src/Security/ProspectVoter.php line 75

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/ProspectVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\Client\Client;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Security\Acl;
  17. use App\Entity\Security\AclPermission;
  18. use App\Services\Config\ModuleTools;
  20. class ProspectVoter extends Voter
  21. {
  22.     //--------------------------------------------------------------------------------
  23.     // is_granted constants
  24.     const IS_ACTIVE "prospect_is_active";
  26.     const ADD "add_prospect";
  28.     const LISTING "list_prospects";
  29.     const LISTING_SOCIETY "list_prospects_society";
  30.     const LISTING_MANAGER "list_prospects_manager";
  31.     const LISTING_ANY "list_prospects_any";
  33.     const VIEW "view_prospect";
  35.     const EDIT "edit_prospect";
  37.     const CONVERT "convert_prospect";
  39.     const IS_GRANTED_CONSTANTS = array(
  40.         self::IS_ACTIVE,
  41.         self::ADD,
  42.         self::LISTING,
  43.         self::LISTING_SOCIETY,
  44.         self::LISTING_MANAGER,
  45.         self::LISTING_ANY,
  46.         self::VIEW,
  47.         self::EDIT,
  48.         self::CONVERT,
  49.     );
  51.     //--------------------------------------------------------------------------------
  52.     // acl constants
  53.     const ACL_PERM_ADD "prospect_add";
  55.     const ACL_PERM_LISTING "prospect_list";
  56.     const ACL_PERM_LISTING_SOCIETY "prospect_list_society";
  57.     const ACL_PERM_LISTING_MANAGER "prospect_list_manager";
  59.     const ACL_PERM_VIEW "prospect_view";
  60.     const ACL_PERM_VIEW_SOCIETY "prospect_view_society";
  61.     const ACL_PERM_VIEW_MANAGER "prospect_view_manager";
  63.     const ACL_PERM_EDIT "prospect_edit";
  64.     const ACL_PERM_EDIT_SOCIETY "prospect_edit_society";
  65.     const ACL_PERM_EDIT_MANAGER "prospect_edit_manager";
  67.     const ACL_PERM_CONVERT "prospect_convert";
  68.     const ACL_PERM_CONVERT_SOCIETY "prospect_convert_society";
  69.     const ACL_PERM_CONVERT_MANAGER "prospect_convert_manager";
  71.     //--------------------------------------------------------------------------------
  73.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  74.     {
  75.         $this->em $doctrine->getManager();
  76.         $this->moduleTools $moduleTools;
  78.         $this->aclRepository $this->em->getRepository(Acl::class);
  79.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  80.     }
  82.     // Plan.io Task #4453 [See AccessVoter for details]
  83.     public function supportsAttribute(string $attribute): bool
  84.     {
  85.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  86.     }
  88.     protected function supports(string $attribute$subject null): bool
  89.     {
  90.         // if the attribute isn't one we support, return false
  91.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  92.         {
  93.             return false;
  94.         }
  96.         // only vote on Client objects inside this voter
  97.         if ($subject !== null && !$subject instanceof Client)
  98.         {
  99.             return false;
  100.         }
  102.         return true;
  103.     }
  105.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  106.     {
  107.         $user $token->getUser();
  109.         if (!$user instanceof Access)
  110.         {
  111.             // the user must be logged in; if not, deny access
  112.             return false;
  113.         }
  115.         // The user must have a function; if not deny access
  116.         $function $user->getFunction();
  117.         if ($function === null)        return false;
  119.         // Plan.io Task #3710 : Get current group
  120.         $currentGroup $user->getSocietyGroup();
  121.         if ($currentGroup === null)
  122.             return false;
  124.         // Module activated ?
  125.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_PROSPECT))
  126.         {
  127.             return false;
  128.         }
  130.         // you know $subject is a Client object, thanks to supports
  131.         /** @var Client $prospect */
  132.         $prospect $subject;
  134.         // Really a prospect ?
  135.         if ($prospect !== null && ($prospect->isNotProspect() && $prospect->isNotOldProspect()))
  136.         {
  137.             return false;
  138.         }
  140.         // Check current group affectation
  141.         if ($subject !== null)
  142.         {
  143.             $subjectSociety $subject->getSociety();
  144.             if ($subjectSociety === null)
  145.                 return false;
  146.             $subjectGroup $subjectSociety->getGroup();
  147.             if ($subjectGroup === null)
  148.                 return false;
  149.             if (!$currentGroup->equals($subjectGroup))
  150.                 return false;
  151.         }
  153.         switch ($attribute)
  154.         {
  155.             case self::IS_ACTIVE:
  156.                 return true;
  158.             case self::ADD:
  159.                 return $this->canAdd($user$function);
  161.             case self::LISTING:
  162.                 return $this->canList($user$function);
  163.             case self::LISTING_SOCIETY:
  164.                 return $this->canListSociety($user$function);
  165.             case self::LISTING_MANAGER:
  166.                 return $this->canListManager($user$function);
  167.             case self::LISTING_ANY:
  168.                 return $this->canListAny($user$function);
  170.             case self::VIEW:
  171.                 return $this->canView($prospect$user$function);
  173.             case self::EDIT:
  174.                 return $this->canEdit($prospect$user$function);
  176.             case self::CONVERT:
  177.                 return $this->canConvert($prospect$user$function);
  178.         }
  180.         throw new \LogicException('This code should not be reached!');
  181.     }
  183.     // $access is the user trying to load the resource
  184.     // $prospect is the resource being loaded
  186.     // Check if the Society of the resource
  187.     // belongs to the societies of the $access
  188.     private function checkSociety(Client $prospectAccess $access)
  189.     {
  190.         // Get all the societies of the access
  191.         $societies $access->getSocieties();
  193.         // Get the Society of the Prospect
  194.         if ($prospect->getIndividual() === null)
  195.         {
  196.             return false;
  197.         }
  199.         $prospectSociety $prospect->getIndividual()->getSociety();
  200.         if ($prospectSociety === null)
  201.             return false;
  203.         $found false;
  204.         foreach ($societies as $society)
  205.         {
  206.             if ($society->getId() == $prospectSociety->getId())
  207.             {
  208.                 $found true;
  209.                 break;
  210.             }
  211.         }
  212.         return $found;
  213.     }
  215.     // Check if the $access is the manager / author of the $client
  216.     private function checkManager(Client $prospectAccess $access)
  217.     {
  218.         if ($prospect->getIndividual() === null)
  219.         {
  220.             return false;
  221.         }
  222.         $individual $prospect->getIndividual();
  224.         // Get manager and author
  225.         $manager $individual->getManager();
  226.         $author $individual->getAuthor();
  228.         if ($manager === null && $author === null)
  229.             return false;
  231.         if ($manager !== null)
  232.             if ($manager->getId() === $access->getId())
  233.                 return true;
  235.         if ($author !== null)
  236.             if ($author->getId() === $access->getId())
  237.                 return true;
  239.         return false;
  240.     }
  242.     private function canAdd(Access $userAccessFunction $function)
  243.     {
  244.         // Get AclPermission
  245.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  246.         if ($aclPerm === null)        return false;
  248.         // Get Acl
  249.         $acl $this->aclRepository->findOneBy(array(
  250.             'function'        =>    $function,
  251.             'permission'    =>    $aclPerm
  252.         ));
  253.         if ($acl === null)        return false;
  255.         // Since only one acl type can exist
  256.         // we can return the result of the acl_permission
  257.         return $acl->getValue();
  258.     }
  260.     private function canList(Access $userAccessFunction $function)
  261.     {
  262.         // Get AclPermission
  263.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  264.         if ($aclPerm === null)        return false;
  266.         // Get Acl
  267.         $acl $this->aclRepository->findOneBy(array(
  268.             'function'        =>    $function,
  269.             'permission'    =>    $aclPerm
  270.         ));
  271.         if ($acl === null)        return false;
  273.         // Since only one acl type can exist
  274.         // we can return the result of the acl_permission
  275.         return $acl->getValue();
  276.     }
  278.     private function canListSociety(Access $userAccessFunction $function)
  279.     {
  280.         // Get AclPermission
  281.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  282.         if ($aclPerm === null)        return false;
  284.         // Get Acl
  285.         $acl $this->aclRepository->findOneBy(array(
  286.             'function'        =>    $function,
  287.             'permission'    =>    $aclPerm
  288.         ));
  289.         if ($acl === null)        return false;
  291.         // Since only one acl type can exist
  292.         // we can return the result of the acl_permission
  293.         // Further filtering is done in the Controller
  294.         return $acl->getValue();
  295.     }
  297.     private function canListManager(Access $userAccessFunction $function)
  298.     {
  299.         // Get AclPermission
  300.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  301.         if ($aclPerm === null)        return false;
  303.         // Get Acl
  304.         $acl $this->aclRepository->findOneBy(array(
  305.             'function'        =>    $function,
  306.             'permission'    =>    $aclPerm
  307.         ));
  308.         if ($acl === null)        return false;
  310.         // Since only one acl type can exist
  311.         // we can return the result of the acl_permission
  312.         // Further filtering is done in the Controller
  313.         return $acl->getValue();
  314.     }
  316.     private function canListAny(Access $userAccessFunction $function)
  317.     {
  318.         // Several AclPermission may exist
  319.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  320.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  321.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_MANAGER);
  323.         // If all are null, exit
  324.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  325.             return false;
  327.         // Get First one
  328.         if ($aclPerm !== null)
  329.         {
  330.             $acl $this->aclRepository->findOneBy(array(
  331.                 'function'        =>    $function,
  332.                 'permission'    =>    $aclPerm
  333.             ));
  334.             if ($acl !== null)
  335.             {
  336.                 if ($acl->getValue())
  337.                 {
  338.                     // A single positive answer is enough
  339.                     return true;
  340.                 }
  341.             }
  342.         }
  343.         // If we are here it means that nothing good has been found
  344.         // Load second permission
  345.         if ($aclPermSociety !== null)
  346.         {
  347.             $acl $this->aclRepository->findOneBy(array(
  348.                 'function'        =>    $function,
  349.                 'permission'    =>    $aclPermSociety
  350.             ));
  351.             if ($acl !== null)
  352.             {
  353.                 if ($acl->getValue())
  354.                 {
  355.                     // A single positive answer is enough
  356.                     return true;
  357.                 }
  358.             }
  359.         }
  360.         // If we are here it means that nothing good has been found
  361.         // Load third permission
  362.         if ($aclPermManager !== null)
  363.         {
  364.             $acl $this->aclRepository->findOneBy(array(
  365.                 'function'        =>    $function,
  366.                 'permission'    =>    $aclPermManager
  367.             ));
  368.             if ($acl !== null)
  369.             {
  370.                 if ($acl->getValue())
  371.                 {
  372.                     // A single positive answer is enough
  373.                     return true;
  374.                 }
  375.             }
  376.         }
  377.         // If we are here, all hope is lost
  378.         return false;
  379.     }
  381.     private function canView(Client $prospectAccess $userAccessFunction $function)
  382.     {
  383.         // Several AclPermission may exist
  384.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  385.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  386.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_MANAGER);
  388.         // If all are null, exit
  389.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  390.             return false;
  392.         // Get First one
  393.         if ($aclPerm !== null)
  394.         {
  395.             $acl $this->aclRepository->findOneBy(array(
  396.                 'function'        =>    $function,
  397.                 'permission'    =>    $aclPerm
  398.             ));
  399.             if ($acl !== null)
  400.             {
  401.                 if ($acl->getValue())
  402.                 {
  403.                     // A single positive answer is enough
  404.                     return true;
  405.                 }
  406.             }
  407.         }
  408.         // If we are here it means that nothing good has been found
  409.         // Load second permission
  410.         if ($aclPermSociety !== null)
  411.         {
  412.             $acl $this->aclRepository->findOneBy(array(
  413.                 'function'        =>    $function,
  414.                 'permission'    =>    $aclPermSociety
  415.             ));
  416.             if ($acl !== null)
  417.             {
  418.                 if ($acl->getValue())
  419.                 {
  420.                     // A single positive answer is enough
  421.                     // In this case the good answer will be provided by the checkSociety
  422.                     return $this->checkSociety($prospect$user);
  423.                 }
  424.             }
  425.         }
  426.         // If we are here it means that nothing good has been found
  427.         // Load third permission
  428.         if ($aclPermManager !== null)
  429.         {
  430.             $acl $this->aclRepository->findOneBy(array(
  431.                 'function'        =>    $function,
  432.                 'permission'    =>    $aclPermManager
  433.             ));
  434.             if ($acl !== null)
  435.             {
  436.                 if ($acl->getValue())
  437.                 {
  438.                     // A single positive answer is enough
  439.                     // In this case the good answer will be provided by the checkSociety
  440.                     return $this->checkManager($prospect$user);
  441.                 }
  442.             }
  443.         }
  444.         // If we are here, all hope is lost
  445.         return false;
  446.     }
  448.     private function canEdit(Client $prospectAccess $userAccessFunction $function)
  449.     {
  450.         // Deny for prospects who have been converted to clients
  451.         if ($prospect->isNotProspect())
  452.         {
  453.             return false;
  454.         }
  456.         // Several AclPermission may exist
  457.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  458.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  459.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_MANAGER);
  461.         // If all are null, exit
  462.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  463.             return false;
  465.         // Get First one
  466.         if ($aclPerm !== null)
  467.         {
  468.             $acl $this->aclRepository->findOneBy(array(
  469.                 'function'        =>    $function,
  470.                 'permission'    =>    $aclPerm
  471.             ));
  472.             if ($acl !== null)
  473.             {
  474.                 if ($acl->getValue())
  475.                 {
  476.                     // A single positive answer is enough
  477.                     return true;
  478.                 }
  479.             }
  480.         }
  481.         // If we are here it means that nothing good has been found
  482.         // Load second permission
  483.         if ($aclPermSociety !== null)
  484.         {
  485.             $acl $this->aclRepository->findOneBy(array(
  486.                 'function'        =>    $function,
  487.                 'permission'    =>    $aclPermSociety
  488.             ));
  489.             if ($acl !== null)
  490.             {
  491.                 if ($acl->getValue())
  492.                 {
  493.                     // A single positive answer is enough
  494.                     // In this case the good answer will be provided by the checkSociety
  495.                     return $this->checkSociety($prospect$user);
  496.                 }
  497.             }
  498.         }
  499.         // If we are here it means that nothing good has been found
  500.         // Load third permission
  501.         if ($aclPermManager !== null)
  502.         {
  503.             $acl $this->aclRepository->findOneBy(array(
  504.                 'function'        =>    $function,
  505.                 'permission'    =>    $aclPermManager
  506.             ));
  507.             if ($acl !== null)
  508.             {
  509.                 if ($acl->getValue())
  510.                 {
  511.                     // A single positive answer is enough
  512.                     // In this case the good answer will be provided by the checkSociety
  513.                     return $this->checkManager($prospect$user);
  514.                 }
  515.             }
  516.         }
  517.         // If we are here, all hope is lost
  518.         return false;
  519.     }
  521.     private function canConvert(Client $prospectAccess $userAccessFunction $function)
  522.     {
  523.         // Deny for prospects who have been converted to clients
  524.         if ($prospect->isNotProspect())
  525.         {
  526.             return false;
  527.         }
  529.         // Several AclPermission may exist
  530.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_CONVERT);
  531.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_CONVERT_SOCIETY);
  532.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_CONVERT_MANAGER);
  534.         // If all are null, exit
  535.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  536.             return false;
  538.         // Get First one
  539.         if ($aclPerm !== null)
  540.         {
  541.             $acl $this->aclRepository->findOneBy(array(
  542.                 'function'        =>    $function,
  543.                 'permission'    =>    $aclPerm
  544.             ));
  545.             if ($acl !== null)
  546.             {
  547.                 if ($acl->getValue())
  548.                 {
  549.                     // A single positive answer is enough
  550.                     return true;
  551.                 }
  552.             }
  553.         }
  554.         // If we are here it means that nothing good has been found
  555.         // Load second permission
  556.         if ($aclPermSociety !== null)
  557.         {
  558.             $acl $this->aclRepository->findOneBy(array(
  559.                 'function'        =>    $function,
  560.                 'permission'    =>    $aclPermSociety
  561.             ));
  562.             if ($acl !== null)
  563.             {
  564.                 if ($acl->getValue())
  565.                 {
  566.                     // A single positive answer is enough
  567.                     // In this case the good answer will be provided by the checkSociety
  568.                     return $this->checkSociety($prospect$user);
  569.                 }
  570.             }
  571.         }
  572.         // If we are here it means that nothing good has been found
  573.         // Load third permission
  574.         if ($aclPermManager !== null)
  575.         {
  576.             $acl $this->aclRepository->findOneBy(array(
  577.                 'function'        =>    $function,
  578.                 'permission'    =>    $aclPermManager
  579.             ));
  580.             if ($acl !== null)
  581.             {
  582.                 if ($acl->getValue())
  583.                 {
  584.                     // A single positive answer is enough
  585.                     // In this case the good answer will be provided by the checkSociety
  586.                     return $this->checkManager($prospect$user);
  587.                 }
  588.             }
  589.         }
  590.         // If we are here, all hope is lost
  591.         return false;
  592.     }
  593. }