Symfony Profiler

<?php
//------------------------------------------------------------------------------
// src/Security/TaskVoter.php
//------------------------------------------------------------------------------
namespace App\Security;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Doctrine\Persistence\ManagerRegistry;
use App\Entity\Access;
use App\Entity\APIRest\AccessAPI;
use App\Entity\Config\Config;
use App\Entity\Config\Module;
use App\Entity\HR\AccessFunction;
use App\Entity\Planning\Task;
use App\Entity\Platform\Society;
use App\Entity\Mission\Mission;
use App\Entity\Security\Acl;
use App\Entity\Security\AclPermission;
use App\Entity\Security\AclPlanning;
use App\Services\LogTools;
use App\Services\Config\ModuleTools;
class TaskVoter extends Voter
{
//--------------------------------------------------------------------------------
// is_granted constants
const ADD = "add_task";
const VIEW = "view_task";
const EDIT = "edit_task";
const DELETE = "delete_task";
// There are used to set default permissions in the custom tables
// Plan.io Task #4089
const DECIDE_ADD_TYPE = "add_task_type";
const DECIDE_VIEW_TYPE_ALL = "view_task_type_all";
const DECIDE_VIEW_TYPE_SOCIETY = "view_task_type_society";
const DECIDE_VIEW_TYPE_OWN = "view_task_type_own";
const DECIDE_EDIT_TYPE_ALL = "edit_task_type_all";
const DECIDE_EDIT_TYPE_SOCIETY = "edit_task_type_society";
const DECIDE_EDIT_TYPE_OWN = "edit_task_type_own";
const DECIDE_DELETE_TYPE_ALL = "delete_task_type_all";
const DECIDE_DELETE_TYPE_SOCIETY = "delete_task_type_society";
const DECIDE_DELETE_TYPE_OWN = "delete_task_type_own";
// Plan.io Task #3534
const LISTING = "list_tasks";
const IS_GRANTED_CONSTANTS = array(
self::ADD,
self::VIEW,
self::EDIT,
self::DELETE,
self::LISTING,
self::DECIDE_ADD_TYPE,
self::DECIDE_VIEW_TYPE_ALL,
self::DECIDE_VIEW_TYPE_SOCIETY,
self::DECIDE_VIEW_TYPE_OWN,
self::DECIDE_EDIT_TYPE_ALL,
self::DECIDE_EDIT_TYPE_SOCIETY,
self::DECIDE_EDIT_TYPE_OWN,
self::DECIDE_DELETE_TYPE_ALL,
self::DECIDE_DELETE_TYPE_SOCIETY,
self::DECIDE_DELETE_TYPE_OWN,
);
//--------------------------------------------------------------------------------
// acl constants
const ACL_PERM_ADD = "task_add";
const ACL_PERM_VIEW = "task_view";
const ACL_PERM_VIEW_SOCIETY = "task_view_society";
const ACL_PERM_VIEW_OWN = "task_view_own";
const ACL_PERM_EDIT = "task_edit";
const ACL_PERM_EDIT_SOCIETY = "task_edit_society";
const ACL_PERM_EDIT_OWN = "task_edit_own";
const ACL_PERM_DELETE = "task_delete";
const ACL_PERM_DELETE_SOCIETY = "task_delete_society";
const ACL_PERM_DELETE_OWN = "task_delete_own";
//--------------------------------------------------------------------------------
public function __construct(AccessDecisionManagerInterface $accessDecisionManager, ManagerRegistry $doctrine, ModuleTools $moduleTools, LogTools $logTools)
{
$this->accessDecisionManager = $accessDecisionManager;
$this->em = $doctrine->getManager();
$this->moduleTools = $moduleTools;
$this->logTools = $logTools;
$this->aclRepository = $this->em->getRepository(Acl::class);
$this->aclPermissionRepository = $this->em->getRepository(AclPermission::class);
$this->aclPlanningRepository = $this->em->getRepository(AclPlanning::class);
}
// Plan.io Task #4453 [See AccessVoter for details]
public function supportsAttribute(string $attribute): bool
{
return in_array($attribute, self::IS_GRANTED_CONSTANTS, true);
}
protected function getAclPlanning($task, Access $access)
{
// Get the Society from the Task
if ($task !== null)
{
$society = $task->getSociety();
}
else
{
// Exception : Add mode
// For now ADD is global for all the Societies of the Access
$society = $access->getSociety();
}
if ($society === null)
{
return null;
}
$permission = $this->aclPlanningRepository->findOneBy(array(
'access' => $access,
'society' => $society,
));
return $permission;
}
// This is global to view and view_own
protected function checkViewConditions(Task $task, Access $access)
{
$mission = $task->getMission();
$viewerSocietyGroup = $access->getSocietyGroup();
// First of all, check if this is a SharedTask viewed from the Emitter.Side
// Plan.io Task #4024 #4091
// $currentGroup is the one trying to access the Task
if ($task->isSharedBy($viewerSocietyGroup))
{
if ($mission !== null)
{
// Task is shared by $currentGroup and has a Mission
// So the $currentGroup can view the Task
return true;
}
// Task is shared by $currentGroup and has no Mission
// This should be redirected to edit_shared
return false;
}
// All view conditions have been met
return true;
}
// This is global to edit and edit_own
protected function checkEditConditions(Task $task, Access $access)
{
// Deny edit on archivedRefused objects
$isArchivedRefused = $task->isArchivedRefused();
if ($isArchivedRefused)
{
return false;
}
// Task plan.io #3898 : Task with status IsInvoicedFinished
if ($task->isInvoicedFinished())
{
return false;
}
// Task plan.io #4118 : Deny if parent/task is readonly (TaskInfoRekto)
if ($task->getHelpParent() !== null)
{
$helpParent = $task->getHelpParent();
if ($helpParent->getTaskInfoRekto() !== null && $helpParent->getTaskInfoRekto()->getReadonlyTask())
{
return false;
}
}
else
{
if ($task->getTaskInfoRekto() !== null && $task->getTaskInfoRekto()->getReadonlyTask())
{
return false;
}
}
$mission = $task->getMission();
$viewerSocietyGroup = $access->getSocietyGroup();
// Plan.io Task #3260
// SharedTask : mission.author # mission.owner
// The author should only be able to view or delete its own tasks
if ($task->isShared() && $mission !== null)
{
if ($mission->getSocietyGroupOwner() !== null)
{
// The SocietyGroup viewing the Task is the Author, not the Owner
if (!$mission->getSocietyGroupOwner()->equals($viewerSocietyGroup))
{
return false;
}
}
}
// First of all, check if this is a SharedTask viewed from the Emitter.Side
// Plan.io Task #4024 #4091
// $currentGroup is the one trying to access the Task
if ($task->isSharedBy($viewerSocietyGroup))
{
if ($mission === null)
{
// Task is shared by $currentGroup and has a Mission
// So the $currentGroup can edit the Task
return true;
}
// Task is shared by $currentGroup and has a Mission
// Deny edit
return false;
}
// All view conditions have been met
return true;
}
// This is global to delete and delete_own
protected function checkDeleteConditions(Task $task, Access $access)
{
$mission = $task->getMission();
$viewerSocietyGroup = $access->getSocietyGroup();
// Deny delete on archivedRefused objects
$isArchivedRefused = $task->isArchivedRefused();
if ($isArchivedRefused)
{
return false;
}
// First of all, check if this is a SharedTask viewed from the Emitter.Side
// Plan.io Task #4024 #4091
// $currentGroup is the one trying to access the Task
if ($task->isSharedBy($viewerSocietyGroup))
{
if ($mission === null)
{
// Task is shared by $currentGroup and has no Mission
// So the $currentGroup can delete the Task
return true;
}
// Task is shared by $currentGroup and has a Mission
// Deny edit
return false;
}
// All view conditions have been met
return true;
}
protected function decide_canViewOwn(Task $task, Access $access)
{
$result = $this->checkViewConditions($task, $access);
if ($result === false)
{
return false;
}
$permission = $this->getAclPlanning($task, $access);
if ($permission === null)
{
return false;
}
if ($permission->canViewOwn())
{
return $this->checkOwn($task, $access);
}
return false;
}
protected function decide_canView(Task $task, Access $access)
{
$result = $this->checkViewConditions($task, $access);
if ($result === false)
{
return false;
}
$viewerSocietyGroup = $access->getSocietyGroup();
$mission = $task->getMission();
// The Task has ShareData, and we are viewing it from the Emitter side
if ($task->isSharedBy($viewerSocietyGroup))
{
if ($mission !== null)
{
return true;
// We have a Mission attached and we are viewing the task from the Emitter Side
// => Open Special View
// redirects to "icod_platform_task_view_shared_emitter_side"
// Shared Task with no Mission viewed from the Emitter Side
// Edit is granted
// Since Edit is Tested before View, this code should never be reached
// But just in case, return true
// Since view is a sub-permission of edit ;)
}
return true;
// We don't have a Mission attached and we are viewing the task from the Emitter Side
// => Open Special Edit
// redirects to "icod_platform_task_edit_shared_emitter_side"
}
$permission = $this->getAclPlanning($task, $access);
if ($permission === null)
{
return false;
}
if ($permission->canView())
{
return true;
}
// If the user has can_view_own and the task is its own,
// then this method should return true
if ($permission->canViewOwn())
{
return $this->checkOwn($task, $access);
}
return false;
}
protected function decide_canEditOwn(Task $task, Access $access)
{
$result = $this->checkEditConditions($task, $access);
if ($result === false)
{
return false;
}
// All global view conditions have been met
$permission = $this->getAclPlanning($task, $access);
if ($permission === null)
{
return false;
}
if ($permission->canEditOwn())
{
return $this->checkOwn($task, $access);
}
return false;
}
protected function decide_canEdit(Task $task, Access $access)
{
$result = $this->checkEditConditions($task, $access);
if ($result === false)
{
return false;
}
$viewerSocietyGroup = $access->getSocietyGroup();
$mission = $task->getMission();
// The Task has ShareData, and we are viewing it from the Emitter side
if ($task->isSharedBy($viewerSocietyGroup))
{
if ($mission !== null)
{
return false;
// We have a Mission attached and we are viewing the task from the Emitter Side
// => Open Special View
// redirects to "icod_platform_task_view_shared_emitter_side"
// Shared Task with a Mission attached viewed from the Emitter Side
// Edit is not granted
}
return true;
// We don't have a Mission attached and we are viewing the task from the Emitter Side
// => Open Special Edit
// redirects to "icod_platform_task_edit_shared_emitter_side"
}
// All global view conditions have been met
$permission = $this->getAclPlanning($task, $access);
if ($permission === null)
{
return false;
}
if ($permission->canEdit())
{
return true;
}
// If the user has can_edit_own and the task is its own,
// then this method should return true
if ($permission->canEditOwn())
{
return $this->checkOwn($task, $access);
}
return false;
}
protected function decide_canDeleteOwn(Task $task, Access $access)
{
$result = $this->checkDeleteConditions($task, $access);
if ($result === false)
{
return false;
}
// All global view conditions have been met
$permission = $this->getAclPlanning($task, $access);
if ($permission === null)
{
return false;
}
if ($permission->canDeleteOwn())
{
return $this->checkOwn($task, $access);
}
return false;
}
protected function decide_canDelete(Task $task, Access $access)
{
$result = $this->checkDeleteConditions($task, $access);
if ($result === false)
{
return false;
}
// All global view conditions have been met
$permission = $this->getAclPlanning($task, $access);
if ($permission === null)
{
return false;
}
if ($permission->canDelete())
{
return true;
}
// If the user has can_delete_own and the task is its own,
// then this method should return true
if ($permission->canDeleteOwn())
{
return $this->checkOwn($task, $access);
}
return false;
}
protected function supports(string $attribute, $subject = null): bool
{
// if the attribute isn't one we support, return false
if (!in_array($attribute, self::IS_GRANTED_CONSTANTS))
{
return false;
}
// Only vote on Task and Mission objects inside this voter
// Plan.io Task #4089 : Added $society for the ADD part
if ($subject !== null && !($subject instanceof Task || $subject instanceof Mission || $subject instanceof Society))
{
return false;
}
return true;
}
protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
{
$user = $token->getUser();
// Plan.io Task #3707
if ($user instanceof AccessAPI)
{
if ($user->getAccess() === null)
{
return false;
}
$user = $user->getAccess();
}
// Plan.io Task #3707
// At this point $user is an object of Access type
// even if the $token->getUser() is AccessAPI
if (!$user instanceof Access)
{
// the user must be logged in; if not, deny access
return false;
}
// The user must have a function; if not deny access
$function = $user->getFunction();
if ($function === null) return false;
// Plan.io Task #3710 : Get current group
$currentGroup = $user->getSocietyGroup();
if ($currentGroup === null)
return false;
// This is needed to check HumanResource Module in canLoadGloablPlanning
$this->currentGroup = $currentGroup;
// Module activated ?
if ($this->moduleTools->isInactiveByCode($currentGroup, Module::MODULE_PLANNING))
{
return false;
}
$task = null;
$mission = null;
if ($subject instanceof Task)
{
/** @var Task $task */
$task = $subject;
// Check current group affectation
if ($subject !== null)
{
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] ".$subject->displayForLog());
// Plan.io Task #4024
// Handle Shared Tasks
if ($subject->isSharedBy($currentGroup))
{
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] subject->isSharedBy(currentGroup)");
}
else
{
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] subject->isSharedBy(currentGroup) NOPE");
$subjectSociety = $subject->getSociety();
if ($subjectSociety === null)
{
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] subject->isSharedBy(currentGroup) NOPE: Die.Hard.001");
return false;
}
$subjectGroup = $subjectSociety->getGroup();
if ($subjectGroup === null)
{
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] subject->isSharedBy(currentGroup) NOPE: Die.Hard.002");
return false;
}
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] currentGroup = ".$currentGroup->displayForLog());
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] subjectGroup = ".$subjectGroup->displayForLog());
if (!$currentGroup->equals($subjectGroup))
{
// $this->logTools->ploopLog("[TaskVoter][voteOnAttribute] subject->isSharedBy(currentGroup) NOPE: Die.Hard.003");
return false;
}
}
}
}
else
{
if ($subject instanceof Mission)
{
/** @var Mission $mission */
$mission = $subject;
// Plan.io Task #3517, modified by #4453
if (!$this->accessDecisionManager->decide($token, ['view_mission'], $mission))
{
return false;
}
}
}
switch ($attribute)
{
// This is different from the Devis, because we can create a task outside a mission
// So the mission parameter is optional
// Plan.io Task #4089 : ADD $subject can be either Mission or Society
case self::ADD:
return $this->canAdd($user, $function, $subject);
case self::VIEW:
return $this->canView($task, $user);
case self::EDIT:
return $this->canEdit($task, $user);
case self::DELETE:
return $this->canDelete($task, $user);
case self::DECIDE_ADD_TYPE:
return $this->decideOn(self::DECIDE_ADD_TYPE, $function);
case self::DECIDE_VIEW_TYPE_ALL:
return $this->decideOn(self::DECIDE_VIEW_TYPE_ALL, $function);
case self::DECIDE_VIEW_TYPE_SOCIETY:
return $this->decideOn(self::DECIDE_VIEW_TYPE_SOCIETY, $function);
case self::DECIDE_VIEW_TYPE_OWN:
return $this->decideOn(self::DECIDE_VIEW_TYPE_OWN, $function);
case self::DECIDE_EDIT_TYPE_ALL:
return $this->decideOn(self::DECIDE_EDIT_TYPE_ALL, $function);
case self::DECIDE_EDIT_TYPE_SOCIETY:
return $this->decideOn(self::DECIDE_EDIT_TYPE_SOCIETY, $function);
case self::DECIDE_EDIT_TYPE_OWN:
return $this->decideOn(self::DECIDE_EDIT_TYPE_OWN, $function);
case self::DECIDE_DELETE_TYPE_ALL:
return $this->decideOn(self::DECIDE_DELETE_TYPE_ALL, $function);
case self::DECIDE_DELETE_TYPE_SOCIETY:
return $this->decideOn(self::DECIDE_DELETE_TYPE_SOCIETY, $function);
case self::DECIDE_DELETE_TYPE_OWN:
return $this->decideOn(self::DECIDE_DELETE_TYPE_OWN, $function);
case self::LISTING:
return $this->canList($user, $function);
}
throw new \LogicException('This code should not be reached!');
}
// $access is the user trying to load the resource
// $task is the resource being loaded
// Check if the Society of the resource
// belongs to the societies of the $access
private function checkSociety(Task $task, Access $access)
{
// Get all the societies of the access
$societies = $access->getSocieties();
// Get the Society of the Task
$taskSociety = $task->getSociety();
if ($taskSociety === null)
return false;
// Check if the original society is accepted
foreach ($societies as $society)
{
if ($society->getId() == $taskSociety->getId())
{
return true;
break;
}
}
// Next check the new societies
// Get resources
$resources = $task->getPlanningResources();
if ($resources === null || count($resources) < 1)
return false;
foreach ($resources as $res)
{
if ($res->getSociety() !== null)
{
foreach ($societies as $society)
{
if ($society->getId() == $res->getSociety()->getId())
{
return true;
break;
}
}
}
}
return false;
}
// Check if the $access is one of the resources of the $task
private function checkOwn(Task $task, Access $access)
{
// Get resources
$resources = $task->getPlanningResources();
if ($resources === null || count($resources) < 1)
return false;
foreach ($resources as $res)
{
if ($res->getAccess() !== null)
{
if ($res->getAccess()->getId() == $access->getId())
{
return true;
break;
}
}
}
return false;
}
private function decideOn($type, AccessFunction $function)
{
$aclPerm = null;
switch($type)
{
// Plan.io Task #4089
case self::DECIDE_ADD_TYPE:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
break;
}
case self::DECIDE_VIEW_TYPE_ALL:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
break;
}
case self::DECIDE_VIEW_TYPE_SOCIETY:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
break;
}
case self::DECIDE_VIEW_TYPE_OWN:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_OWN);
break;
}
case self::DECIDE_EDIT_TYPE_ALL:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
break;
}
case self::DECIDE_EDIT_TYPE_SOCIETY:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
break;
}
case self::DECIDE_EDIT_TYPE_OWN:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_OWN);
break;
}
case self::DECIDE_DELETE_TYPE_ALL:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
break;
}
case self::DECIDE_DELETE_TYPE_SOCIETY:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_SOCIETY);
break;
}
case self::DECIDE_DELETE_TYPE_OWN:
{
$aclPerm = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_OWN);
break;
}
}
if ($aclPerm === null) return false;
// Get Acl
$acl = $this->aclRepository->findOneBy(array(
'function' => $function,
'permission' => $aclPerm
));
if ($acl === null) return false;
return $acl->getValue();
}
// Plan.io Task #4089 : $subject can be either Mission or Society
private function canAdd(Access $access, AccessFunction $function, $subject = null)
{
if ($subject !== null)
{
if ($subject instanceof Mission)
{
$mission = $subject;
// When a mission is shared, the author cannot edit it
// Deny actions on archivedRefused objects
if ($mission->isArchivedRefused())
{
return false;
}
if ($mission->isShared())
{
if ($mission->isSharedBySocietyGroup($this->currentGroup))
{
return false;
}
}
}
}
/*
// Specific access permissions are prioritary
// Since we need the Society, get it from the Mission or the actual Society sent via the $subject
$society = $access->getSociety();
if ($subject !== null)
{
if ($subject instanceof Mission)
{
$society = $subject->getSociety();
// For now the only case where the $subject is a Mission for the ADD
// is when using maps
// So maybe replace this with the actual Society
// TODO : (also) check how this plays out
// in the context of adding tasks for shared missions, receiver side
}
else
{
if ($subject instanceof Society)
{
$society = $subject;
}
}
}
*/
// Check permission
// For now ADD is global for all the Societies of the Access
// Thus the third param set to true
$permission = $this->getAclPlanning(null, $access);
if ($permission === null)
{
return false;
}
if ($permission->canAdd())
{
return true;
}
// If we are here, all hope is lost
return false;
}
public function canView(Task $task, Access $access)
{
if ($this->decide_canView($task, $access))
{
return true;
}
if ($this->decide_canViewOwn($task, $access))
{
return true;
}
// If we are here, all hope is lost
return false;
}
public function canEdit(Task $task, Access $access)
{
if ($this->decide_canEdit($task, $access))
{
return true;
}
if ($this->decide_canEditOwn($task, $access))
{
return true;
}
// If we are here, all hope is lost
return false;
}
public function canDelete(Task $task, Access $access)
{
if ($this->decide_canDelete($task, $access))
{
return true;
}
if ($this->decide_canDeleteOwn($task, $access))
{
return true;
}
// If we are here, all hope is lost
return false;
}
// Plan.io Task #3534
// Can List is actually a mix of view and edit
private function canList(Access $access, AccessFunction $function)
{
$perms = array();
$perms[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
$perms[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
$perms[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
$perms[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
$perms[] = $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_OWN);
foreach ($perms as $perm)
{
if ($perm !== null)
{
$acl = $this->aclRepository->findOneBy(array(
'function' => $function,
'permission' => $perm
));
if ($acl !== null)
{
if ($acl->getValue())
{
// A single positive answer is enough
return true;
}
}
}
}
return false;
}
}

src/Security/TaskVoter.php line 102