src/Security/Voter/AttributeOnlyVoter.php line 25

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Account;
  7. use MedBrief\MSR\Entity\Expert;
  8. use MedBrief\MSR\Entity\Firm;
  9. use MedBrief\MSR\Entity\Project;
  10. use MedBrief\MSR\Entity\User;
  11. use MedBrief\MSR\Repository\ExpertUserRepository;
  12. use MedBrief\MSR\Role\ParsedRole;
  13. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  14. use Override;
  15. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  16. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  17. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  18. use Symfony\Component\Security\Core\User\UserInterface;
  20. /**
  21. * This Voter handles the voting on checks that don't involve a specific
  22. * entity. Things like checking if a user can do some task like add a new
  23. * Account, or Project etc
  24. */
  25. class AttributeOnlyVoter implements VoterInterface
  26. {
  27. // these should be expanded over time as we need them
  28. public const CREATE_ACCOUNT = 'CREATE_ACCOUNT';
  29. public const CREATE_PROJECT = 'CREATE_PROJECT';
  30. public const CREATE_SERVICE_OPTION = 'CREATE_SERVICE_OPTION';
  31. public const CREATE_BILLING_ITEM = 'CREATE_BILLING_ITEM';
  32. public const CREATE_INVOICE = 'CREATE_INVOICE';
  33. public const CREATE_SORTING_MEMO_PHRASE = 'CREATE_SORTING_MEMO_PHRASE';
  34. public const CREATE_MATTER_REQUEST = 'CREATE_MATTER_REQUEST';
  35. public const CREATE_RECORDS_REQUEST_CENTRE_PARENT = 'CREATE_RECORDS_REQUEST_CENTRE_PARENT';
  36. public const CREATE_RECORDS_REQUEST_CENTRE_CHILD = 'CREATE_RECORDS_REQUEST_CENTRE_CHILD';
  37. public const CREATE_RECORDS_REQUEST_CENTRE_CONTACT = 'CREATE_RECORDS_REQUEST_CENTRE_CONTACT';
  38. public const CREATE_RECORDS_REQUEST_LETTER_TEMPLATE = 'CREATE_RECORDS_REQUEST_LETTER_TEMPLATE';
  39. public const CREATE_FIRM = 'CREATE_FIRM';
  41. // Manage records request centre contact
  42. public const MANAGE_RECORDS_REQUEST_CENTRE_CONTACT = 'MANAGE_RECORDS_REQUEST_CENTRE_CONTACT';
  44. public const LIST_ACCOUNT = 'LIST_ACCOUNT';
  45. public const LIST_PROJECT = 'LIST_PROJECT';
  46. public const LIST_PROJECT_CLOSED = 'LIST_PROJECT_CLOSED';
  47. public const LIST_USER = 'LIST_USER';
  48. public const LIST_SERVICE_OPTION = 'LIST_SERVICE_OPTION';
  49. public const LIST_BILLING_ITEM = 'LIST_BILLING_ITEM';
  50. public const LIST_PENDING_INVOICE = 'LIST_PENDING_INVOICE';
  51. public const LIST_INVOICE = 'LIST_INVOICE';
  52. public const LIST_SORTING_MEMO_PHRASE = 'LIST_SORTING_MEMO_PHRASE';
  53. public const LIST_MATTER_REQUEST = 'LIST_MATTER_REQUEST';
  54. public const LIST_RECORDS_REQUEST_CENTRE_PARENT = 'LIST_RECORDS_REQUEST_CENTRE_PARENT';
  55. public const LIST_RECORDS_REQUEST_CENTRE_CHILD = 'LIST_RECORDS_REQUEST_CENTRE_CHILD';
  56. public const LIST_RECORDS_REQUEST_CENTRE_ARCHIVED = 'LIST_RECORDS_REQUEST_CENTRE_ARCHIVED';
  57. public const LIST_RECORDS_REQUEST_LETTER_TEMPLATE = 'LIST_RECORDS_REQUEST_LETTER_TEMPLATE';
  58. public const LIST_FIRM = 'LIST_FIRM';
  59. public const LIST_PROJECT_TYPE = 'LIST_PROJECT_TYPE';
  60. public const LIST_PROJECT_RENEWALS = 'LIST_PROJECT_RENEWALS';
  62. public const USER_ADMINISTRATION = 'USER_ADMINISTRATION'; // indicates full user administration rights (CRUD)
  63. public const HUMAN_RESOURCE_ADMINISTRATION = 'HUMAN_RESOURCE_ADMINISTRATION'; // indicates full human resource administration rights (CRUD)
  64. public const USER_HELP_ADMINISTRATION = 'USER_HELP_ADMINISTRATION'; // indicates user Help Guide administration rights (CRUD)
  66. public const PRIORITISE_DISCS = 'PRIORITISE_DISCS';
  68. // Allow specific Users to mark stuffs as billed
  69. public const MARK_AS_BILLED = 'MARK_AS_BILLED';
  71. // Grants access to the 'Advanced' fields of all ServiceableInterface entities.
  72. public const SERVICE_REQUEST_ADVANCED = 'SERVICE_REQUEST_ADVANCED';
  74. public const ALLOW_USER_TYPE_CHANGE = 'ALLOW_USER_TYPE_CHANGE';
  76. // Migrated from ReportsBundle
  77. public const CREATE_REPORT = 'CREATE_REPORT';
  78. public const LIST_REPORT = 'LIST_REPORT';
  79. public const DOWNLOAD_REPORT = 'DOWNLOAD_REPORT';
  81. // Download Lists
  82. public const DOWNLOAD_PROJECT_LIST = 'DOWNLOAD_PROJECT_LIST';
  84. // User profile access
  85. public const VIEW_MY_PROFILE = 'VIEW_MY_PROFILE';
  87. public function __construct(
  88. private readonly AuthorizationCheckerInterface $authorizationChecker,
  89. private readonly UserHelper $userHelper,
  90. private readonly ExpertUserRepository $expertUserRepository,
  91. ) {
  92. }
  94. public function supportsAttribute($attribute): bool
  95. {
  96. return in_array($attribute, [
  97. self::CREATE_ACCOUNT,
  98. self::CREATE_PROJECT,
  99. self::LIST_ACCOUNT,
  100. self::LIST_PROJECT,
  101. self::LIST_USER,
  102. self::USER_ADMINISTRATION,
  103. self::USER_HELP_ADMINISTRATION,
  104. self::LIST_PROJECT_CLOSED,
  105. self::PRIORITISE_DISCS,
  106. self::LIST_SERVICE_OPTION,
  107. self::CREATE_SERVICE_OPTION,
  108. self::LIST_BILLING_ITEM,
  109. self::CREATE_BILLING_ITEM,
  110. self::CREATE_INVOICE,
  111. self::LIST_PENDING_INVOICE,
  112. self::LIST_INVOICE,
  113. self::HUMAN_RESOURCE_ADMINISTRATION,
  114. self::SERVICE_REQUEST_ADVANCED,
  115. self::MARK_AS_BILLED,
  116. self::CREATE_SORTING_MEMO_PHRASE,
  117. self::LIST_SORTING_MEMO_PHRASE,
  118. self::LIST_MATTER_REQUEST,
  119. self::CREATE_MATTER_REQUEST,
  120. self::CREATE_RECORDS_REQUEST_CENTRE_PARENT,
  121. self::LIST_RECORDS_REQUEST_CENTRE_PARENT,
  122. self::CREATE_RECORDS_REQUEST_CENTRE_CHILD,
  123. self::LIST_RECORDS_REQUEST_CENTRE_CHILD,
  124. self::CREATE_RECORDS_REQUEST_CENTRE_CONTACT,
  125. self::MANAGE_RECORDS_REQUEST_CENTRE_CONTACT,
  126. self::LIST_RECORDS_REQUEST_CENTRE_ARCHIVED,
  127. self::CREATE_RECORDS_REQUEST_LETTER_TEMPLATE,
  128. self::LIST_RECORDS_REQUEST_LETTER_TEMPLATE,
  129. self::ALLOW_USER_TYPE_CHANGE,
  130. self::CREATE_REPORT,
  131. self::LIST_REPORT,
  132. self::DOWNLOAD_REPORT,
  133. self::DOWNLOAD_PROJECT_LIST,
  134. self::LIST_FIRM,
  135. self::CREATE_FIRM,
  136. self::LIST_PROJECT_TYPE,
  137. self::LIST_PROJECT_RENEWALS,
  138. self::VIEW_MY_PROFILE,
  139. 'EA_EXECUTE_ACTION',
  140. ]);
  141. }
  143. public function supportsClass($class): bool
  144. {
  145. // the class is inconsequential for this Voter
  146. return true;
  147. }
  149. /**
  150. *
  151. * @param mixed $entity
  152. */
  153. #[Override]
  154. public function vote(TokenInterface $token, $entity, array $attributes)
  155. {
  156. /**
  157. * START: This is common code for all Voter::vote() methods
  158. */
  159. // check if class of this object is supported by this voter
  160. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  161. return VoterInterface::ACCESS_ABSTAIN;
  162. }
  164. // set the attribute to check against
  165. $attribute = $attributes[0];
  167. // check if the given attribute is covered by this voter
  168. if (!$this->supportsAttribute($attribute)) {
  169. return VoterInterface::ACCESS_ABSTAIN;
  170. }
  172. // check if the voter is used correct, only allow one attribute
  173. // this isn't a requirement, it's just one easy way for you to
  174. // design your voter
  175. if (1 !== count($attributes)) {
  176. throw new InvalidArgumentException(
  177. 'Only one attribute is allowed for medbrief Voters.'
  178. );
  179. }
  181. // get current logged in user
  182. /** @var User $user */
  183. $user = $token->getUser();
  185. // make sure there is a user object (i.e. that the user is logged in)
  186. if (!$user instanceof UserInterface) {
  187. return VoterInterface::ACCESS_DENIED;
  188. }
  190. // Check if the user can view the 'My Profile' section
  191. if ($attribute === self::VIEW_MY_PROFILE) {
  192. return $this->canViewMyProfile($user);
  193. }
  195. // Universally disable this for now, as we will launch without the ability to add new ones.
  196. if ($attribute === self::CREATE_SORTING_MEMO_PHRASE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  197. return VoterInterface::ACCESS_DENIED;
  198. }
  200. // Only ROLE_ADMIN and ROLE_SUPER_ADMIN can PRIORITISE_DISCS at this stage.
  201. if ($attribute === self::PRIORITISE_DISCS && $this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  202. return VoterInterface::ACCESS_GRANTED;
  203. }
  205. // Only ROLE_HR_ADMIN can HUMAN_RESOURCE_ADMINISTRATION at this stage.
  206. // The ROLE_HR_ADMIN role can only be added via a command.
  207. if ($attribute === self::HUMAN_RESOURCE_ADMINISTRATION && (!$this->authorizationChecker->isGranted('ROLE_HR_ADMIN') || $this->authorizationChecker->isGranted('IS_IMPERSONATOR'))) {
  208. return VoterInterface::ACCESS_DENIED;
  209. }
  211. // Only SUPER_ADMIN can CREATE_SERVICE_OPTION at this stage.
  212. if ($attribute === self::CREATE_SERVICE_OPTION && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  213. return VoterInterface::ACCESS_DENIED;
  214. }
  216. // Only SUPER_ADMIN can CREATE_BILLING_ITEM at this stage.
  217. if ($attribute === self::CREATE_BILLING_ITEM && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  218. return VoterInterface::ACCESS_DENIED;
  219. }
  221. // Only SUPER_ADMIN can CREATE_RECORDS_REQUEST_LETTER_TEMPLATE.
  222. if ($attribute === self::CREATE_RECORDS_REQUEST_LETTER_TEMPLATE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  223. return VoterInterface::ACCESS_DENIED;
  224. }
  226. // Only SUPER_ADMIN can LIST_RECORDS_REQUEST_LETTER_TEMPLATE.
  227. if ($attribute === self::LIST_RECORDS_REQUEST_LETTER_TEMPLATE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  228. return VoterInterface::ACCESS_DENIED;
  229. }
  231. // Only Super Admins and those with isBillingAdmin can mark ServiceRequests as billed.
  232. if ($attribute === self::MARK_AS_BILLED) {
  233. if ($this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN') || $user->isBillingAdmin()) {
  234. return VoterInterface::ACCESS_GRANTED;
  235. }
  236. return VoterInterface::ACCESS_DENIED;
  237. }
  239. // Only Help Guide Admins can create, edit or delete.
  240. if ($attribute === self::USER_HELP_ADMINISTRATION) {
  241. if ($this->authorizationChecker->isGranted('ROLE_HELP_ADMIN')) {
  242. return VoterInterface::ACCESS_GRANTED;
  243. }
  244. return VoterInterface::ACCESS_DENIED;
  245. }
  247. // Super Admin users can do everything
  248. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  249. return VoterInterface::ACCESS_GRANTED;
  250. }
  252. /**
  253. * END: Common code for all Voter:vote() methods. Put custom logic below.
  254. */
  255. $this->userHelper->setUser($user);
  257. // if we are looking if the user may create a matter ('Classic' matter creation process)
  258. // if the user is a client administrator for at least one account
  259. if ($attribute == self::CREATE_PROJECT && ($user->isAccountAdministrator() || $user->isAccountProjectManager())) {
  260. // Grab all accounts that the user has a role on
  261. $accountsWithRole = $this->userHelper->getAccountsWithAnyRole();
  262. foreach ($accountsWithRole as $account) {
  263. if ($account->hasAccessToClassicMatterCreation()) {
  264. // Look for at least one account that has access to the 'Classic' matter creation form
  265. return VoterInterface::ACCESS_GRANTED;
  266. }
  267. }
  268. }
  270. // If the User is a Super Admin, Admin, Client SuperAdmin, Client Admin, Client PM, Matter PM
  271. if ($attribute == self::LIST_PROJECT_RENEWALS && ($user->isAccountAdministrator() || $user->isAccountProjectManager() || $user->isProjectManager())) {
  272. return VoterInterface::ACCESS_GRANTED;
  273. }
  275. // if we are looking if the user may create a matter ('Standard' matter creation process)
  276. if ($attribute === self::CREATE_MATTER_REQUEST || $attribute === self::LIST_MATTER_REQUEST) {
  277. if ($user instanceof Firm) {
  278. // If a Firm is authenticated, they by default have access to create/list matter requests
  279. return VoterInterface::ACCESS_GRANTED;
  280. }
  281. // if the user is a client administrator for at least one account
  282. if ($user->isAccountAdministrator() || $user->isAccountProjectManager() || $user->isAccountTechnicalAdmin()) {
  283. // Grab all accounts that the user has a role on
  284. $accountsWithRole = $this->userHelper->getAccountsWithAnyRole();
  285. foreach ($accountsWithRole as $account) {
  286. if ($account->hasAccessToStandardMatterCreation()) {
  287. // Look for at least one account that has access to the 'Standard' matter creation form
  288. return VoterInterface::ACCESS_GRANTED;
  289. }
  290. }
  291. }
  292. }
  294. // if we are looking if the user may view a list of accounts
  295. if ($attribute == self::LIST_ACCOUNT) {
  297. // if the user is a client administrator for at least one account,
  298. // then they may se a list of Accounts
  299. if ($user->isAccountAdministrator()) {
  300. return VoterInterface::ACCESS_GRANTED;
  301. }
  303. if ($user->isAccountTechnicalAdmin()) {
  304. return VoterInterface::ACCESS_GRANTED;
  305. }
  306. }
  308. //if we are looking if the user may view the 'Type' search filter in the matter dashboard, matter list, closed matters list
  309. if ($attribute == self::LIST_PROJECT_TYPE) {
  310. if ($user->isAccountAdministrator() && !$user->isAccountTechnicalAdmin()) {
  311. return VoterInterface::ACCESS_GRANTED;
  312. }
  314. //if the user has an expert role but not an expert viewer role
  315. if ($user->isExpertOnly() && !$user->isExpertViewerOnly()) {
  316. return VoterInterface::ACCESS_GRANTED;
  317. }
  319. return VoterInterface::ACCESS_DENIED;
  320. }
  322. // if we are looking if the user may view a list of projects
  323. if ($attribute == self::LIST_PROJECT) {
  325. // if the user is an expert agency administrator let them pass.
  326. // this should probably be done in a better way, tying permissions
  327. // to an entity in one place somehow....
  328. if ($user->isExpertAgencyAdministrator()) {
  329. return VoterInterface::ACCESS_GRANTED;
  330. }
  332. $accessibleAccounts = $this->userHelper->getAccountIdsWithAnyRole();
  333. $accessibleProjects = $this->userHelper->getProjectIdsWithAnyRole();
  335. // if the user has been assigned at least one Account or Project
  336. // role, then they have access
  337. if ($accessibleAccounts !== [] || $accessibleProjects !== []) {
  338. return VoterInterface::ACCESS_GRANTED;
  339. }
  340. }
  342. // Check if the User can download a list of projects for all the Accounts they have access to.
  343. if ($attribute === self::DOWNLOAD_PROJECT_LIST) {
  344. return $this->canDownloadProjectList($user);
  345. }
  347. if ($attribute === self::LIST_FIRM) {
  348. return $this->canListFirm($user);
  349. }
  351. // If we get to the end of this function, then no decisions have been
  352. // made so we deny access
  353. return VoterInterface::ACCESS_DENIED;
  354. }
  356. /**
  357. * Checks if a user can download a project list.
  358. *
  359. * @param User $user
  360. */
  361. protected function canDownloadProjectList(User $user): int
  362. {
  363. if ($user) {
  364. switch (true) {
  365. case $user->isAccountProjectManager():
  366. case $user->isAccountAdministrator():
  367. return self::ACCESS_GRANTED;
  368. }
  369. }
  370. return self::ACCESS_DENIED;
  371. }
  373. private function canListFirm(User $user): int
  374. {
  375. if ($user && $user->isAccountTechnicalAdmin()) {
  376. return self::ACCESS_GRANTED;
  377. }
  378. return self::ACCESS_DENIED;
  379. }
  381. /**
  382. * Determines if a user can view the 'My Profile' section of their account section.
  383. *
  384. * The tab is only activated for users invited to matters as:
  385. * - Expert
  386. * - Expert - View only
  387. *
  388. * The tab must NOT display for users that only have expert roles for disclosure matters.
  389. *
  390. * @param User $user
  391. *
  392. * @return int
  393. */
  394. private function canViewMyProfile(User $user): int
  395. {
  396. // Load the user into the UserHelper
  397. $this->userHelper->setUser($user);
  399. $parsedRoles = $this->userHelper->getParsedRoles();
  401. /** @var ParsedRole $parsedRole */
  402. foreach ($parsedRoles as $parsedRole) {
  403. // If subject isn't a Project, ignore
  404. if (!($parsedRole->getSubject() instanceof Project)) {
  405. continue;
  406. }
  408. // If it's not an Expert Role, ignore
  409. if ($parsedRole->isRoleLevelExpert() === false) {
  410. continue;
  411. }
  413. // Check if the project is NOT a disclosure matter
  414. // In which case, we grant access
  415. if ($parsedRole->isDisclosureSubject() === false) {
  416. return self::ACCESS_GRANTED;
  417. }
  418. }
  420. // Also check role invitations
  421. /** @var ParsedRole $parsedRole */
  422. foreach ($this->userHelper->getRoleInvitationsParsedRoles() as $parsedRole) {
  423. if (!($parsedRole->getSubject() instanceof Project)) {
  424. continue;
  425. }
  427. // If it's not an Expert Role, ignore
  428. if ($parsedRole->isRoleLevelExpert() === false) {
  429. continue;
  430. }
  432. // Check if the project is NOT a disclosure matter
  433. // In which case, we grant access
  434. if ($parsedRole->isDisclosureSubject() === false) {
  435. return self::ACCESS_GRANTED;
  436. }
  437. }
  439. // Grant access if they have an expert profile
  440. if ($this->expertUserRepository->getExpertByUser($user) instanceof Expert) {
  441. return self::ACCESS_GRANTED;
  442. }
  444. return self::ACCESS_DENIED;
  445. }
  446. }