src/Security/Voter/AttributeOnlyVoter.php line 21

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Account;
  7. use MedBrief\MSR\Entity\Firm;
  8. use MedBrief\MSR\Entity\User;
  9. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  10. use Override;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  14. use Symfony\Component\Security\Core\User\UserInterface;
  16. /**
  17. * This Voter handles the voting on checks that don't involve a specific
  18. * entity. Things like checking if a user can do some task like add a new
  19. * Account, or Project etc
  20. */
  21. class AttributeOnlyVoter implements VoterInterface
  22. {
  23. // these should be expanded over time as we need them
  24. public const CREATE_ACCOUNT = 'CREATE_ACCOUNT';
  25. public const CREATE_PROJECT = 'CREATE_PROJECT';
  26. public const CREATE_SERVICE_OPTION = 'CREATE_SERVICE_OPTION';
  27. public const CREATE_BILLING_ITEM = 'CREATE_BILLING_ITEM';
  28. public const CREATE_INVOICE = 'CREATE_INVOICE';
  29. public const CREATE_SORTING_MEMO_PHRASE = 'CREATE_SORTING_MEMO_PHRASE';
  30. public const CREATE_MATTER_REQUEST = 'CREATE_MATTER_REQUEST';
  31. public const CREATE_RECORDS_REQUEST_CENTRE_PARENT = 'CREATE_RECORDS_REQUEST_CENTRE_PARENT';
  32. public const CREATE_RECORDS_REQUEST_CENTRE_CHILD = 'CREATE_RECORDS_REQUEST_CENTRE_CHILD';
  33. public const CREATE_RECORDS_REQUEST_CENTRE_CONTACT = 'CREATE_RECORDS_REQUEST_CENTRE_CONTACT';
  34. public const CREATE_RECORDS_REQUEST_LETTER_TEMPLATE = 'CREATE_RECORDS_REQUEST_LETTER_TEMPLATE';
  35. public const CREATE_FIRM = 'CREATE_FIRM';
  37. // Manage records request centre contact
  38. public const MANAGE_RECORDS_REQUEST_CENTRE_CONTACT = 'MANAGE_RECORDS_REQUEST_CENTRE_CONTACT';
  40. public const LIST_ACCOUNT = 'LIST_ACCOUNT';
  41. public const LIST_PROJECT = 'LIST_PROJECT';
  42. public const LIST_PROJECT_CLOSED = 'LIST_PROJECT_CLOSED';
  43. public const LIST_USER = 'LIST_USER';
  44. public const LIST_SERVICE_OPTION = 'LIST_SERVICE_OPTION';
  45. public const LIST_BILLING_ITEM = 'LIST_BILLING_ITEM';
  46. public const LIST_PENDING_INVOICE = 'LIST_PENDING_INVOICE';
  47. public const LIST_INVOICE = 'LIST_INVOICE';
  48. public const LIST_SORTING_MEMO_PHRASE = 'LIST_SORTING_MEMO_PHRASE';
  49. public const LIST_MATTER_REQUEST = 'LIST_MATTER_REQUEST';
  50. public const LIST_RECORDS_REQUEST_CENTRE_PARENT = 'LIST_RECORDS_REQUEST_CENTRE_PARENT';
  51. public const LIST_RECORDS_REQUEST_CENTRE_CHILD = 'LIST_RECORDS_REQUEST_CENTRE_CHILD';
  52. public const LIST_RECORDS_REQUEST_CENTRE_ARCHIVED = 'LIST_RECORDS_REQUEST_CENTRE_ARCHIVED';
  53. public const LIST_RECORDS_REQUEST_LETTER_TEMPLATE = 'LIST_RECORDS_REQUEST_LETTER_TEMPLATE';
  54. public const LIST_FIRM = 'LIST_FIRM';
  55. public const LIST_PROJECT_TYPE = 'LIST_PROJECT_TYPE';
  56. public const LIST_PROJECT_RENEWALS = 'LIST_PROJECT_RENEWALS';
  58. public const USER_ADMINISTRATION = 'USER_ADMINISTRATION'; // indicates full user administration rights (CRUD)
  59. public const HUMAN_RESOURCE_ADMINISTRATION = 'HUMAN_RESOURCE_ADMINISTRATION'; // indicates full human resource administration rights (CRUD)
  60. public const USER_HELP_ADMINISTRATION = 'USER_HELP_ADMINISTRATION'; // indicates user Help Guide administration rights (CRUD)
  62. public const PRIORITISE_DISCS = 'PRIORITISE_DISCS';
  64. // Allow specific Users to mark stuffs as billed
  65. public const MARK_AS_BILLED = 'MARK_AS_BILLED';
  67. // Grants access to the 'Advanced' fields of all ServiceableInterface entities.
  68. public const SERVICE_REQUEST_ADVANCED = 'SERVICE_REQUEST_ADVANCED';
  70. public const ALLOW_USER_TYPE_CHANGE = 'ALLOW_USER_TYPE_CHANGE';
  72. // Migrated from ReportsBundle
  73. public const CREATE_REPORT = 'CREATE_REPORT';
  74. public const LIST_REPORT = 'LIST_REPORT';
  75. public const DOWNLOAD_REPORT = 'DOWNLOAD_REPORT';
  77. // Download Lists
  78. public const DOWNLOAD_PROJECT_LIST = 'DOWNLOAD_PROJECT_LIST';
  80. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker, private readonly UserHelper $userHelper)
  81. {
  82. }
  84. public function supportsAttribute($attribute): bool
  85. {
  86. return in_array($attribute, [
  87. self::CREATE_ACCOUNT,
  88. self::CREATE_PROJECT,
  89. self::LIST_ACCOUNT,
  90. self::LIST_PROJECT,
  91. self::LIST_USER,
  92. self::USER_ADMINISTRATION,
  93. self::USER_HELP_ADMINISTRATION,
  94. self::LIST_PROJECT_CLOSED,
  95. self::PRIORITISE_DISCS,
  96. self::LIST_SERVICE_OPTION,
  97. self::CREATE_SERVICE_OPTION,
  98. self::LIST_BILLING_ITEM,
  99. self::CREATE_BILLING_ITEM,
  100. self::CREATE_INVOICE,
  101. self::LIST_PENDING_INVOICE,
  102. self::LIST_INVOICE,
  103. self::HUMAN_RESOURCE_ADMINISTRATION,
  104. self::SERVICE_REQUEST_ADVANCED,
  105. self::MARK_AS_BILLED,
  106. self::CREATE_SORTING_MEMO_PHRASE,
  107. self::LIST_SORTING_MEMO_PHRASE,
  108. self::LIST_MATTER_REQUEST,
  109. self::CREATE_MATTER_REQUEST,
  110. self::CREATE_RECORDS_REQUEST_CENTRE_PARENT,
  111. self::LIST_RECORDS_REQUEST_CENTRE_PARENT,
  112. self::CREATE_RECORDS_REQUEST_CENTRE_CHILD,
  113. self::LIST_RECORDS_REQUEST_CENTRE_CHILD,
  114. self::CREATE_RECORDS_REQUEST_CENTRE_CONTACT,
  115. self::MANAGE_RECORDS_REQUEST_CENTRE_CONTACT,
  116. self::LIST_RECORDS_REQUEST_CENTRE_ARCHIVED,
  117. self::CREATE_RECORDS_REQUEST_LETTER_TEMPLATE,
  118. self::LIST_RECORDS_REQUEST_LETTER_TEMPLATE,
  119. self::ALLOW_USER_TYPE_CHANGE,
  120. self::CREATE_REPORT,
  121. self::LIST_REPORT,
  122. self::DOWNLOAD_REPORT,
  123. self::DOWNLOAD_PROJECT_LIST,
  124. self::LIST_FIRM,
  125. self::CREATE_FIRM,
  126. self::LIST_PROJECT_TYPE,
  127. self::LIST_PROJECT_RENEWALS,
  128. 'EA_EXECUTE_ACTION',
  129. ]);
  130. }
  132. public function supportsClass($class): bool
  133. {
  134. // the class is inconsequential for this Voter
  135. return true;
  136. }
  138. /**
  139. *
  140. * @param mixed $entity
  141. */
  142. #[Override]
  143. public function vote(TokenInterface $token, $entity, array $attributes)
  144. {
  145. /**
  146. * START: This is common code for all Voter::vote() methods
  147. */
  148. // check if class of this object is supported by this voter
  149. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  150. return VoterInterface::ACCESS_ABSTAIN;
  151. }
  153. // set the attribute to check against
  154. $attribute = $attributes[0];
  156. // check if the given attribute is covered by this voter
  157. if (!$this->supportsAttribute($attribute)) {
  158. return VoterInterface::ACCESS_ABSTAIN;
  159. }
  161. // check if the voter is used correct, only allow one attribute
  162. // this isn't a requirement, it's just one easy way for you to
  163. // design your voter
  164. if (1 !== count($attributes)) {
  165. throw new InvalidArgumentException(
  166. 'Only one attribute is allowed for medbrief Voters.'
  167. );
  168. }
  170. // get current logged in user
  171. /** @var User $user */
  172. $user = $token->getUser();
  174. // make sure there is a user object (i.e. that the user is logged in)
  175. if (!$user instanceof UserInterface) {
  176. return VoterInterface::ACCESS_DENIED;
  177. }
  179. // Universally disable this for now, as we will launch without the ability to add new ones.
  180. if ($attribute === self::CREATE_SORTING_MEMO_PHRASE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  181. return VoterInterface::ACCESS_DENIED;
  182. }
  184. // Only ROLE_ADMIN and ROLE_SUPER_ADMIN can PRIORITISE_DISCS at this stage.
  185. if ($attribute === self::PRIORITISE_DISCS && $this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  186. return VoterInterface::ACCESS_GRANTED;
  187. }
  189. // Only ROLE_HR_ADMIN can HUMAN_RESOURCE_ADMINISTRATION at this stage.
  190. // The ROLE_HR_ADMIN role can only be added via a command.
  191. if ($attribute === self::HUMAN_RESOURCE_ADMINISTRATION && (!$this->authorizationChecker->isGranted('ROLE_HR_ADMIN') || $this->authorizationChecker->isGranted('IS_IMPERSONATOR'))) {
  192. return VoterInterface::ACCESS_DENIED;
  193. }
  195. // Only SUPER_ADMIN can CREATE_SERVICE_OPTION at this stage.
  196. if ($attribute === self::CREATE_SERVICE_OPTION && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  197. return VoterInterface::ACCESS_DENIED;
  198. }
  200. // Only SUPER_ADMIN can CREATE_BILLING_ITEM at this stage.
  201. if ($attribute === self::CREATE_BILLING_ITEM && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  202. return VoterInterface::ACCESS_DENIED;
  203. }
  205. // Only SUPER_ADMIN can CREATE_RECORDS_REQUEST_LETTER_TEMPLATE.
  206. if ($attribute === self::CREATE_RECORDS_REQUEST_LETTER_TEMPLATE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  207. return VoterInterface::ACCESS_DENIED;
  208. }
  210. // Only SUPER_ADMIN can LIST_RECORDS_REQUEST_LETTER_TEMPLATE.
  211. if ($attribute === self::LIST_RECORDS_REQUEST_LETTER_TEMPLATE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  212. return VoterInterface::ACCESS_DENIED;
  213. }
  215. // Only Super Admins and those with isBillingAdmin can mark ServiceRequests as billed.
  216. if ($attribute === self::MARK_AS_BILLED) {
  217. if ($this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN') || $user->isBillingAdmin()) {
  218. return VoterInterface::ACCESS_GRANTED;
  219. }
  220. return VoterInterface::ACCESS_DENIED;
  221. }
  223. // Only Help Guide Admins can create, edit or delete.
  224. if ($attribute === self::USER_HELP_ADMINISTRATION) {
  225. if ($this->authorizationChecker->isGranted('ROLE_HELP_ADMIN')) {
  226. return VoterInterface::ACCESS_GRANTED;
  227. }
  228. return VoterInterface::ACCESS_DENIED;
  229. }
  231. // Super Admin users can do everything
  232. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  233. return VoterInterface::ACCESS_GRANTED;
  234. }
  236. /**
  237. * END: Common code for all Voter:vote() methods. Put custom logic below.
  238. */
  239. $this->userHelper->setUser($user);
  241. // if we are looking if the user may create a matter ('Classic' matter creation process)
  242. // if the user is a client administrator for at least one account
  243. if ($attribute == self::CREATE_PROJECT && ($user->isAccountAdministrator() || $user->isAccountProjectManager())) {
  244. // Grab all accounts that the user has a role on
  245. $accountsWithRole = $this->userHelper->getAccountsWithAnyRole();
  246. foreach ($accountsWithRole as $account) {
  247. if ($account->hasAccessToClassicMatterCreation()) {
  248. // Look for at least one account that has access to the 'Classic' matter creation form
  249. return VoterInterface::ACCESS_GRANTED;
  250. }
  251. }
  252. }
  254. // If the User is a Super Admin, Admin, Client SuperAdmin, Client Admin, Client PM, Matter PM
  255. if ($attribute == self::LIST_PROJECT_RENEWALS && ($user->isAccountAdministrator() || $user->isAccountProjectManager() || $user->isProjectManager())) {
  256. return VoterInterface::ACCESS_GRANTED;
  257. }
  259. // if we are looking if the user may create a matter ('Standard' matter creation process)
  260. if ($attribute === self::CREATE_MATTER_REQUEST || $attribute === self::LIST_MATTER_REQUEST) {
  261. if ($user instanceof Firm) {
  262. // If a Firm is authenticated, they by default have access to create/list matter requests
  263. return VoterInterface::ACCESS_GRANTED;
  264. }
  265. // if the user is a client administrator for at least one account
  266. if ($user->isAccountAdministrator() || $user->isAccountProjectManager() || $user->isAccountTechnicalAdmin()) {
  267. // Grab all accounts that the user has a role on
  268. $accountsWithRole = $this->userHelper->getAccountsWithAnyRole();
  269. foreach ($accountsWithRole as $account) {
  270. if ($account->hasAccessToStandardMatterCreation()) {
  271. // Look for at least one account that has access to the 'Standard' matter creation form
  272. return VoterInterface::ACCESS_GRANTED;
  273. }
  274. }
  275. }
  276. }
  278. // if we are looking if the user may view a list of accounts
  279. if ($attribute == self::LIST_ACCOUNT) {
  281. // if the user is a client administrator for at least one account,
  282. // then they may se a list of Accounts
  283. if ($user->isAccountAdministrator()) {
  284. return VoterInterface::ACCESS_GRANTED;
  285. }
  287. if ($user->isAccountTechnicalAdmin()) {
  288. return VoterInterface::ACCESS_GRANTED;
  289. }
  290. }
  292. //if we are looking if the user may view the 'Type' search filter in the matter dashboard, matter list, closed matters list
  293. if ($attribute == self::LIST_PROJECT_TYPE) {
  294. if ($user->isAccountAdministrator() && !$user->isAccountTechnicalAdmin()) {
  295. return VoterInterface::ACCESS_GRANTED;
  296. }
  298. //if the user has an expert role but not an expert viewer role
  299. if ($user->isExpertOnly() && !$user->isExpertViewerOnly()) {
  300. return VoterInterface::ACCESS_GRANTED;
  301. }
  303. return VoterInterface::ACCESS_DENIED;
  304. }
  306. // if we are looking if the user may view a list of projects
  307. if ($attribute == self::LIST_PROJECT) {
  309. // if the user is an expert agency administrator let them pass.
  310. // this should probably be done in a better way, tying permissions
  311. // to an entity in one place somehow....
  312. if ($user->isExpertAgencyAdministrator()) {
  313. return VoterInterface::ACCESS_GRANTED;
  314. }
  316. $accessibleAccounts = $this->userHelper->getAccountIdsWithAnyRole();
  317. $accessibleProjects = $this->userHelper->getProjectIdsWithAnyRole();
  319. // if the user has been assigned at least one Account or Project
  320. // role, then they have access
  321. if ($accessibleAccounts !== [] || $accessibleProjects !== []) {
  322. return VoterInterface::ACCESS_GRANTED;
  323. }
  324. }
  326. // Check if the User can download a list of projects for all the Accounts they have access to.
  327. if ($attribute === self::DOWNLOAD_PROJECT_LIST) {
  328. return $this->canDownloadProjectList($user);
  329. }
  331. if ($attribute === self::LIST_FIRM) {
  332. return $this->canListFirm($user);
  333. }
  335. // If we get to the end of this function, then no decisions have been
  336. // made so we deny access
  337. return VoterInterface::ACCESS_DENIED;
  338. }
  340. /**
  341. * Checks if a user can download a project list.
  342. *
  343. * @param User $user
  344. */
  345. protected function canDownloadProjectList(User $user): int
  346. {
  347. if ($user) {
  348. switch (true) {
  349. case $user->isAccountProjectManager():
  350. case $user->isAccountAdministrator():
  351. return self::ACCESS_GRANTED;
  352. }
  353. }
  354. return self::ACCESS_DENIED;
  355. }
  357. private function canListFirm(User $user): int
  358. {
  359. if ($user && $user->isAccountTechnicalAdmin()) {
  360. return self::ACCESS_GRANTED;
  361. }
  362. return self::ACCESS_DENIED;
  363. }
  364. }