src/Security/PunchOutVoter.php line 60

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/PunchOutVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Platform\Command\Command;
  16. use App\Entity\Security\Acl;
  17. use App\Entity\Security\AclPermission;
  18. use App\Services\Config\ModuleTools;
  20. class PunchOutVoter extends Voter
  21. {
  22.     //--------------------------------------------------------------------------------
  23.     // is_granted constants
  24.     const IS_ACTIVE "punchout_is_active";
  26.     const LIST_OWN "list_own_punchout_commands";
  28.     const APPROVE "approve_punchout_command";
  29.     const LIST_WAITING_VALIDATION "list_waiting_validation_punchout_commands";
  30.     const LIST_WAITING_VALIDATION_SOCIETY "list_waiting_validation_punchout_commands_society";
  31.     const LIST_WAITING_VALIDATION_ANY "list_waiting_validation_punchout_commands_any";
  33.     const DELETE "delete_punchout_command";
  35.     const IS_GRANTED_CONSTANTS = array(
  36.         self::IS_ACTIVE,
  37.         self::LIST_OWN,
  39.         self::APPROVE,
  40.         self::LIST_WAITING_VALIDATION,
  41.         self::LIST_WAITING_VALIDATION_SOCIETY,
  42.         self::LIST_WAITING_VALIDATION_ANY,
  44.         self::DELETE,
  45.     );
  47.     //--------------------------------------------------------------------------------
  48.     // acl constants
  50.     const ACL_PERM_DELETE_PUNCHOUT "punchout_command_delete";
  51.     const ACL_PERM_DELETE_PUNCHOUT_SOCIETY "punchout_command_delete_society";
  52.     const ACL_PERM_DELETE_PUNCHOUT_MANAGER "punchout_command_delete_manager";
  53.     const ACL_PERM_APPROVE_PUNCHOUT "punchout_command_approve";
  54.     const ACL_PERM_APPROVE_PUNCHOUT_SOCIETY "punchout_command_approve_society";
  56.     //--------------------------------------------------------------------------------
  58.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  59.     {
  60.         $this->em $doctrine->getManager();
  61.         $this->moduleTools $moduleTools;
  63.         $this->aclRepository $this->em->getRepository(Acl::class);
  64.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  65.     }
  67.     // Plan.io Task #4453 [See AccessVoter for details]
  68.     public function supportsAttribute(string $attribute): bool
  69.     {
  70.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  71.     }
  72.     
  73.     protected function supports(string $attribute$subject null): bool
  74.     {
  75.         // if the attribute isn't one we support, return false
  76.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  77.         {
  78.             return false;
  79.         }
  81.         // only vote on Command objects inside this voter
  82.         if ($subject !== null && !$subject instanceof Command)
  83.         {
  84.             return false;
  85.         }
  87.         return true;
  88.     }
  90.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  91.     {
  92.         $user $token->getUser();
  94.         if (!$user instanceof Access)
  95.         {
  96.             // the user must be logged in; if not, deny access
  97.             return false;
  98.         }
  100.         // The user must have a function; if not deny access
  101.         $function $user->getFunction();
  102.         if ($function === null)        return false;
  104.         // Plan.io Task #3710 : Get current group
  105.         $currentGroup $user->getSocietyGroup();
  106.         if ($currentGroup === null)
  107.             return false;
  109.         // Module activated ?
  110.         if ($attribute != self::LIST_OWN)
  111.         {
  112.             // Make an Exception for list own
  113.             if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_PUNCHOUT))
  114.             {
  115.                 return false;
  116.             }
  117.         }
  119.         // you know $subject is a Command object, thanks to supports
  120.         /** @var Command $command */
  121.         $command $subject;
  123.         // This Voter is for PunchOut Commands only
  124.         if ($command !== null)
  125.         {
  126.             if ($command->isNotPunchOut())
  127.             {
  128.                 return false;
  129.             }
  130.         }
  132.         // Check current group affectation
  133.         if ($subject !== null)
  134.         {
  135.             $subjectSociety $subject->getSociety();
  136.             if ($subjectSociety === null)
  137.                 return false;
  138.             $subjectGroup $subjectSociety->getGroup();
  139.             if ($subjectGroup === null)
  140.                 return false;
  141.             if (!$currentGroup->equals($subjectGroup))
  142.                 return false;
  143.         }
  145.         switch ($attribute)
  146.         {
  147.             // Check is done before, in the voteOnAttribute
  148.             case self::IS_ACTIVE:
  149.                 return true;
  151.             case self::LIST_OWN:
  152.                 return $this->canListOwn($user$function);
  154.             case self::LIST_WAITING_VALIDATION:
  155.                 return $this->canListWaitingValidation($user$function);
  157.             case self::LIST_WAITING_VALIDATION_SOCIETY:
  158.                 return $this->canListWaitingValidationSociety($user$function);
  160.             case self::LIST_WAITING_VALIDATION_ANY:
  161.                 return $this->canListWaitingValidationAny($user$function);
  163.             case self::APPROVE:
  164.                 return $this->canApprove($command$user$function);
  166.             case self::DELETE:
  167.                 return $this->canDelete($command$user$function);
  168.         }
  170.         throw new \LogicException('This code should not be reached!');
  171.     }
  173.     // $access is the user trying to load the resource
  174.     // $command is the resource being loaded
  176.     // Check if the Society of the resource
  177.     // belongs to the societies of the $access
  178.     private function checkSociety(Command $commandAccess $access)
  179.     {
  180.         // Get all the societies of the access
  181.         $societies $access->getSocieties();
  183.         // Get the Society of the Command
  184.         $commandSociety $command->getSociety();
  186.         if ($commandSociety === null)
  187.             return false;
  189.         $found false;
  190.         foreach ($societies as $society)
  191.         {
  192.             if ($society->getId() == $commandSociety->getId())
  193.             {
  194.                 $found true;
  195.                 break;
  196.             }
  197.         }
  198.         return $found;
  199.     }
  201.     // Check if the $access is the manager / author of the $command
  202.     private function checkManager(Command $commandAccess $access)
  203.     {
  204.         // Get manager
  205.         $manager $command->getManager();
  206.         $author $command->getAuthor();
  207.         $accessCommand $command->getAccess();
  209.         if ($manager === null && $author === null)
  210.             return false;
  212.         if ($manager !== null)
  213.             if ($manager->getId() === $access->getId())
  214.                 return true;
  216.         if ($author !== null)
  217.             if ($author->getId() === $access->getId())
  218.                 return true;
  220.         if ($accessCommand !== null)
  221.             if ($accessCommand->getId() === $access->getId())
  222.                 return true;
  224.         return false;
  225.     }
  227.     private function canListOwn(Access $userAccessFunction $function)
  228.     {
  229.         // $this->denyAccessUnlessGranted('punchout_is_active');
  230.         // Actually no ... display the list in the following cases
  231.         //        - module is active
  232.         //        - module is inactive, but the user has at least one PunchOutCommand
  234.         $userSocietyGroup $user->getSocietyGroup();
  235.         $nbPunchOutCommands intval($this->em->getRepository(Command::class)->countPunchOutForAuthor($userSocietyGroup$user));
  236.         if ($nbPunchOutCommands 0)
  237.         {
  238.             // If the user has at least one PunchOutCommand
  239.             // the list should be available
  240.             return true;
  241.         }
  242.         // If we are here it means that the user has no PunchOutCommands
  243.         // Decide access based on module activation
  244.         if ($this->moduleTools->isActiveByCode($userSocietyGroupModule::MODULE_PUNCHOUT))
  245.         {
  246.             return true;
  247.         }
  249.         // All hope is lost
  250.         return false;
  251.     }
  253.     private function canDelete(Command $commandAccess $userAccessFunction $function)
  254.     {
  255.         // Deny on all punchOut Commands that have already beed sent to the Supplier
  256.         if ($command->hasBeenSentToPunchOutSupplier())
  257.         {
  258.             return false;
  259.         }
  261.         // Allow Authors to delete their own commands
  262.         $author $command->getAuthor();
  263.         if ($user->equals($author))
  264.         {
  265.             return true;
  266.         }
  268.         // Three Acl_Permission may exist
  269.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_PUNCHOUT);
  270.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_PUNCHOUT_SOCIETY);
  271.         $aclPermManager $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_PUNCHOUT_MANAGER);
  273.         // If all are null, exit
  274.         if ($aclPerm === null && $aclPermSociety === null && $aclPermManager === null)
  275.             return false;
  277.         // Get First one
  278.         if ($aclPerm !== null)
  279.         {
  280.             $acl $this->aclRepository->findOneBy(array(
  281.                 'function'        =>    $function,
  282.                 'permission'    =>    $aclPerm
  283.             ));
  284.             if ($acl !== null)
  285.             {
  286.                 if ($acl->getValue())
  287.                 {
  288.                     // A single positive answer is enough
  289.                     return true;
  290.                 }
  291.             }
  292.         }
  293.         // If we are here it means that nothing good has been found
  294.         // Load second permission
  295.         if ($aclPermSociety !== null)
  296.         {
  297.             $acl $this->aclRepository->findOneBy(array(
  298.                 'function'        =>    $function,
  299.                 'permission'    =>    $aclPermSociety
  300.             ));
  301.             if ($acl !== null)
  302.             {
  303.                 if ($acl->getValue())
  304.                 {
  305.                     // A single positive answer is enough
  306.                     // In this case the good answer will be provided by the checkSociety
  307.                     return $this->checkSociety($command$user);
  308.                 }
  309.             }
  310.         }
  311.         // If we are here it means that nothing good has been found
  312.         // Load third permission
  313.         if ($aclPermManager !== null)
  314.         {
  315.             $acl $this->aclRepository->findOneBy(array(
  316.                 'function'        =>    $function,
  317.                 'permission'    =>    $aclPermManager
  318.             ));
  319.             if ($acl !== null)
  320.             {
  321.                 if ($acl->getValue())
  322.                 {
  323.                     // A single positive answer is enough
  324.                     // In this case the good answer will be provided by the checkOwn
  325.                     return $this->checkManager($command$user);
  326.                 }
  327.             }
  328.         }
  329.         // If we are here, all hope is lost
  330.         return false;
  331.     }
  333.     // Plan.io task #4261
  334.     public function canApprove(Command $commandAccess $userAccessFunction $function)
  335.     {
  336.         // Authorize approve only if command is waiting validation
  337.         if (!$command->isPunchOutValidation())
  338.         {
  339.             return false;
  340.         }
  342.         // Two Acl_Permission may exist
  343.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE_PUNCHOUT);
  344.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE_PUNCHOUT_SOCIETY);
  346.         // If all are null, exit
  347.         if ($aclPerm === null && $aclPermSociety === null)
  348.             return false;
  350.         // Get First one
  351.         if ($aclPerm !== null)
  352.         {
  353.             $acl $this->aclRepository->findOneBy(array(
  354.                 'function'        =>    $function,
  355.                 'permission'    =>    $aclPerm
  356.             ));
  357.             if ($acl !== null)
  358.             {
  359.                 if ($acl->getValue())
  360.                 {
  361.                     // A single positive answer is enough
  362.                     return true;
  363.                 }
  364.             }
  365.         }
  366.         // If we are here it means that nothing good has been found
  367.         // Load second permission
  368.         if ($aclPermSociety !== null)
  369.         {
  370.             $acl $this->aclRepository->findOneBy(array(
  371.                 'function'        =>    $function,
  372.                 'permission'    =>    $aclPermSociety
  373.             ));
  374.             if ($acl !== null)
  375.             {
  376.                 if ($acl->getValue())
  377.                 {
  378.                     // A single positive answer is enough
  379.                     // In this case the good answer will be provided by the checkSociety
  380.                     return $this->checkSociety($command$user);
  381.                 }
  382.             }
  383.         }
  385.         // If we are here, all hope is lost
  386.         return false;
  387.     }
  389.     // Plan.io task #4261
  390.     public function canListWaitingValidationAny(Access $userAccessFunction $function)
  391.     {
  392.         $canListWaitingValidation $this->canListWaitingValidation($user$function);
  393.         if ($canListWaitingValidation)
  394.         {
  395.             // Access granted
  396.             return true;
  397.         }
  399.         $canListWaitingValidationSociety $this->canListWaitingValidationSociety($user$function);
  400.         if ($canListWaitingValidationSociety)
  401.         {
  402.             // Access granted
  403.             return true;
  404.         }
  406.         // If we are here, all hope is lost
  407.         return false;
  408.     }
  410.     // Plan.io task #4261
  411.     public function canListWaitingValidation(Access $userAccessFunction $function)
  412.     {
  413.         // Get Acl_Permission
  414.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE_PUNCHOUT);
  415.         if ($aclPerm === null)        return false;
  417.         // Get Acl
  418.         $acl $this->aclRepository->findOneBy(array(
  419.             'function'        =>    $function,
  420.             'permission'    =>    $aclPerm
  421.         ));
  422.         if ($acl === null)        return false;
  424.         // Since only one acl type can exist
  425.         // we can return the result of the acl_permission
  426.         // Further filtering is done in the Controller
  427.         return $acl->getValue();
  428.     }
  430.     // Plan.io task #4261
  431.     public function canListWaitingValidationSociety(Access $userAccessFunction $function)
  432.     {
  433.         // Get Acl_Permission
  434.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_APPROVE_PUNCHOUT_SOCIETY);
  435.         if ($aclPerm === null)        return false;
  437.         // Get Acl
  438.         $acl $this->aclRepository->findOneBy(array(
  439.             'function'        =>    $function,
  440.             'permission'    =>    $aclPerm
  441.         ));
  442.         if ($acl === null)        return false;
  444.         // Since only one acl type can exist
  445.         // we can return the result of the acl_permission
  446.         // Further filtering is done in the Controller
  447.         return $acl->getValue();
  448.     }
  449. }