE,
  43.         self::CAN_ACCESS,    
  45.         self::VIEW_PDF_CLIENT,        
  46.         self::VIEW_PDF_IKEA,        
  47.         self::VIEW_PDF_INSTALLER,                
  48.         
  49.         self::LIST,        
  50.         self::DELETE,        
  51.         self::DELETE_KP,        
  52.     );
  54.     //--------------------------------------------------------------------------------
  55.     // acl constants
  56.     //--------------------------------------------------------------------------------
  57.     const ACL_PERM_CAN_ACCESS "project_manager_can_access";
  58.     const ACL_PERM_LIST "project_manager_notebook_list";
  59.     
  60.     const ACL_PERM_VIEW_PDF_CLIENT "project_manager_notebook_view_pdf_client";
  61.     const ACL_PERM_VIEW_PDF_IKEA "project_manager_notebook_view_pdf_ikea";
  62.     const ACL_PERM_VIEW_PDF_INSTALLER "project_manager_notebook_view_pdf_installer";    
  64.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrine,
  65.         ModuleTools $moduleTools)
  66.     {
  67.         $this->accessDecisionManager $accessDecisionManager;
  68.         $this->em $doctrine->getManager();
  69.         $this->moduleTools $moduleTools;
  71.         $this->aclRepository $this->em->getRepository(Acl::class);
  72.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  73.     }
  75.     // Plan.io Task #4453 [See AccessVoter for details]
  76.     public function supportsAttribute(string $attribute): bool
  77.     {
  78.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  79.     }
  81.     protected function supports(string $attribute$subject): bool
  82.     {
  83.         // if the attribute isn't one we support, return false
  84.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  85.         {
  86.             return false;
  87.         }
  89.         // only vote on Mission|ProjectNotebook objects inside this voter
  90.         if ($subject !== null && !$subject instanceof Mission && !$subject instanceof ProjectNotebook)
  91.         {
  92.             return false;
  93.         }
  95.         return true;
  96.     }
  98.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  99.     {
  100.         $user $token->getUser();
  102.         $originalUserIsAccess true;
  104.         // Plan.io Task #3707
  105.         if ($user instanceof AccessAPI)
  106.         {
  107.             if ($user->getAccess() === null)
  108.             {
  109.                 return false;
  110.             }
  111.             $user $user->getAccess();
  112.             $originalUserIsAccess false;
  113.         }
  115.         // Plan.io Task #3707
  116.         // At this point $user is an object of Access type
  117.         // even if the $token->getUser() is AccessAPI
  118.         if (!$user instanceof Access)
  119.         {
  120.             // the user must be logged in; if not, deny access
  121.             return false;
  122.         }
  124.         // The user must have a function; if not deny access
  125.         $function $user->getFunction();
  126.         if ($function === null)        return false;
  128.         // Plan.io Task #3710 : Get current group
  129.         $currentGroup $user->getSocietyGroup();
  130.         if ($currentGroup === null)
  131.             return false;
  133.         $this->currentGroup $currentGroup;
  135.         // Module activated ?
  136.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_PROJECT_MANAGER))
  137.         {
  138.             return false;
  139.         }        
  141.         $mission null;
  142.         $notebook null;
  143.         $subjectGroup null;
  145.         if ($subject !== null)
  146.         {
  147.             if ($subject instanceof Mission)
  148.             {
  149.                 $mission $subject;
  150.                 $notebook $mission->getProjectNotebook();
  151.                 $subjectGroup $mission->getSocietyGroupAuthor();
  152.             }
  153.             elseif ($subject instanceof ProjectNotebook)
  154.             {
  155.                 $mission $subject->getMission();
  156.                 $notebook $subject;
  157.                 $subjectGroup $notebook->getSocietyGroup();
  158.             }
  159.         }
  161.         // Deny for shared missions for now
  162.         if ($mission !== null && $mission->isShared())
  163.         {
  164.             return false;
  165.         }
  167.         // Check current group affectation
  168.         if ($subjectGroup !== null)
  169.         {            
  170.             if (!$currentGroup->equals($subjectGroup))
  171.             {
  172.                 return false;
  173.             }
  174.         }        
  176.         switch ($attribute)
  177.         {
  178.             case self::IS_ACTIVE:
  179.                 return true;
  181.             case self::CAN_ACCESS:
  182.                 return $this->canAccess($mission$user$function);
  184.             case self::LIST:
  185.                 return $this->canList($user$function);
  187.             case self::VIEW_PDF_CLIENT:
  188.             {
  189.                 if ($mission === null || $notebook === null)
  190.                 {
  191.                     return false;
  192.                 }
  193.                 return $this->canViewPdf($mission$notebook$user$function$tokenBlueprintPdf::pdf_type_client);
  194.             }
  196.             case self::VIEW_PDF_IKEA:
  197.             {
  198.                 if ($mission === null || $notebook === null)
  199.                 {
  200.                     return false;
  201.                 }
  202.                 return $this->canViewPdf($mission$notebook$user$function$tokenBlueprintPdf::pdf_type_ikea);
  203.             }
  204.             
  205.             case self::VIEW_PDF_INSTALLER:
  206.             {
  207.                 if ($mission === null || $notebook === null)
  208.                 {
  209.                     return false;
  210.                 }
  211.                 return $this->canViewPdf($mission$notebook$user$function$tokenBlueprintPdf::pdf_type_installer);
  212.             }
  213.             
  214.             case self::DELETE:
  215.                 return $this->canDelete($token);
  216.             
  217.             case self::DELETE_KP:
  218.                 return $this->canDeleteKp($mission$user$function$token);
  219.         }
  221.         throw new \LogicException('This code should not be reached!');
  222.     }
  224.     private function canAccess(?Mission $missionAccess $userAccessFunction $function)
  225.     {
  226.         if ($mission === null)
  227.         {
  228.             // This should not happen
  229.             return false;
  230.         }        
  232.         // Get AclPermission
  233.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_CAN_ACCESS);
  234.         if ($aclPerm === null)        return false;
  236.         // Get Acl
  237.         $acl $this->aclRepository->findOneBy(array(
  238.             'function'        =>    $function,
  239.             'permission'    =>    $aclPerm
  240.         ));
  241.         if ($acl === null)        return false;
  243.         // Since only one acl type can exist
  244.         // we can return the result of the acl_permission
  245.         return $acl->getValue();
  246.         
  247.         // If we are here, all hope is lost
  248.         return false;
  249.     }
  251.     private function canList(Access $userAccessFunction $function)
  252.     {
  253.         // Get AclPermission
  254.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  255.         if ($aclPerm === null)        return false;
  257.         // Get Acl
  258.         $acl $this->aclRepository->findOneBy(array(
  259.             'function'        =>    $function,
  260.             'permission'    =>    $aclPerm
  261.         ));
  262.         if ($acl === null)        return false;
  264.         // Since only one acl type can exist
  265.         // we can return the result of the acl_permission
  266.         return $acl->getValue();
  267.         
  268.         // If we are here, all hope is lost
  269.         return false;
  270.     }
  272.     private function canViewPdf(Mission $missionProjectNotebook $projectNotebookAccess $userAccessFunction $function$token$type)
  273.     {
  274.         // If the user can access the ProjectManager => It can view the PDFs
  275.         if ($this->canAccess($mission$user$function))
  276.         {
  277.             return true;
  278.         }
  279.         // If the user can access the Mission => It can view the PDFs
  280.         $mission $projectNotebook->getMission();
  281.         if ($this->accessDecisionManager->decide($token, ['view_mission'], $mission))
  282.         {
  283.             return true;
  284.         }
  286.         // Load correct permission based on type
  287.         switch ($type) {
  288.             case BlueprintPdf::pdf_type_client:
  289.                 $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_CLIENT);
  290.                 break;
  291.             case BlueprintPdf::pdf_type_ikea:
  292.                 $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_IKEA);
  293.                 break;
  294.             case BlueprintPdf::pdf_type_installer:
  295.                 $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF_INSTALLER);
  296.                 break;
  297.             
  298.             default:
  299.                 return false;
  300.                 break;
  301.         }    
  302.         
  303.         // If all are null, exit
  304.         if ($aclPerm === null)
  305.             return false;
  307.         // Get First one
  308.         if ($aclPerm !== null)
  309.         {
  310.             $acl $this->aclRepository->findOneBy(array(
  311.                 'function'        =>    $function,
  312.                 'permission'    =>    $aclPerm
  313.             ));
  314.             if ($acl !== null)
  315.             {
  316.                 if ($acl->getValue())
  317.                 {
  318.                     // A single positive answer is enough
  319.                     return true;
  320.                 }
  321.             }
  322.         }
  323.         // If we are here, all hope is lost
  324.         return false;
  325.     }
  327.     private function canDelete($token)
  328.     {
  329.         return $this->accessDecisionManager->decide($token, ['rekapp_admin']);
  330.     }
  332.     private function canDeleteKp(?Mission $missionAccess $userAccessFunction $function$token)
  333.     {
  334.         if ($mission === null)
  335.         {
  336.             // This should not happen
  337.             return $this->accessDecisionManager->decide($token, ['rekapp_admin']);
  338.         }
  339.         
  340.         return $this->canAccess($mission$user$function);
  341.     }
  342. }