src/Security/SupplierVoter.php line 73

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/SupplierVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Platform\Supplier;
  16. use App\Entity\Security\Acl;
  17. use App\Entity\Security\AclPermission;
  18. use App\Entity\SocietyGroup;
  19. use App\Services\Config\ModuleTools;
  21. class SupplierVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  25.     const IS_ACTIVE "supplier_is_active";
  27.     const ADD "add_supplier";
  29.     const LISTING "list_suppliers";
  30.     const LISTING_SOCIETY "list_suppliers_society";
  31.     const LISTING_ANY "list_suppliers_any";
  33.     const VIEW "view_supplier";
  34.     const EDIT "edit_supplier";
  36.     // Task plan.io #3879
  37.     const LINK_TO_HUMAN_RESOURCE "link_supplier_human_resource";
  39.     const IS_GRANTED_CONSTANTS = array(
  40.         self::IS_ACTIVE,
  41.         self::ADD,
  42.         self::LISTING,
  43.         self::LISTING_SOCIETY,
  44.         self::LISTING_ANY,
  45.         self::VIEW,
  46.         self::EDIT,
  47.         self::LINK_TO_HUMAN_RESOURCE,
  48.     );
  50.     //--------------------------------------------------------------------------------
  51.     // acl constants
  52.     const ACL_PERM_ADD "supplier_add";
  54.     const ACL_PERM_LISTING "supplier_list";
  55.     const ACL_PERM_LISTING_SOCIETY "supplier_list_society";
  57.     const ACL_PERM_VIEW "supplier_view";
  58.     const ACL_PERM_VIEW_SOCIETY "supplier_view_society";
  60.     const ACL_PERM_EDIT "supplier_edit";
  61.     const ACL_PERM_EDIT_SOCIETY "supplier_edit_society";
  63.     const ACL_PERM_LINK "supplier_link_human_resource";
  65.     //--------------------------------------------------------------------------------
  67.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  68.     {
  69.         $this->em $doctrine->getManager();
  70.         $this->moduleTools $moduleTools;
  72.         $this->aclRepository $this->em->getRepository(Acl::class);
  73.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  74.     }
  76.     // Plan.io Task #4453 [See AccessVoter for details]
  77.     public function supportsAttribute(string $attribute): bool
  78.     {
  79.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  80.     }
  81.     
  82.     protected function supports(string $attribute$subject null): bool
  83.     {
  84.         // if the attribute isn't one we support, return false
  85.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  86.         {
  87.             return false;
  88.         }
  90.         // only vote on Supplier objects inside this voter
  91.         if ($subject !== null && !$subject instanceof Supplier)
  92.         {
  93.             return false;
  94.         }
  96.         return true;
  97.     }
  99.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  100.     {
  101.         $user $token->getUser();
  103.         if (!$user instanceof Access)
  104.         {
  105.             // the user must be logged in; if not, deny access
  106.             return false;
  107.         }
  109.         // The user must have a function; if not deny access
  110.         $function $user->getFunction();
  111.         if ($function === null)        return false;
  113.         // Plan.io Task #3710 : Get current group
  114.         $currentGroup $user->getSocietyGroup();
  115.         if ($currentGroup === null)
  116.             return false;
  118.         // Module activated ?
  119.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_SUPPLIER))
  120.         {
  121.             return false;
  122.         }
  124.         // you know $subject is a Supplier object, thanks to supports
  125.         /** @var Supplier $supplier */
  126.         $supplier $subject;
  128.         // Check current group affectation
  129.         if ($subject !== null)
  130.         {
  131.             $subjectSociety $subject->getSociety();
  132.             if ($subjectSociety === null)
  133.                 return false;
  134.             $subjectGroup $subjectSociety->getGroup();
  135.             if ($subjectGroup === null)
  136.                 return false;
  137.             if (!$currentGroup->equals($subjectGroup))
  138.                 return false;
  139.         }
  141.         switch ($attribute)
  142.         {
  143.             case self::IS_ACTIVE:
  144.                 return true;
  146.             case self::ADD:
  147.                 return $this->canAdd($user$function);
  149.             case self::LISTING:
  150.                 return $this->canList($user$function);
  151.             case self::LISTING_SOCIETY:
  152.                 return $this->canListSociety($user$function);
  153.             case self::LISTING_ANY:
  154.                 return $this->canListAny($user$function);
  156.             case self::VIEW:
  157.                 return $this->canView($supplier$user$function);
  159.             case self::EDIT:
  160.                 return $this->canEdit($supplier$user$function);
  162.             case self::LINK_TO_HUMAN_RESOURCE:
  163.                 return $this->canLinkToHumanResource($currentGroup$user$function);
  164.         }
  166.         throw new \LogicException('This code should not be reached!');
  167.     }
  169.     // $access is the user trying to load the resource
  170.     // $supplier is the resource being loaded
  172.     // Check if the Society of the resource
  173.     // belongs to the societies of the $access
  174.     private function checkSociety(Supplier $supplierAccess $access)
  175.     {
  176.         // Get all the societies of the access
  177.         $societies $access->getSocieties();
  179.         // Get the Society of the Supplier
  180.         $supplierSociety $supplier->getSociety();
  182.         if ($supplierSociety === null)
  183.             return false;
  185.         $found false;
  186.         foreach ($societies as $society)
  187.         {
  188.             if ($society->getId() == $supplierSociety->getId())
  189.             {
  190.                 $found true;
  191.                 break;
  192.             }
  193.         }
  194.         return $found;
  195.     }
  197.     private function canAdd(Access $userAccessFunction $function)
  198.     {
  199.         // Get Acl_Permission
  200.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  201.         if ($aclPerm === null)        return false;
  203.         // Get Acl
  204.         $acl $this->aclRepository->findOneBy(array(
  205.             'function'        =>    $function,
  206.             'permission'    =>    $aclPerm
  207.         ));
  208.         if ($acl === null)        return false;
  210.         // Since only one acl type can exist
  211.         // we can return the result of the acl_permission
  212.         return $acl->getValue();
  213.     }
  215.     private function canList(Access $userAccessFunction $function)
  216.     {
  217.         // Get Acl_Permission
  218.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  219.         if ($aclPerm === null)        return false;
  221.         // Get Acl
  222.         $acl $this->aclRepository->findOneBy(array(
  223.             'function'        =>    $function,
  224.             'permission'    =>    $aclPerm
  225.         ));
  226.         if ($acl === null)        return false;
  228.         // Since only one acl type can exist
  229.         // we can return the result of the acl_permission
  230.         return $acl->getValue();
  231.     }
  233.     private function canListSociety(Access $userAccessFunction $function)
  234.     {
  235.         // Get Acl_Permission
  236.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  237.         if ($aclPerm === null)        return false;
  239.         // Get Acl
  240.         $acl $this->aclRepository->findOneBy(array(
  241.             'function'        =>    $function,
  242.             'permission'    =>    $aclPerm
  243.         ));
  244.         if ($acl === null)        return false;
  246.         // Since only one acl type can exist
  247.         // we can return the result of the acl_permission
  248.         // Further filtering is done in the Controller
  249.         return $acl->getValue();
  250.     }
  252.     private function canListAny(Access $userAccessFunction $function)
  253.     {
  254.         // Two Acl_Permission may exist
  255.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  256.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  258.         // If all are null, exit
  259.         if ($aclPerm === null && $aclPermSociety === null)
  260.             return false;
  262.         // Get First one
  263.         if ($aclPerm !== null)
  264.         {
  265.             $acl $this->aclRepository->findOneBy(array(
  266.                 'function'        =>    $function,
  267.                 'permission'    =>    $aclPerm
  268.             ));
  269.             if ($acl !== null)
  270.             {
  271.                 if ($acl->getValue())
  272.                 {
  273.                     // A single positive answer is enough
  274.                     return true;
  275.                 }
  276.             }
  277.         }
  278.         // If we are here it means that nothing good has been found
  279.         // Load second permission
  280.         if ($aclPermSociety !== null)
  281.         {
  282.             $acl $this->aclRepository->findOneBy(array(
  283.                 'function'        =>    $function,
  284.                 'permission'    =>    $aclPermSociety
  285.             ));
  286.             if ($acl !== null)
  287.             {
  288.                 if ($acl->getValue())
  289.                 {
  290.                     // A single positive answer is enough
  291.                     return true;
  292.                 }
  293.             }
  294.         }
  296.         // If we are here, all hope is lost
  297.         return false;
  298.     }
  300.     private function canView(Supplier $supplierAccess $userAccessFunction $function)
  301.     {
  302.         // Get Acl_Permissions
  303.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  304.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  306.         // If all are null, exit
  307.         if ($aclPerm === null && $aclPermSociety === null)
  308.             return false;
  310.         // Get First one
  311.         if ($aclPerm !== null)
  312.         {
  313.             $acl $this->aclRepository->findOneBy(array(
  314.                 'function'        =>    $function,
  315.                 'permission'    =>    $aclPerm
  316.             ));
  317.             if ($acl !== null)
  318.             {
  319.                 if ($acl->getValue())
  320.                 {
  321.                     // A single positive answer is enough
  322.                     return true;
  323.                 }
  324.             }
  325.         }
  327.         // If we are here it means that nothing good has been found
  328.         // Load second permission
  329.         if ($aclPermSociety !== null)
  330.         {
  331.             $acl $this->aclRepository->findOneBy(array(
  332.                 'function'        =>    $function,
  333.                 'permission'    =>    $aclPermSociety
  334.             ));
  335.             if ($acl !== null)
  336.             {
  337.                 if ($acl->getValue())
  338.                 {
  339.                     // A single positive answer is enough
  340.                     // In this case the good answer will be provided by the checkSociety
  341.                     return $this->checkSociety($supplier$user);
  342.                 }
  343.             }
  344.         }
  346.         // If we are here, all hope is lost
  347.         return false;
  348.     }
  350.     private function canEdit(Supplier $supplierAccess $userAccessFunction $function)
  351.     {
  352.         // Three Acl_Permission may exist
  353.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  354.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  356.         // If all are null, exit
  357.         if ($aclPerm === null && $aclPermSociety === null)
  358.             return false;
  362.         // Get First one
  363.         if ($aclPerm !== null)
  364.         {
  365.             $acl $this->aclRepository->findOneBy(array(
  366.                 'function'        =>    $function,
  367.                 'permission'    =>    $aclPerm
  368.             ));
  369.             if ($acl !== null)
  370.             {
  371.                 if ($acl->getValue())
  372.                 {
  373.                     // A single positive answer is enough
  374.                     return true;
  375.                 }
  376.             }
  377.         }
  378.         // If we are here it means that nothing good has been found
  379.         // Load second permission
  380.         if ($aclPermSociety !== null)
  381.         {
  382.             $acl $this->aclRepository->findOneBy(array(
  383.                 'function'        =>    $function,
  384.                 'permission'    =>    $aclPermSociety
  385.             ));
  386.             if ($acl !== null)
  387.             {
  388.                 if ($acl->getValue())
  389.                 {
  390.                     // A single positive answer is enough
  391.                     // In this case the good answer will be provided by the checkSociety
  392.                     return $this->checkSociety($supplier$user);
  393.                 }
  394.             }
  395.         }
  397.         // If we are here, all hope is lost
  398.         return false;
  399.     }
  401.     // Task plan.io #3879
  402.     private function canLinkToHumanResource(SocietyGroup $societyGroupAccess $userAccessFunction $function)
  403.     {
  404.         // Check module humanResource is active
  405.         if ($this->moduleTools->isInactiveByCode($societyGroupModule::MODULE_HUMAN_RESOURCE))
  406.         {
  407.             return false;
  408.         }
  410.         // Get Acl_Permission
  411.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LINK);
  412.         if ($aclPerm === null)        return false;
  414.         // Get Acl
  415.         $acl $this->aclRepository->findOneBy(array(
  416.             'function'        =>    $function,
  417.             'permission'    =>    $aclPerm
  418.         ));
  419.         if ($acl === null)        return false;
  421.         // Since only one acl type can exist
  422.         // we can return the result of the acl_permission
  423.         return $acl->getValue();
  424.     }
  425. }