src/Security/Voter/AccountVoter.php line 14

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\Account;
  6. use MedBrief\MSR\Entity\Firm;
  7. use MedBrief\MSR\Entity\User;
  8. use Override;
  9. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  11. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  12. use Symfony\Component\Security\Core\User\UserInterface;
  14. class AccountVoter extends Voter
  15. {
  16. public const CREATE = 'CREATE';
  17. public const READ = 'READ';
  18. public const UPDATE = 'UPDATE';
  19. public const DELETE = 'DELETE';
  20. public const ADMINISTRATION = 'ADMINISTRATION';
  22. public const USER_ADMINISTRATION = 'USER_ADMINISTRATION';
  23. public const SORTING_SETTINGS_ADMINISTRATION = 'SORTING_SETTINGS_ADMINISTRATION';
  24. public const MATTER_REQUEST_DEFAULTS_ADMINISTRATION = 'MATTER_REQUEST_DEFAULTS_ADMINISTRATION';
  25. public const INDEX_HEADER_ADMINISTRATION = 'INDEX_HEADER_ADMINISTRATION';
  26. public const TECHNICAL_ADMINISTRATION = 'TECHNICAL_ADMINISTRATION';
  27. public const UPDATE_PHYSICAL_ADDRESS = 'UPDATE_PHYSICAL_ADDRESS';
  28. public const ADD_OFFICE = 'ADD_OFFICE';
  29. public const ADD_MATTER_REQUEST = 'ADD_MATTER_REQUEST';
  30. public const ADD_LICENCE_RENEWAL_TERM = 'ADD_LICENCE_RENEWAL_TERM';
  32. public const ACCESS_GRANTED = true;
  33. public const ACCESS_DENIED = false;
  35. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker)
  36. {
  37. }
  39. #[Override]
  40. protected function supports($attribute, $subject)
  41. {
  42. return in_array($attribute, [
  43. self::CREATE,
  44. self::READ,
  45. self::UPDATE,
  46. self::DELETE,
  47. self::ADMINISTRATION,
  48. self::USER_ADMINISTRATION,
  49. self::SORTING_SETTINGS_ADMINISTRATION,
  50. self::MATTER_REQUEST_DEFAULTS_ADMINISTRATION,
  51. self::INDEX_HEADER_ADMINISTRATION,
  52. self::UPDATE_PHYSICAL_ADDRESS,
  53. self::ADD_OFFICE,
  54. self::TECHNICAL_ADMINISTRATION,
  55. self::ADD_MATTER_REQUEST,
  56. self::ADD_LICENCE_RENEWAL_TERM,
  57. ])
  58. && ($subject instanceof Account || is_subclass_of($subject, Account::class));
  59. }
  61. #[Override]
  62. protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
  63. {
  64. $user = $token->getUser();
  66. // if the user is anonymous, do not grant access
  67. if (!$user instanceof UserInterface) {
  68. return self::ACCESS_DENIED;
  69. }
  71. if ($user instanceof Firm && $user->getClientAreas()->contains($subject)) {
  72. return self::ACCESS_GRANTED;
  73. }
  75. // Super Admin and Admin users can add/edit terms
  76. if ($attribute === self::ADD_LICENCE_RENEWAL_TERM) {
  77. return $this->canCreate();
  78. }
  80. // Super Admin users can do everything
  81. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  82. return self::ACCESS_GRANTED;
  83. }
  85. switch ($attribute) {
  86. case self::CREATE:
  87. case self::DELETE:
  88. case self::ADMINISTRATION:
  89. case self::SORTING_SETTINGS_ADMINISTRATION:
  90. case self::MATTER_REQUEST_DEFAULTS_ADMINISTRATION:
  91. // Only Super Admins may create, delete Accounts or have full administration rights
  92. return self::ACCESS_DENIED;
  93. case self::UPDATE:
  94. // If not an internal user, deny updating
  95. return $user->isUserTypeInternal();
  96. }
  98. // If this user is a Client Super Administrator for the Account then they can
  99. // do everything else
  100. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $subject->getId() . '_SUPERADMINISTRATOR')) {
  101. return self::ACCESS_GRANTED;
  102. }
  104. // Otherwise if this user is a Client Administrator for the Account then they can
  105. // do everything else except for User Administration and Technical Admin
  106. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $subject->getId() . '_ADMINISTRATOR') && !in_array($attribute, [
  107. self::USER_ADMINISTRATION,
  108. self::TECHNICAL_ADMINISTRATION,
  109. ])) {
  110. return self::ACCESS_GRANTED;
  111. }
  113. // A Client technical administrator may perform technical administration as well as other duties
  114. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $subject->getId() . '_TECHNICAL_ADMIN') && in_array($attribute, [
  115. self::READ,
  116. self::TECHNICAL_ADMINISTRATION,
  117. self::ADD_MATTER_REQUEST,
  118. ])) {
  119. return self::ACCESS_GRANTED;
  120. }
  122. return self::ACCESS_DENIED;
  123. }
  125. private function canCreate(): bool
  126. {
  127. return $this->authorizationChecker->isGranted('ROLE_ADMIN');
  128. }
  129. }