src/Security/SocietyGroupInvoiceVoter.php line 21

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/SocietyGroupInvoiceVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Platform\Devis\Devis;
  16. use App\Entity\Platform\SocietyGroup\SocietyGroupInvoice;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclPermission;
  19. use App\Services\Config\ModuleTools;
  21. class SocietyGroupInvoiceVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  25.     const ADD "add_society_group_invoice";
  27.     const VIEW "view_society_group_invoice";
  28.     const VIEW_PDF "view_pdf_society_group_invoice";
  30.     const EDIT "edit_society_group_invoice";
  31.     const EDIT_RECEIVER_SOCIETY "edit_society_group_invoice_receiver_society";
  33.     // This one is tricky
  34.     // We don't actually care for permissions here
  35.     // We just want to know if there is anything to display
  36.     // If the SocietyGroup has no SocietyGroupInvoices, there is no need to even show the tab
  37.     const LIST = "list_society_group_invoices";
  39.     const IS_GRANTED_CONSTANTS = array(
  40.         self::ADD,
  42.         self::VIEW,
  43.         self::VIEW_PDF,
  45.         self::EDIT,
  46.         self::EDIT_RECEIVER_SOCIETY,
  48.         self::LIST,
  49.     );
  51.     //--------------------------------------------------------------------------------
  52.     // acl constants
  54.     const ACL_PERM_VIEW "society_group_invoice_view";
  55.     const ACL_PERM_VIEW_PDF "society_group_invoice_view_pdf";
  56.     const ACL_PERM_EDIT "society_group_invoice_edit";
  57.     const ACL_PERM_LIST "society_group_invoice_list";
  59.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  60.     {
  61.         $this->em $doctrine->getManager();
  62.         $this->moduleTools $moduleTools;
  64.         $this->aclRepository $this->em->getRepository(Acl::class);
  65.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  66.     }
  68.     // Plan.io Task #4453 [See AccessVoter for details]
  69.     public function supportsAttribute(string $attribute): bool
  70.     {
  71.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  72.     }
  73.     
  74.     protected function supports(string $attribute$subject null): bool
  75.     {
  76.         // if the attribute isn't one we support, return false
  77.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  78.         {
  79.             return false;
  80.         }
  82.         // Only vote on Invoice / Devis objects inside this voter
  83.         if ($subject !== null && !($subject instanceof SocietyGroupInvoice || $subject instanceof Devis))
  84.         {
  85.             return false;
  86.         }
  88.         return true;
  89.     }
  91.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  92.     {
  93.         $user $token->getUser();
  95.         if (!$user instanceof Access)
  96.         {
  97.             // the user must be logged in; if not, deny access
  98.             return false;
  99.         }
  101.         // The user must have a function; if not deny access
  102.         $function $user->getFunction();
  103.         if ($function === null)        return false;
  105.         // Plan.io Task #3710 : Get current group
  106.         $currentGroup $user->getSocietyGroup();
  107.         if ($currentGroup === null)
  108.             return false;
  110.         $this->currentGroup $currentGroup;
  112.         $this->devis null;
  113.         $this->invoice null;
  114.         $this->emitter null;
  115.         $this->receiver null;
  117.         if ($subject instanceof SocietyGroupInvoice)
  118.         {
  119.             $this->invoice $subject;
  120.             $this->emitter $subject->getEmitter();
  121.             $this->receiver $subject->getReceiver();
  123.             if ($this->emitter === null || $this->receiver === null)
  124.             {
  125.                 return false;
  126.             }
  127.         }
  129.         switch ($attribute)
  130.         {
  131.             // canAdd : subject is Devis
  132.             case self::ADD:
  133.                 return $this->canAdd($subject);
  135.             case self::LIST:
  136.                 return $this->canList($user$function);
  138.             // for all those below : subject is Invoice
  139.             case self::VIEW:
  140.                 return $this->canView($subject$user$function);
  141.             case self::VIEW_PDF:
  142.                 return $this->canViewPdf($subject$user$function);
  144.             case self::EDIT:
  145.                 return $this->canEdit($subject$user$function);
  146.             case self::EDIT_RECEIVER_SOCIETY:
  147.                 return $this->canEditReceiverSociety($subject$user$function);
  148.         }
  150.         throw new \LogicException('This code should not be reached!');
  151.     }
  153.     private function canAdd(Devis $devis)
  154.     {
  155.         // Deny for annulled and refused
  156.         if ($devis->isAnnulled() || $devis->isRefused())
  157.         {
  158.             return false;
  159.         }
  161.         // Only JCAF SocietyGroup can add a SocietyGroupInvoice for now
  162.         if ($this->currentGroup->isNotJcaf())
  163.         {
  164.             return false;
  165.         }
  167.         // Only for JCAF Devis with commission
  168.         // Plan.io Task #3229 Commissions
  169.         $mission $devis->getMission();
  170.         if ($mission === null)
  171.         {
  172.             return false;
  173.         }
  175.         // Deny actions on archivedRefused objects
  176.         if ($mission->isArchivedRefused())
  177.         {
  178.             return false;
  179.         }
  181.         // Only for JCAF Devis with commission
  182.         // Plan.io Task #3229 Commissions
  184.         // Restrictions on Devis
  185.         if ($devis !== null)
  186.         {
  187.             if ($devis->isNotJcaf())
  188.             {
  189.                 return false;
  190.             }
  191.             if (empty($devis->getShareCommission()))
  192.             {
  193.                 return false;
  194.             }
  195.         }
  197.         // Do we already have a SocietyGroupInvoice for this Devis ?
  198.         $invoice $this->em->getRepository(SocietyGroupInvoice::class)->findOneByDevis($devis);
  199.         if ($invoice !== null)
  200.         {
  201.             return false;
  202.         }
  204.         // Restrictions on Mission
  205.         if ($mission !== null)
  206.         {
  207.             if ($mission->getSocietyGroupAuthor() === null)
  208.             {
  209.                 return false;
  210.             }
  211.             if ($mission->getSocietyGroupAuthor()->isNotJcaf())
  212.             {
  213.                 return false;
  214.             }
  215.             if (empty($mission->getCommissionAmount()) && empty($mission->getCommissionPercentage()))
  216.             {
  217.                 return false;
  218.             }
  219.         }
  221.         // If we are here all went well
  222.         return true;
  223.     }
  225.     private function canList(Access $userAccessFunction $function)
  226.     {
  227.         // Always show tab for JCAF SocietyGroup
  228.         if ($this->currentGroup->isJcaf())
  229.         {
  230.             return true;
  231.         }
  233.         // if ($this->currentGroup->isNotJcaf())
  234.         // {
  235.         //     $sql = "SELECT COUNT(*) as nb
  236.         //             FROM society_group_invoice
  237.         //             WHERE society_group_invoice.receiver_society_group_id = ".$this->currentGroup->getId();
  238.         //     $stmt = $this->em->getConnection()->prepare($sql);
  239.         //     $stmt->execute();
  240.         //     $result = $stmt->fetch()['nb'];
  241.         //     if ($result < 1)
  242.         //     {
  243.         //         return false;
  244.         //     }
  245.         // }
  247.         // If the current society group is not JCAF
  248.         // only show the society_group_invoice tab if at least one invoice is available
  249.         // Test receiver
  250.         $invoice $this->em->getRepository(SocietyGroupInvoice::class)->findOneByReceiver($this->currentGroup);
  251.         if ($invoice === null)
  252.         {
  253.             // None available, die hard
  254.             return false;
  255.         }
  257.         // If we are here it means that we have at least one invoice to show
  258.         // Test permissions
  260.         // Get Acl_Permission
  261.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  262.         if ($aclPerm === null)        return false;
  264.         // Get Acl
  265.         $acl $this->aclRepository->findOneBy(array(
  266.             'function'        =>    $function,
  267.             'permission'    =>    $aclPerm
  268.         ));
  269.         if ($acl === null)        return false;
  271.         // Since only one acl type can exist
  272.         // we can return the result of the acl_permission
  273.         return $acl->getValue();
  275.         // All hope is lost
  276.         return false;
  277.     }
  279.     private function canView(SocietyGroupInvoice $invoiceAccess $userAccessFunction $function)
  280.     {
  281.         // Both emitter and receiver can view society group invoices
  282.         if (!($this->currentGroup->equals($this->emitter) || $this->currentGroup->equals($this->receiver)))
  283.         {
  284.             return false;
  285.         }
  287.         // Get Acl_Permission
  288.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  289.         if ($aclPerm === null)        return false;
  291.         // Get Acl
  292.         $acl $this->aclRepository->findOneBy(array(
  293.             'function'        =>    $function,
  294.             'permission'    =>    $aclPerm
  295.         ));
  296.         if ($acl === null)        return false;
  298.         // Since only one acl type can exist
  299.         // we can return the result of the acl_permission
  300.         return $acl->getValue();
  302.         // All hope is lost
  303.         return false;
  304.     }
  306.     private function canViewPdf(SocietyGroupInvoice $invoiceAccess $userAccessFunction $function)
  307.     {
  308.         // Both emitter and receiver can view society group invoices
  309.         if (!($this->currentGroup->equals($this->emitter) || $this->currentGroup->equals($this->receiver)))
  310.         {
  311.             return false;
  312.         }
  314.         // Get Acl_Permission
  315.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_PDF);
  316.         if ($aclPerm === null)        return false;
  318.         // Get Acl
  319.         $acl $this->aclRepository->findOneBy(array(
  320.             'function'        =>    $function,
  321.             'permission'    =>    $aclPerm
  322.         ));
  323.         if ($acl === null)        return false;
  325.         // Since only one acl type can exist
  326.         // we can return the result of the acl_permission
  327.         return $acl->getValue();
  329.         // All hope is lost
  330.         return false;
  331.     }
  333.     private function canEdit(SocietyGroupInvoice $invoiceAccess $userAccessFunction $function)
  334.     {
  335.         // Only the emitter of a SocietyGroupInvoice can edit it
  336.         // For now the emitter is always Jcaf ;)
  337.         if (!$this->currentGroup->equals($this->emitter))
  338.         {
  339.             return false;
  340.         }
  342.         // Plan.io Task #3229 Commissions
  343.         // Only JCAF SocietyGroup can edit a SocietyGroupInvoice for now
  344.         if ($this->currentGroup->isNotJcaf())
  345.         {
  346.             return false;
  347.         }
  349.         $mission $invoice->getMission();
  350.         if ($mission === null)
  351.         {
  352.             return false;
  353.         }
  355.         // Deny edit on archivedRefused objects
  356.         if ($mission->isArchivedRefused())
  357.         {
  358.             return false;
  359.         }
  361.         // No edditing on annulled invoices
  362.         if ($invoice->isAnnulled())
  363.         {
  364.             return false;
  365.         }
  367.         // No edditing on invoices that have been "annuled" (with credit)
  368.         // $credit = $this->em->getRepository('IcodPlatformBundle:Invoice')
  369.         //     ->findOneByCreditInvoice($invoice);
  370.         // if ($credit !== null)
  371.         //     return false;
  373.         // Get Acl_Permission
  374.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  375.         if ($aclPerm === null)        return false;
  377.         // Get Acl
  378.         $acl $this->aclRepository->findOneBy(array(
  379.             'function'        =>    $function,
  380.             'permission'    =>    $aclPerm
  381.         ));
  382.         if ($acl === null)        return false;
  384.         // Since only one acl type can exist
  385.         // we can return the result of the acl_permission
  386.         return $acl->getValue();
  388.         // All hope is lost
  389.         return false;
  390.     }
  392.     private function canEditReceiverSociety(SocietyGroupInvoice $invoiceAccess $userAccessFunction $function)
  393.     {
  394.         // Plan.io Task #3229 Commissions
  395.         // Only the receiver of a SocietyGroupInvoice can edit its receiver
  396.         if (!$this->currentGroup->equals($this->receiver))
  397.         {
  398.             return false;
  399.         }
  401.         $mission $invoice->getMission();
  402.         if ($mission === null)
  403.         {
  404.             return false;
  405.         }
  407.         // Deny edit on archivedRefused objects
  408.         if ($mission->isArchivedRefused())
  409.         {
  410.             return false;
  411.         }
  413.         // No edditing on annulled invoices
  414.         if ($invoice->isAnnulled())
  415.         {
  416.             return false;
  417.         }
  418.         // No edditing on invoices that have been "annuled" (with credit)
  419.         // $credit = $this->em->getRepository('IcodPlatformBundle:Invoice')
  420.         //     ->findOneByCreditInvoice($invoice);
  421.         // if ($credit !== null)
  422.         //     return false;
  424.         // Get Acl_Permission
  425.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  426.         if ($aclPerm === null)        return false;
  428.         // Get Acl
  429.         $acl $this->aclRepository->findOneBy(array(
  430.             'function'        =>    $function,
  431.             'permission'    =>    $aclPerm
  432.         ));
  433.         if ($acl === null)        return false;
  435.         // Since only one acl type can exist
  436.         // we can return the result of the acl_permission
  437.         return $acl->getValue();
  439.         // All hope is lost
  440.         return false;
  441.     }
  442. }