src/Security/Voter/AttributeOnlyVoter.php line 23

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Account;
  7. use MedBrief\MSR\Entity\Firm;
  8. use MedBrief\MSR\Entity\Project;
  9. use MedBrief\MSR\Entity\User;
  10. use MedBrief\MSR\Role\ParsedRole;
  11. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  12. use Override;
  13. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  14. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  15. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  16. use Symfony\Component\Security\Core\User\UserInterface;
  18. /**
  19. * This Voter handles the voting on checks that don't involve a specific
  20. * entity. Things like checking if a user can do some task like add a new
  21. * Account, or Project etc
  22. */
  23. class AttributeOnlyVoter implements VoterInterface
  24. {
  25. // these should be expanded over time as we need them
  26. public const CREATE_ACCOUNT = 'CREATE_ACCOUNT';
  27. public const CREATE_PROJECT = 'CREATE_PROJECT';
  28. public const CREATE_SERVICE_OPTION = 'CREATE_SERVICE_OPTION';
  29. public const CREATE_BILLING_ITEM = 'CREATE_BILLING_ITEM';
  30. public const CREATE_INVOICE = 'CREATE_INVOICE';
  31. public const CREATE_SORTING_MEMO_PHRASE = 'CREATE_SORTING_MEMO_PHRASE';
  32. public const CREATE_MATTER_REQUEST = 'CREATE_MATTER_REQUEST';
  33. public const CREATE_RECORDS_REQUEST_CENTRE_PARENT = 'CREATE_RECORDS_REQUEST_CENTRE_PARENT';
  34. public const CREATE_RECORDS_REQUEST_CENTRE_CHILD = 'CREATE_RECORDS_REQUEST_CENTRE_CHILD';
  35. public const CREATE_RECORDS_REQUEST_CENTRE_CONTACT = 'CREATE_RECORDS_REQUEST_CENTRE_CONTACT';
  36. public const CREATE_RECORDS_REQUEST_LETTER_TEMPLATE = 'CREATE_RECORDS_REQUEST_LETTER_TEMPLATE';
  37. public const CREATE_FIRM = 'CREATE_FIRM';
  39. // Manage records request centre contact
  40. public const MANAGE_RECORDS_REQUEST_CENTRE_CONTACT = 'MANAGE_RECORDS_REQUEST_CENTRE_CONTACT';
  42. public const LIST_ACCOUNT = 'LIST_ACCOUNT';
  43. public const LIST_PROJECT = 'LIST_PROJECT';
  44. public const LIST_PROJECT_CLOSED = 'LIST_PROJECT_CLOSED';
  45. public const LIST_USER = 'LIST_USER';
  46. public const LIST_SERVICE_OPTION = 'LIST_SERVICE_OPTION';
  47. public const LIST_BILLING_ITEM = 'LIST_BILLING_ITEM';
  48. public const LIST_PENDING_INVOICE = 'LIST_PENDING_INVOICE';
  49. public const LIST_INVOICE = 'LIST_INVOICE';
  50. public const LIST_SORTING_MEMO_PHRASE = 'LIST_SORTING_MEMO_PHRASE';
  51. public const LIST_MATTER_REQUEST = 'LIST_MATTER_REQUEST';
  52. public const LIST_RECORDS_REQUEST_CENTRE_PARENT = 'LIST_RECORDS_REQUEST_CENTRE_PARENT';
  53. public const LIST_RECORDS_REQUEST_CENTRE_CHILD = 'LIST_RECORDS_REQUEST_CENTRE_CHILD';
  54. public const LIST_RECORDS_REQUEST_CENTRE_ARCHIVED = 'LIST_RECORDS_REQUEST_CENTRE_ARCHIVED';
  55. public const LIST_RECORDS_REQUEST_LETTER_TEMPLATE = 'LIST_RECORDS_REQUEST_LETTER_TEMPLATE';
  56. public const LIST_FIRM = 'LIST_FIRM';
  57. public const LIST_PROJECT_TYPE = 'LIST_PROJECT_TYPE';
  58. public const LIST_PROJECT_RENEWALS = 'LIST_PROJECT_RENEWALS';
  60. public const USER_ADMINISTRATION = 'USER_ADMINISTRATION'; // indicates full user administration rights (CRUD)
  61. public const HUMAN_RESOURCE_ADMINISTRATION = 'HUMAN_RESOURCE_ADMINISTRATION'; // indicates full human resource administration rights (CRUD)
  62. public const USER_HELP_ADMINISTRATION = 'USER_HELP_ADMINISTRATION'; // indicates user Help Guide administration rights (CRUD)
  64. public const PRIORITISE_DISCS = 'PRIORITISE_DISCS';
  66. // Allow specific Users to mark stuffs as billed
  67. public const MARK_AS_BILLED = 'MARK_AS_BILLED';
  69. // Grants access to the 'Advanced' fields of all ServiceableInterface entities.
  70. public const SERVICE_REQUEST_ADVANCED = 'SERVICE_REQUEST_ADVANCED';
  72. public const ALLOW_USER_TYPE_CHANGE = 'ALLOW_USER_TYPE_CHANGE';
  74. // Migrated from ReportsBundle
  75. public const CREATE_REPORT = 'CREATE_REPORT';
  76. public const LIST_REPORT = 'LIST_REPORT';
  77. public const DOWNLOAD_REPORT = 'DOWNLOAD_REPORT';
  79. // Download Lists
  80. public const DOWNLOAD_PROJECT_LIST = 'DOWNLOAD_PROJECT_LIST';
  82. // User profile access
  83. public const VIEW_MY_PROFILE = 'VIEW_MY_PROFILE';
  85. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker, private readonly UserHelper $userHelper)
  86. {
  87. }
  89. public function supportsAttribute($attribute): bool
  90. {
  91. return in_array($attribute, [
  92. self::CREATE_ACCOUNT,
  93. self::CREATE_PROJECT,
  94. self::LIST_ACCOUNT,
  95. self::LIST_PROJECT,
  96. self::LIST_USER,
  97. self::USER_ADMINISTRATION,
  98. self::USER_HELP_ADMINISTRATION,
  99. self::LIST_PROJECT_CLOSED,
  100. self::PRIORITISE_DISCS,
  101. self::LIST_SERVICE_OPTION,
  102. self::CREATE_SERVICE_OPTION,
  103. self::LIST_BILLING_ITEM,
  104. self::CREATE_BILLING_ITEM,
  105. self::CREATE_INVOICE,
  106. self::LIST_PENDING_INVOICE,
  107. self::LIST_INVOICE,
  108. self::HUMAN_RESOURCE_ADMINISTRATION,
  109. self::SERVICE_REQUEST_ADVANCED,
  110. self::MARK_AS_BILLED,
  111. self::CREATE_SORTING_MEMO_PHRASE,
  112. self::LIST_SORTING_MEMO_PHRASE,
  113. self::LIST_MATTER_REQUEST,
  114. self::CREATE_MATTER_REQUEST,
  115. self::CREATE_RECORDS_REQUEST_CENTRE_PARENT,
  116. self::LIST_RECORDS_REQUEST_CENTRE_PARENT,
  117. self::CREATE_RECORDS_REQUEST_CENTRE_CHILD,
  118. self::LIST_RECORDS_REQUEST_CENTRE_CHILD,
  119. self::CREATE_RECORDS_REQUEST_CENTRE_CONTACT,
  120. self::MANAGE_RECORDS_REQUEST_CENTRE_CONTACT,
  121. self::LIST_RECORDS_REQUEST_CENTRE_ARCHIVED,
  122. self::CREATE_RECORDS_REQUEST_LETTER_TEMPLATE,
  123. self::LIST_RECORDS_REQUEST_LETTER_TEMPLATE,
  124. self::ALLOW_USER_TYPE_CHANGE,
  125. self::CREATE_REPORT,
  126. self::LIST_REPORT,
  127. self::DOWNLOAD_REPORT,
  128. self::DOWNLOAD_PROJECT_LIST,
  129. self::LIST_FIRM,
  130. self::CREATE_FIRM,
  131. self::LIST_PROJECT_TYPE,
  132. self::LIST_PROJECT_RENEWALS,
  133. self::VIEW_MY_PROFILE,
  134. 'EA_EXECUTE_ACTION',
  135. ]);
  136. }
  138. public function supportsClass($class): bool
  139. {
  140. // the class is inconsequential for this Voter
  141. return true;
  142. }
  144. /**
  145. *
  146. * @param mixed $entity
  147. */
  148. #[Override]
  149. public function vote(TokenInterface $token, $entity, array $attributes)
  150. {
  151. /**
  152. * START: This is common code for all Voter::vote() methods
  153. */
  154. // check if class of this object is supported by this voter
  155. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  156. return VoterInterface::ACCESS_ABSTAIN;
  157. }
  159. // set the attribute to check against
  160. $attribute = $attributes[0];
  162. // check if the given attribute is covered by this voter
  163. if (!$this->supportsAttribute($attribute)) {
  164. return VoterInterface::ACCESS_ABSTAIN;
  165. }
  167. // check if the voter is used correct, only allow one attribute
  168. // this isn't a requirement, it's just one easy way for you to
  169. // design your voter
  170. if (1 !== count($attributes)) {
  171. throw new InvalidArgumentException(
  172. 'Only one attribute is allowed for medbrief Voters.'
  173. );
  174. }
  176. // get current logged in user
  177. /** @var User $user */
  178. $user = $token->getUser();
  180. // make sure there is a user object (i.e. that the user is logged in)
  181. if (!$user instanceof UserInterface) {
  182. return VoterInterface::ACCESS_DENIED;
  183. }
  185. // Check if the user can view the 'My Profile' section
  186. if ($attribute === self::VIEW_MY_PROFILE) {
  187. return $this->canViewMyProfile($user);
  188. }
  190. // Universally disable this for now, as we will launch without the ability to add new ones.
  191. if ($attribute === self::CREATE_SORTING_MEMO_PHRASE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  192. return VoterInterface::ACCESS_DENIED;
  193. }
  195. // Only ROLE_ADMIN and ROLE_SUPER_ADMIN can PRIORITISE_DISCS at this stage.
  196. if ($attribute === self::PRIORITISE_DISCS && $this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  197. return VoterInterface::ACCESS_GRANTED;
  198. }
  200. // Only ROLE_HR_ADMIN can HUMAN_RESOURCE_ADMINISTRATION at this stage.
  201. // The ROLE_HR_ADMIN role can only be added via a command.
  202. if ($attribute === self::HUMAN_RESOURCE_ADMINISTRATION && (!$this->authorizationChecker->isGranted('ROLE_HR_ADMIN') || $this->authorizationChecker->isGranted('IS_IMPERSONATOR'))) {
  203. return VoterInterface::ACCESS_DENIED;
  204. }
  206. // Only SUPER_ADMIN can CREATE_SERVICE_OPTION at this stage.
  207. if ($attribute === self::CREATE_SERVICE_OPTION && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  208. return VoterInterface::ACCESS_DENIED;
  209. }
  211. // Only SUPER_ADMIN can CREATE_BILLING_ITEM at this stage.
  212. if ($attribute === self::CREATE_BILLING_ITEM && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  213. return VoterInterface::ACCESS_DENIED;
  214. }
  216. // Only SUPER_ADMIN can CREATE_RECORDS_REQUEST_LETTER_TEMPLATE.
  217. if ($attribute === self::CREATE_RECORDS_REQUEST_LETTER_TEMPLATE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  218. return VoterInterface::ACCESS_DENIED;
  219. }
  221. // Only SUPER_ADMIN can LIST_RECORDS_REQUEST_LETTER_TEMPLATE.
  222. if ($attribute === self::LIST_RECORDS_REQUEST_LETTER_TEMPLATE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  223. return VoterInterface::ACCESS_DENIED;
  224. }
  226. // Only Super Admins and those with isBillingAdmin can mark ServiceRequests as billed.
  227. if ($attribute === self::MARK_AS_BILLED) {
  228. if ($this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN') || $user->isBillingAdmin()) {
  229. return VoterInterface::ACCESS_GRANTED;
  230. }
  231. return VoterInterface::ACCESS_DENIED;
  232. }
  234. // Only Help Guide Admins can create, edit or delete.
  235. if ($attribute === self::USER_HELP_ADMINISTRATION) {
  236. if ($this->authorizationChecker->isGranted('ROLE_HELP_ADMIN')) {
  237. return VoterInterface::ACCESS_GRANTED;
  238. }
  239. return VoterInterface::ACCESS_DENIED;
  240. }
  242. // Super Admin users can do everything
  243. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  244. return VoterInterface::ACCESS_GRANTED;
  245. }
  247. /**
  248. * END: Common code for all Voter:vote() methods. Put custom logic below.
  249. */
  250. $this->userHelper->setUser($user);
  252. // if we are looking if the user may create a matter ('Classic' matter creation process)
  253. // if the user is a client administrator for at least one account
  254. if ($attribute == self::CREATE_PROJECT && ($user->isAccountAdministrator() || $user->isAccountProjectManager())) {
  255. // Grab all accounts that the user has a role on
  256. $accountsWithRole = $this->userHelper->getAccountsWithAnyRole();
  257. foreach ($accountsWithRole as $account) {
  258. if ($account->hasAccessToClassicMatterCreation()) {
  259. // Look for at least one account that has access to the 'Classic' matter creation form
  260. return VoterInterface::ACCESS_GRANTED;
  261. }
  262. }
  263. }
  265. // If the User is a Super Admin, Admin, Client SuperAdmin, Client Admin, Client PM, Matter PM
  266. if ($attribute == self::LIST_PROJECT_RENEWALS && ($user->isAccountAdministrator() || $user->isAccountProjectManager() || $user->isProjectManager())) {
  267. return VoterInterface::ACCESS_GRANTED;
  268. }
  270. // if we are looking if the user may create a matter ('Standard' matter creation process)
  271. if ($attribute === self::CREATE_MATTER_REQUEST || $attribute === self::LIST_MATTER_REQUEST) {
  272. if ($user instanceof Firm) {
  273. // If a Firm is authenticated, they by default have access to create/list matter requests
  274. return VoterInterface::ACCESS_GRANTED;
  275. }
  276. // if the user is a client administrator for at least one account
  277. if ($user->isAccountAdministrator() || $user->isAccountProjectManager() || $user->isAccountTechnicalAdmin()) {
  278. // Grab all accounts that the user has a role on
  279. $accountsWithRole = $this->userHelper->getAccountsWithAnyRole();
  280. foreach ($accountsWithRole as $account) {
  281. if ($account->hasAccessToStandardMatterCreation()) {
  282. // Look for at least one account that has access to the 'Standard' matter creation form
  283. return VoterInterface::ACCESS_GRANTED;
  284. }
  285. }
  286. }
  287. }
  289. // if we are looking if the user may view a list of accounts
  290. if ($attribute == self::LIST_ACCOUNT) {
  292. // if the user is a client administrator for at least one account,
  293. // then they may se a list of Accounts
  294. if ($user->isAccountAdministrator()) {
  295. return VoterInterface::ACCESS_GRANTED;
  296. }
  298. if ($user->isAccountTechnicalAdmin()) {
  299. return VoterInterface::ACCESS_GRANTED;
  300. }
  301. }
  303. //if we are looking if the user may view the 'Type' search filter in the matter dashboard, matter list, closed matters list
  304. if ($attribute == self::LIST_PROJECT_TYPE) {
  305. if ($user->isAccountAdministrator() && !$user->isAccountTechnicalAdmin()) {
  306. return VoterInterface::ACCESS_GRANTED;
  307. }
  309. //if the user has an expert role but not an expert viewer role
  310. if ($user->isExpertOnly() && !$user->isExpertViewerOnly()) {
  311. return VoterInterface::ACCESS_GRANTED;
  312. }
  314. return VoterInterface::ACCESS_DENIED;
  315. }
  317. // if we are looking if the user may view a list of projects
  318. if ($attribute == self::LIST_PROJECT) {
  320. // if the user is an expert agency administrator let them pass.
  321. // this should probably be done in a better way, tying permissions
  322. // to an entity in one place somehow....
  323. if ($user->isExpertAgencyAdministrator()) {
  324. return VoterInterface::ACCESS_GRANTED;
  325. }
  327. $accessibleAccounts = $this->userHelper->getAccountIdsWithAnyRole();
  328. $accessibleProjects = $this->userHelper->getProjectIdsWithAnyRole();
  330. // if the user has been assigned at least one Account or Project
  331. // role, then they have access
  332. if ($accessibleAccounts !== [] || $accessibleProjects !== []) {
  333. return VoterInterface::ACCESS_GRANTED;
  334. }
  335. }
  337. // Check if the User can download a list of projects for all the Accounts they have access to.
  338. if ($attribute === self::DOWNLOAD_PROJECT_LIST) {
  339. return $this->canDownloadProjectList($user);
  340. }
  342. if ($attribute === self::LIST_FIRM) {
  343. return $this->canListFirm($user);
  344. }
  346. // If we get to the end of this function, then no decisions have been
  347. // made so we deny access
  348. return VoterInterface::ACCESS_DENIED;
  349. }
  351. /**
  352. * Checks if a user can download a project list.
  353. *
  354. * @param User $user
  355. */
  356. protected function canDownloadProjectList(User $user): int
  357. {
  358. if ($user) {
  359. switch (true) {
  360. case $user->isAccountProjectManager():
  361. case $user->isAccountAdministrator():
  362. return self::ACCESS_GRANTED;
  363. }
  364. }
  365. return self::ACCESS_DENIED;
  366. }
  368. private function canListFirm(User $user): int
  369. {
  370. if ($user && $user->isAccountTechnicalAdmin()) {
  371. return self::ACCESS_GRANTED;
  372. }
  373. return self::ACCESS_DENIED;
  374. }
  376. /**
  377. * Determines if a user can view the 'My Profile' section of their account section.
  378. *
  379. * The tab is only activated for users invited to matters as:
  380. * - Expert
  381. * - Expert - View only
  382. *
  383. * The tab must NOT display for users that only have expert roles for disclosure matters.
  384. *
  385. * @param User $user
  386. *
  387. * @return int
  388. */
  389. private function canViewMyProfile(User $user): int
  390. {
  391. // Load the user into the UserHelper
  392. $this->userHelper->setUser($user);
  394. $parsedRoles = $this->userHelper->getParsedRoles();
  396. /** @var ParsedRole $parsedRole */
  397. foreach ($parsedRoles as $parsedRole) {
  398. // If subject isn't a Project, ignore
  399. if (!($parsedRole->getSubject() instanceof Project)) {
  400. continue;
  401. }
  403. // If it's not an Expert Role, ignore
  404. if ($parsedRole->isRoleLevelExpert() === false) {
  405. continue;
  406. }
  408. // Check if the project is NOT a disclosure matter
  409. // In which case, we grant access
  410. if ($parsedRole->isDisclosureSubject() === false) {
  411. return self::ACCESS_GRANTED;
  412. }
  413. }
  415. // Also check role invitations
  416. /** @var ParsedRole $parsedRole */
  417. foreach ($this->userHelper->getRoleInvitationsParsedRoles() as $parsedRole) {
  418. if (!($parsedRole->getSubject() instanceof Project)) {
  419. continue;
  420. }
  422. // If it's not an Expert Role, ignore
  423. if ($parsedRole->isRoleLevelExpert() === false) {
  424. continue;
  425. }
  427. // Check if the project is NOT a disclosure matter
  428. // In which case, we grant access
  429. if ($parsedRole->isDisclosureSubject() === false) {
  430. return self::ACCESS_GRANTED;
  431. }
  432. }
  434. return self::ACCESS_DENIED;
  435. }
  436. }