src/Security/Voter/ChronologyRequestDetailVoter.php line 14

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\ChronologyRequestDetail;
  7. use MedBrief\MSR\Entity\User;
  8. use Override;
  9. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  11. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  12. use Symfony\Component\Security\Core\User\UserInterface;
  14. class ChronologyRequestDetailVoter implements VoterInterface
  15. {
  16. public const CREATE = 'CREATE';
  17. public const READ = 'READ';
  18. public const UPDATE = 'UPDATE';
  19. public const DELETE = 'DELETE';
  20. public const ADMINISTRATION = 'ADMINISTRATION';
  22. /**
  23. * @param AuthorizationChecker $authorizationChecker
  24. */
  25. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker)
  26. {
  27. }
  29. public function supportsAttribute($attribute): bool
  30. {
  31. return in_array($attribute, [
  32. self::CREATE,
  33. self::READ,
  34. self::UPDATE,
  35. self::DELETE,
  36. self::ADMINISTRATION,
  37. ]);
  38. }
  40. public function supportsClass($class): bool
  41. {
  42. $supportedClass = ChronologyRequestDetail::class;
  44. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  45. }
  47. /**
  48. *
  49. * @param mixed $entity
  50. */
  51. #[Override]
  52. public function vote(TokenInterface $token, $entity, array $attributes)
  53. {
  54. /**
  55. * START: This is common code for all Voter::vote() methods
  56. */
  57. // check if class of this object is supported by this voter
  58. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  59. return VoterInterface::ACCESS_ABSTAIN;
  60. }
  62. // check if the voter is used correct, only allow one attribute
  63. // this isn't a requirement, it's just one easy way for you to
  64. // design your voter
  65. if (1 !== count($attributes)) {
  66. throw new InvalidArgumentException(
  67. 'Only one attribute is allowed for Medbrief Voters.'
  68. );
  69. }
  71. // set the attribute to check against
  72. $attribute = $attributes[0];
  74. // check if the given attribute is covered by this voter
  75. if (!$this->supportsAttribute($attribute)) {
  76. return VoterInterface::ACCESS_ABSTAIN;
  77. }
  79. // get current logged in user
  80. /** @var User $user */
  81. $user = $token->getUser();
  83. // make sure there is a user object (i.e. that the user is logged in)
  84. if (!$user instanceof UserInterface) {
  85. return VoterInterface::ACCESS_DENIED;
  86. }
  88. // Admin users can do everything
  89. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  90. return VoterInterface::ACCESS_GRANTED;
  91. }
  92. /**
  93. * END: Common code for all Voter:vote() methods. Put custom logic below.
  94. */
  96. // If you created the ChronologyRequest detail, then you can UPDATE and DELETE it,
  97. // else, only MedBrief Admins and Super Admins can.
  98. // Consequently, only MedBrief Admins and Super Admins can UPDATE and DELETE a
  99. // detail generated by an incoming/outgoing email, as it has no creator attached.
  100. if (($attribute === self::UPDATE || $attribute === self::DELETE) && ($entity->getCreator() && $entity->getCreator()->getId() == $user->getId())) {
  101. return VoterInterface::ACCESS_GRANTED;
  102. }
  104. // If we get to the end of this function, then no decisions have been
  105. // made so we deny access
  106. return VoterInterface::ACCESS_DENIED;
  107. }
  108. }