src/Security/Voter/AccountVoter.php line 16

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use Doctrine\ORM\EntityManagerInterface;
  6. use MedBrief\MSR\Entity\Account;
  7. use MedBrief\MSR\Entity\Firm;
  8. use MedBrief\MSR\Entity\User;
  9. use MedBrief\MSR\Repository\UserInternalRepository;
  10. use Override;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  14. use Symfony\Component\Security\Core\User\UserInterface;
  16. class AccountVoter extends Voter
  17. {
  18. public const CREATE = 'CREATE';
  19. public const READ = 'READ';
  20. public const UPDATE = 'UPDATE';
  21. public const DELETE = 'DELETE';
  22. public const ADMINISTRATION = 'ADMINISTRATION';
  24. public const USER_ADMINISTRATION = 'USER_ADMINISTRATION';
  25. public const SORTING_SETTINGS_ADMINISTRATION = 'SORTING_SETTINGS_ADMINISTRATION';
  26. public const MATTER_REQUEST_DEFAULTS_ADMINISTRATION = 'MATTER_REQUEST_DEFAULTS_ADMINISTRATION';
  27. public const INDEX_HEADER_ADMINISTRATION = 'INDEX_HEADER_ADMINISTRATION';
  28. public const TECHNICAL_ADMINISTRATION = 'TECHNICAL_ADMINISTRATION';
  29. public const UPDATE_PHYSICAL_ADDRESS = 'UPDATE_PHYSICAL_ADDRESS';
  30. public const ADD_OFFICE = 'ADD_OFFICE';
  31. public const ADD_MATTER_REQUEST = 'ADD_MATTER_REQUEST';
  32. public const ADD_LICENCE_RENEWAL_TERM = 'ADD_LICENCE_RENEWAL_TERM';
  34. public const ACCESS_GRANTED = true;
  35. public const ACCESS_DENIED = false;
  37. public function __construct(
  38. private readonly AuthorizationCheckerInterface $authorizationChecker,
  39. private readonly UserInternalRepository $userInternalRepository,
  40. private readonly EntityManagerInterface $entityManager
  41. ) {
  42. }
  44. #[Override]
  45. protected function supports($attribute, $subject)
  46. {
  47. return in_array($attribute, [
  48. self::CREATE,
  49. self::READ,
  50. self::UPDATE,
  51. self::DELETE,
  52. self::ADMINISTRATION,
  53. self::USER_ADMINISTRATION,
  54. self::SORTING_SETTINGS_ADMINISTRATION,
  55. self::MATTER_REQUEST_DEFAULTS_ADMINISTRATION,
  56. self::INDEX_HEADER_ADMINISTRATION,
  57. self::UPDATE_PHYSICAL_ADDRESS,
  58. self::ADD_OFFICE,
  59. self::TECHNICAL_ADMINISTRATION,
  60. self::ADD_MATTER_REQUEST,
  61. self::ADD_LICENCE_RENEWAL_TERM,
  62. ])
  63. && ($subject instanceof Account || is_subclass_of($subject, Account::class));
  64. }
  66. #[Override]
  67. protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
  68. {
  69. /** @var User $user */
  70. $user = $token->getUser();
  72. // if the user is anonymous, do not grant access
  73. if (!$user instanceof UserInterface) {
  74. return self::ACCESS_DENIED;
  75. }
  77. if ($user instanceof Firm && $user->getClientAreas()->contains($subject)) {
  78. return self::ACCESS_GRANTED;
  79. }
  81. // Super Admin and Admin users can add/edit terms
  82. if ($attribute === self::ADD_LICENCE_RENEWAL_TERM) {
  83. return $this->canCreate();
  84. }
  86. // Super Admin users can do everything
  87. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  88. return self::ACCESS_GRANTED;
  89. }
  91. // Only Super Admins may create, delete Accounts or have full administration rights
  92. if ($attribute === self::MATTER_REQUEST_DEFAULTS_ADMINISTRATION) {
  93. return self::ACCESS_DENIED;
  94. }
  96. // Attributes that only internal users (MedBrief staff) can perform
  97. $internalOnlyAttributes = [
  98. self::CREATE,
  99. self::DELETE,
  100. self::ADMINISTRATION,
  101. self::SORTING_SETTINGS_ADMINISTRATION,
  102. self::UPDATE,
  103. ];
  105. // Attributes that both internal users and client administrators can perform
  106. $internalAndClientAdminAttributes = [
  107. self::UPDATE_PHYSICAL_ADDRESS,
  108. self::ADD_OFFICE,
  109. ];
  111. // Internal users (MedBrief staff) can update any account
  112. if ($user instanceof User
  113. && $user->isUserInternal($this->userInternalRepository, $this->entityManager)
  114. && (in_array($attribute, array_merge($internalOnlyAttributes, $internalAndClientAdminAttributes)))) {
  115. return self::ACCESS_GRANTED;
  116. }
  118. // For client users, deny by default and only allow if user has specific account permissions
  119. // This will be evaluated by the role checks below (ADMINISTRATOR or SUPERADMINISTRATOR for this account)
  121. // If this user is a Client Super Administrator for the Account then they can
  122. // do everything else
  123. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $subject->getId() . '_SUPERADMINISTRATOR')
  124. && !in_array($attribute, $internalOnlyAttributes)
  125. ) {
  126. return self::ACCESS_GRANTED;
  127. }
  129. // Otherwise if this user is a Client Administrator for the Account then they can
  130. // do everything else except for User Administration and Technical Admin
  131. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $subject->getId() . '_ADMINISTRATOR')
  132. && !in_array($attribute, array_merge([
  133. self::USER_ADMINISTRATION,
  134. self::TECHNICAL_ADMINISTRATION,
  135. ], $internalOnlyAttributes))
  136. ) {
  137. return self::ACCESS_GRANTED;
  138. }
  140. // A Client technical administrator may perform technical administration as well as other duties
  141. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $subject->getId() . '_TECHNICAL_ADMIN')
  142. && in_array($attribute, array_merge([
  143. self::READ,
  144. self::TECHNICAL_ADMINISTRATION,
  145. self::ADD_MATTER_REQUEST,
  146. ], $internalAndClientAdminAttributes))) {
  147. return self::ACCESS_GRANTED;
  148. }
  150. return self::ACCESS_DENIED;
  151. }
  153. private function canCreate(): bool
  154. {
  155. return $this->authorizationChecker->isGranted('ROLE_ADMIN');
  156. }
  157. }