src/Security/Voter/CollectionVoter.php line 16

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use Doctrine\ORM\EntityManagerInterface;
  6. use InvalidArgumentException;
  7. use MedBrief\MSR\Entity\Collection;
  8. use MedBrief\MSR\Entity\ProjectUser;
  9. use Override;
  10. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  11. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  12. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  14. use Symfony\Component\Security\Core\User\UserInterface;
  16. class CollectionVoter implements VoterInterface
  17. {
  18. public const CREATE = 'CREATE';
  19. public const READ = 'READ';
  20. public const UPDATE = 'UPDATE';
  21. public const DELETE = 'DELETE';
  22. public const ADMINISTRATION = 'ADMINISTRATION';
  23. public const DOWNLOAD = 'DOWNLOAD';
  24. public const ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS = 'ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS';
  26. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker, private readonly EntityManagerInterface $entityManager)
  27. {
  28. }
  30. public function supportsAttribute($attribute): bool
  31. {
  32. return in_array($attribute, [
  33. self::CREATE,
  34. self::READ,
  35. self::UPDATE,
  36. self::DELETE,
  37. self::ADMINISTRATION,
  38. self::DOWNLOAD,
  39. self::ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS,
  40. ]);
  41. }
  43. public function supportsClass($class): bool
  44. {
  45. $supportedClass = Collection::class;
  47. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  48. }
  50. /**
  51. *
  52. * @param mixed $entity
  53. */
  54. #[Override]
  55. public function vote(TokenInterface $token, $entity, array $attributes)
  56. {
  57. /**
  58. * START: This is common code for all Voter::vote() methods
  59. */
  60. // check if class of this object is supported by this voter
  61. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  62. return VoterInterface::ACCESS_ABSTAIN;
  63. }
  65. // check if the voter is used correct, only allow one attribute
  66. // this isn't a requirement, it's just one easy way for you to
  67. // design your voter
  68. if (1 !== count($attributes)) {
  69. throw new InvalidArgumentException(
  70. 'Only one attribute is allowed for Medbrief Voters.'
  71. );
  72. }
  74. // set the attribute to check against
  75. $attribute = $attributes[0];
  77. // check if the given attribute is covered by this voter
  78. if (!$this->supportsAttribute($attribute)) {
  79. return VoterInterface::ACCESS_ABSTAIN;
  80. }
  82. // get current logged in user
  83. $user = $token->getUser();
  85. // make sure there is a user object (i.e. that the user is logged in)
  86. if (!$user instanceof UserInterface) {
  87. return VoterInterface::ACCESS_DENIED;
  88. }
  90. // Admin users can do everything
  91. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  92. return VoterInterface::ACCESS_GRANTED;
  93. }
  94. /**
  95. * END: Common code for all Voter:vote() methods. Put custom logic below.
  96. */
  98. // If this user has ADMINISTRATION rights for the project to which this
  99. // collection belongs
  100. if ($this->authorizationChecker->isGranted('ADMINISTRATION', $entity->getProject())) {
  102. // then they have access to do anything
  103. return VoterInterface::ACCESS_GRANTED;
  104. }
  106. // Decide if we allow the advanced annotation download options to display in the form for this collection.
  107. if ($attribute === self::ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS && ($entity->getProject() && $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getProject()->getId() . '_PROJECTMANAGER'))) {
  108. return VoterInterface::ACCESS_GRANTED;
  109. }
  111. if ($attribute == self::UPDATE || $attribute == self::DELETE) {
  112. // Retrieve the collection's root collection
  113. $rootCollection = $this->entityManager->getRepository(Collection::class)->find($entity->getRoot());
  114. // Get the project from the collection's root collection.
  115. $project = $rootCollection->getProject();
  117. // MEDICAL_RECORDS_ADMINISTRATION can update and delete any medical records Collection.
  118. if ($this->authorizationChecker->isGranted('MEDICAL_RECORDS_ADMINISTRATION', $project)) {
  119. $isGranted
  120. // Is the Collection in the public medical records Collection?
  121. = ($project->getMedicalRecordsCollection() && $project->getMedicalRecordsCollection()->containsCollectionRecursive($entity))
  122. // Or Private Collections?
  123. || ($project->getPrivateCollection() && $project->getPrivateCollection()->containsCollectionRecursive($entity))
  124. // Or PrivateSandbox Collections?
  125. || ($project->getPrivateSandboxCollection() && $project->getPrivateSandboxCollection()->containsCollectionRecursive($entity))
  126. // Or Unsorted Records collection?
  127. || ($project->getUnsortedRecordsCollection() && $project->getUnsortedRecordsCollection()->containsCollectionRecursive($entity));
  128. if ($isGranted) {
  129. return VoterInterface::ACCESS_GRANTED;
  130. }
  131. }
  133. // Grab the ProjectUser, so we can do some checks against the user's private collections.
  134. $projectUser = $this->entityManager->getRepository(ProjectUser::class)->findOneBy(['user' => $user, 'project' => $project]);
  136. // A user can update and delete collections that they created, contained in their PrivateSandbox collection.
  137. if ($projectUser) {
  138. $isGranted
  139. // Is the collection in the user's PrivateSandbox Collection?
  140. = $projectUser->getPrivateSandboxCollection()
  141. && $projectUser->getPrivateSandboxCollection()->containsCollectionRecursive($entity)
  142. // And did they create the Collection?
  143. && $entity->getCreator()
  144. && $entity->getCreator()->getId() == $user->getId();
  145. if ($isGranted) {
  146. // If we're updating, no problem...
  147. if ($attribute == self::UPDATE) {
  148. return VoterInterface::ACCESS_GRANTED;
  149. }
  151. // If we're deleting, then we need to check there are no Collections/Documents in the Collection that the user
  152. // does not have permission to delete.
  153. if ($attribute == self::DELETE) {
  154. // Check the user has access to delete the Documents contained directly in the collection.
  155. foreach ($entity->getDocuments() as $document) {
  156. if (!$this->authorizationChecker->isGranted('DELETE', $document)) {
  157. return VoterInterface::ACCESS_DENIED;
  158. }
  159. }
  161. // Grab all child Collections of the Collection
  162. $children = $this->entityManager->getRepository(Collection::class)->getChildren($entity);
  163. foreach ($children as $childCollection) {
  164. // Check the user has access to delete each of the child Collections, if one fails, we deny access.
  165. if (!$this->authorizationChecker->isGranted('DELETE', $childCollection)) {
  166. return VoterInterface::ACCESS_DENIED;
  167. }
  168. // Check the user has access to delete the Documents in the child Collection, If one fails, we deny access.
  169. foreach ($childCollection->getDocuments() as $document) {
  170. if (!$this->authorizationChecker->isGranted('DELETE', $document)) {
  171. return VoterInterface::ACCESS_DENIED;
  172. }
  173. }
  174. }
  176. // All clear for DELETE, grant access
  177. return VoterInterface::ACCESS_GRANTED;
  178. }
  179. }
  180. }
  181. }
  183. if ($attribute == self::DOWNLOAD) {
  184. // Get the Project from the Collection's root collection.
  185. $rootCollection = $this->entityManager->getRepository(Collection::class)->find($entity->getRoot());
  186. $project = $rootCollection->getProject();
  188. // MEDICAL_RECORDS_ADMINISTRATION can download all medical record Collections.
  189. if ($this->authorizationChecker->isGranted('MEDICAL_RECORDS_ADMINISTRATION', $project)) {
  190. $isGranted
  191. // Is the Collection in the Public Medical Record Collection?
  192. = ($project->getMedicalRecordsCollection() && $project->getMedicalRecordsCollection()->containsCollectionRecursive($entity))
  193. // Or, Private Medical Record collection?
  194. || ($project->getPrivateCollection() && $project->getPrivateCollection()->containsCollectionRecursive($entity))
  195. // Or, PrivateSandbox Medical Record collection?
  196. || ($project->getPrivateSandboxCollection() && $project->getPrivateSandboxCollection()->containsCollectionRecursive($entity))
  197. // Or, Unsorted Records collection?
  198. || ($project->getUnsortedRecordsCollection() && $project->getUnsortedRecordsCollection()->containsCollectionRecursive($entity));
  199. if ($isGranted) {
  200. return VoterInterface::ACCESS_GRANTED;
  201. }
  202. }
  204. // Grab the ProjectUser, so we can do some checks against the user's private Collections.
  205. $projectUser = $this->entityManager->getRepository(ProjectUser::class)->findOneBy(['user' => $user, 'project' => $project]);
  207. // Users with MEDICAL_RECORD_DOWNLOAD can download collections in the public medical records folder, as well as collections in their
  208. // private collection. They can also download records from the Unsorted Records folder.
  209. if ($projectUser && $this->authorizationChecker->isGranted('MEDICAL_RECORD_DOWNLOAD', $project)) {
  210. $isGranted
  211. // Is the Collection in the Public Medical Record Collection?
  212. = ($project->getMedicalRecordsCollection() && $project->getMedicalRecordsCollection()->containsCollectionRecursive($entity))
  213. // Or, is it in user's own Private Medical Record Collection?
  214. || ($projectUser->getPrivateCollection() && $projectUser->getPrivateCollection()->containsCollectionRecursive($entity))
  215. // Or, is it in the Unsorted Records collection?
  216. || ($project->getUnsortedRecordsCollection() && $project->getUnsortedRecordsCollection()->containsCollectionRecursive($entity));
  217. if ($isGranted) {
  218. return VoterInterface::ACCESS_GRANTED;
  219. }
  220. }
  222. // All users can download collections in their PrivateSandbox collections.
  223. if ($projectUser) {
  224. $isGranted
  225. // Is in user's PrivateSandbox Medical Record Collection?
  226. = $projectUser->getPrivateSandboxCollection() && $projectUser->getPrivateSandboxCollection()->containsCollectionRecursive($entity);
  227. if ($isGranted) {
  228. return VoterInterface::ACCESS_GRANTED;
  229. }
  230. }
  231. }
  233. // If we get to the end of this function, then no decisions have been
  234. // made so we deny access
  235. return VoterInterface::ACCESS_DENIED;
  236. }
  237. }