src/Security/Voter/AiFeedbackMatchVoter.php line 22

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\AiFeedbackMatch;
  6. use MedBrief\MSR\Entity\User;
  7. use MedBrief\MSR\Repository\ProjectRepository;
  8. use Override;
  9. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  11. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  12. use Symfony\Component\Security\Core\User\UserInterface;
  14. /**
  15. * Voter for AiFeedbackMatch entity CRUD permissions.
  16. *
  17. * - CREATE: requires MATCH_VIEW_FIRM access on the related project
  18. * - READ: requires MATCH_VIEW_FIRM access on the related project
  19. * - UPDATE: only the user who created the feedback may update it
  20. * - DELETE: requires ROLE_ADMIN
  21. */
  22. class AiFeedbackMatchVoter extends Voter
  23. {
  24. public const CREATE = 'AI_FEEDBACK_MATCH_CREATE';
  25. public const READ = 'AI_FEEDBACK_MATCH_READ';
  26. public const UPDATE = 'AI_FEEDBACK_MATCH_UPDATE';
  27. public const DELETE = 'AI_FEEDBACK_MATCH_DELETE';
  29. public function __construct(
  30. private readonly AuthorizationCheckerInterface $auth,
  31. private readonly ProjectRepository $projectRepository,
  32. ) {
  33. }
  35. #[Override]
  36. protected function supports(string $attribute, mixed $subject): bool
  37. {
  38. return \in_array($attribute, [self::CREATE, self::READ, self::UPDATE, self::DELETE], true)
  39. && $subject instanceof AiFeedbackMatch;
  40. }
  42. #[Override]
  43. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  44. {
  45. $user = $token->getUser();
  46. if (!$user instanceof UserInterface) {
  47. return false;
  48. }
  50. /** @var AiFeedbackMatch $feedback */
  51. $feedback = $subject;
  53. return match ($attribute) {
  54. self::CREATE => $this->canCreate($feedback),
  55. self::READ => $this->canRead($feedback),
  56. self::UPDATE => $this->canUpdate($feedback, $user),
  57. self::DELETE => $this->canDelete(),
  58. default => false,
  59. };
  60. }
  62. /**
  63. * CREATE: user must have MATCH_VIEW_FIRM access on the related project.
  64. *
  65. * @param AiFeedbackMatch $feedback
  66. */
  67. private function canCreate(AiFeedbackMatch $feedback): bool
  68. {
  69. $project = $this->projectRepository->find($feedback->getMatterId());
  70. if ($project === null) {
  71. return false;
  72. }
  74. return $this->auth->isGranted(MatchVoter::VIEW_FIRM, $project);
  75. }
  77. /**
  78. * READ: user must have MATCH_VIEW_FIRM access on the related project.
  79. *
  80. * @param AiFeedbackMatch $feedback
  81. */
  82. private function canRead(AiFeedbackMatch $feedback): bool
  83. {
  84. $project = $this->projectRepository->find($feedback->getMatterId());
  85. if ($project === null) {
  86. return false;
  87. }
  89. return $this->auth->isGranted(MatchVoter::VIEW_FIRM, $project);
  90. }
  92. /**
  93. * UPDATE: only the user who created the feedback may update it.
  94. *
  95. * @param AiFeedbackMatch $feedback
  96. * @param UserInterface $user
  97. */
  98. private function canUpdate(AiFeedbackMatch $feedback, UserInterface $user): bool
  99. {
  100. if (!$user instanceof User) {
  101. return false;
  102. }
  104. return $feedback->getUserId() !== null && $feedback->getUserId() === $user->getId();
  105. }
  107. /**
  108. * DELETE: only MB admins.
  109. */
  110. private function canDelete(): bool
  111. {
  112. return $this->auth->isGranted('ROLE_ADMIN');
  113. }
  114. }