src/Security/Voter/BatchRequestVoter.php line 18

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\BatchRequest;
  7. use MedBrief\MSR\Entity\Project;
  8. use MedBrief\MSR\Entity\ServiceOption;
  9. use MedBrief\MSR\Entity\ServiceRequest;
  10. use MedBrief\MSR\Entity\User;
  11. use MedBrief\MSR\Traits\Security\Authorization\Voter\ClientSortingSessionTrait;
  12. use Override;
  13. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  14. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  15. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  16. use Symfony\Component\Security\Core\User\UserInterface;
  18. class BatchRequestVoter implements VoterInterface
  19. {
  20. use ClientSortingSessionTrait;
  22. public const CREATE = 'CREATE';
  23. public const READ = 'READ';
  24. public const UPDATE = 'UPDATE';
  25. public const UPDATE_SIMPLE = 'UPDATE_SIMPLE';
  26. public const DELETE = 'DELETE';
  27. public const ADMINISTRATION = 'ADMINISTRATION';
  28. public const DUPLICATE = 'DUPLICATE';
  29. public const DOWNLOAD = 'DOWNLOAD';
  30. public const UPLOAD_DOCUMENT = 'UPLOAD_DOCUMENT';
  32. public function __construct(private AuthorizationCheckerInterface $authorizationChecker)
  33. {
  34. }
  36. public function supportsAttribute($attribute): bool
  37. {
  38. return in_array($attribute, [
  39. self::CREATE,
  40. self::READ,
  41. self::UPDATE,
  42. self::UPDATE_SIMPLE,
  43. self::DELETE,
  44. self::ADMINISTRATION,
  45. self::DUPLICATE,
  46. self::DOWNLOAD,
  47. self::UPLOAD_DOCUMENT,
  48. ]);
  49. }
  51. public function supportsClass($class): bool
  52. {
  53. $supportedClass = BatchRequest::class;
  55. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  56. }
  58. /**
  59. *
  60. * @param mixed $entity
  61. */
  62. #[Override]
  63. public function vote(TokenInterface $token, $entity, array $attributes)
  64. {
  65. /**
  66. * START: This is common code for all Voter::vote() methods
  67. */
  68. // check if class of this object is supported by this voter
  69. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  70. return VoterInterface::ACCESS_ABSTAIN;
  71. }
  73. // check if the voter is used correct, only allow one attribute
  74. // this isn't a requirement, it's just one easy way for you to
  75. // design your voter
  76. if (1 !== count($attributes)) {
  77. throw new InvalidArgumentException(
  78. 'Only one attribute is allowed for Medbrief Voters.'
  79. );
  80. }
  82. // set the attribute to check against
  83. $attribute = $attributes[0];
  85. // check if the given attribute is covered by this voter
  86. if (!$this->supportsAttribute($attribute)) {
  87. return VoterInterface::ACCESS_ABSTAIN;
  88. }
  90. /** @var BatchRequest $batchRequest */
  91. $batchRequest = $entity;
  93. // get current logged in user
  94. /** @var User $user */
  95. $user = $token->getUser();
  97. // Grab Project this BatchRequest belongs to, so we can do permission checks at the Project level.
  98. /** @var Project $project */
  99. $project = $batchRequest->getProject();
  101. /** @var ServiceRequest $serviceRequest */
  102. $serviceRequest = $batchRequest->getServiceRequest();
  104. $batchRequest->getSortingSession();
  106. // make sure there is a user object (i.e. that the user is logged in)
  107. if (!$user instanceof UserInterface) {
  108. return VoterInterface::ACCESS_DENIED;
  109. }
  111. // Admin users can do everything
  112. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  113. return VoterInterface::ACCESS_GRANTED;
  114. }
  115. /**
  116. * END: Common code for all Voter:vote() methods. Put custom logic below.
  117. */
  118. // If you can READ the project, you can read the BatchRequest.
  119. if ($attribute === self::READ && $this->authorizationChecker->isGranted('READ', $project)) {
  120. return VoterInterface::ACCESS_GRANTED;
  121. }
  123. $permissionGroup = [
  124. self::UPDATE_SIMPLE,
  125. self::UPLOAD_DOCUMENT,
  126. ];
  127. // if user is client, grant permission to update
  128. // Only grant permission if service option applies to simple batch request.
  129. if (in_array($attribute, $permissionGroup) && $this->hasClientSessionAccess($project, $user) && ($serviceRequest && $serviceRequest->getServiceOption()->getAppliesTo() === ServiceOption::APPLIES_TO_BATCH_REQUEST_SIMPLE)) {
  130. return VoterInterface::ACCESS_GRANTED;
  131. }
  133. if ($attribute === self::DOWNLOAD) {
  134. $clientId = $project->getAccount()->getId();
  135. if (
  136. $this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $clientId . '_ADMINISTRATOR')
  137. || $this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $clientId . '_SUPERADMINISTRATOR')
  138. || $this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $clientId . '_SORTER')
  139. || $this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $clientId . '_PROJECTMANAGER')
  140. // Include Project level Project Managers in this vote.
  141. || $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $project->getId() . '_PROJECTMANAGER')
  142. ) {
  143. return VoterInterface::ACCESS_GRANTED;
  144. }
  145. }
  147. // If we get to the end of this function, then no decisions have been
  148. // made so we deny access
  149. return VoterInterface::ACCESS_DENIED;
  150. }
  151. }