src/Security/Voter/DocumentVoter.php line 16

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use Doctrine\ORM\EntityManagerInterface;
  6. use InvalidArgumentException;
  7. use MedBrief\MSR\Entity\Document;
  8. use MedBrief\MSR\Entity\ProjectUser;
  9. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  10. use Override;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  14. use Symfony\Component\Security\Core\User\UserInterface;
  16. class DocumentVoter implements VoterInterface
  17. {
  18. public const CREATE = 'CREATE';
  19. public const READ = 'READ';
  20. public const UPDATE = 'UPDATE';
  21. public const DELETE = 'DELETE';
  22. public const ADMINISTRATION = 'ADMINISTRATION';
  24. public const DOWNLOAD_NATIVE = 'DOWNLOAD_NATIVE';
  25. public const STREAM_NATIVE = 'STREAM_NATIVE';
  27. // Controls if the user can update the annotation visibility of a Document's annotations.
  28. public const UPDATE_ANNOTATION_VISIBILITY = 'UPDATE_ANNOTATION_VISIBILITY';
  29. public const ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS = 'ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS';
  31. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker, private readonly EntityManagerInterface $entityManager, private readonly UserHelper $userHelper)
  32. {
  33. }
  35. public function supportsAttribute($attribute): bool
  36. {
  37. return in_array($attribute, [
  38. self::CREATE,
  39. self::READ,
  40. self::UPDATE,
  41. self::DELETE,
  42. self::ADMINISTRATION,
  43. self::DOWNLOAD_NATIVE,
  44. self::STREAM_NATIVE,
  45. self::UPDATE_ANNOTATION_VISIBILITY,
  46. self::ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS,
  47. ]);
  48. }
  50. public function supportsClass($class): bool
  51. {
  52. $supportedClass = Document::class;
  54. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  55. }
  57. /**
  58. *
  59. * @param mixed $entity
  60. */
  61. #[Override]
  62. public function vote(TokenInterface $token, $entity, array $attributes)
  63. {
  64. /**
  65. * START: This is common code for all Voter::vote() methods
  66. */
  67. // check if class of this object is supported by this voter
  68. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  69. return VoterInterface::ACCESS_ABSTAIN;
  70. }
  72. // check if the voter is used correct, only allow one attribute
  73. // this isn't a requirement, it's just one easy way for you to
  74. // design your voter
  75. if (1 !== count($attributes)) {
  76. throw new InvalidArgumentException(
  77. 'Only one attribute is allowed for Medbrief Voters.'
  78. );
  79. }
  81. // set the attribute to check against
  82. $attribute = $attributes[0];
  84. // check if the given attribute is covered by this voter
  85. if (!$this->supportsAttribute($attribute)) {
  86. return VoterInterface::ACCESS_ABSTAIN;
  87. }
  89. // get current logged in user
  90. $user = $token->getUser();
  92. // make sure there is a user object (i.e. that the user is logged in)
  93. if (!$user instanceof UserInterface) {
  94. return VoterInterface::ACCESS_DENIED;
  95. }
  97. // Admin users can do everything
  98. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  99. return VoterInterface::ACCESS_GRANTED;
  100. }
  101. /**
  102. * END: Common code for all Voter:vote() methods. Put custom logic below.
  103. */
  104. $this->userHelper->setUser($user);
  106. // if this user has ADMINISTRATION rights for the project to which this
  107. // document belongs
  108. if ($this->authorizationChecker->isGranted('ADMINISTRATION', $entity->getProject())) {
  110. // then they have access to do anything
  111. return VoterInterface::ACCESS_GRANTED;
  112. }
  114. // Check if the user can update annotation visibility for a Project's documents.
  115. // Project Managers can do this.
  116. if (($attribute === self::UPDATE_ANNOTATION_VISIBILITY || $attribute === self::ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS) && $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getProject()->getId() . '_PROJECTMANAGER')) {
  117. return VoterInterface::ACCESS_GRANTED;
  118. }
  120. // if this user has Medical Records administration or Radiology Administration - this was added to allow client
  121. // level sorters to have the access they need
  122. // @todo We should probably do an additiona check here to see what kind of document we have here (a medical record
  123. // or a radiology file). But at the moment I don't think it is a problem because I user that has one of the below
  124. // access levels always has the other one as well
  125. // For everything, except updating the visibility of annotations.
  126. if (($this->authorizationChecker->isGranted('MEDICAL_RECORDS_ADMINISTRATION', $entity->getProject()) || $this->authorizationChecker->isGranted('RADIOLOGY_ADMINISTRATION', $entity->getProject())) && ($attribute !== self::UPDATE_ANNOTATION_VISIBILITY && $attribute !== self::ANNOTATION_VISIBILITY_DOWNLOAD_OPTIONS)) {
  127. // then they have access to do anything
  128. return VoterInterface::ACCESS_GRANTED;
  129. }
  131. // if the user is wanting to stream the native (I.E view) or read this document of this document
  132. if ($attribute == self::STREAM_NATIVE || $attribute == self::READ) {
  134. // if the user is an expert agency administrator let them pass.
  135. // this should probably be done in a better way, tying permissions
  136. // to an entity in one place somehow....
  137. if ($user->isExpertAgencyAdministrator()) {
  138. return VoterInterface::ACCESS_GRANTED;
  139. }
  141. $project = $entity->getProject();
  143. // if the user has a role on the project that gives them
  144. // administrative access to it
  145. if ($this->userHelper->hasProjectAdministrativeRole($project)) {
  147. // then they have access
  148. return VoterInterface::ACCESS_GRANTED;
  150. // else if they have any other role on the project (currently just EXPERT or EXPERTVIEWER)
  151. // Or, if the user has disclosure project read access (Project needs to then be type disclosure)
  152. } elseif ($this->userHelper->hasProjectRole($project) || $this->userHelper->hasDisclosureProjectReadAccess($project)) {
  154. // then grab their project user record (if they have one)
  155. $projectUser = $this->entityManager->getRepository(ProjectUser::class)->findOneBy(['user' => $user, 'project' => $entity->getProject()]);
  157. // if they have a project user record for the project
  158. if ($projectUser) {
  160. // and if the document is in the project's public collection or
  161. // is in this user's private/PrivateSandbox collection or
  162. // in the project's Unsorted Records collection
  163. if ($project->getMedicalRecordsCollection()->containsDocumentRecursive($entity)
  164. || ($projectUser->getPrivateCollection() && $projectUser->getPrivateCollection()->containsDocumentRecursive($entity))
  165. || ($projectUser->getPrivateSandboxCollection() && $projectUser->getPrivateSandboxCollection()->containsDocumentRecursive($entity))
  166. || ($project->getUnsortedRecordsCollection() && $project->getUnsortedRecordsCollection()->containsDocumentRecursive($entity))
  167. ) {
  169. // then they have access
  170. return VoterInterface::ACCESS_GRANTED;
  171. }
  173. // if this is a radiology file
  174. // @todo We need a better way to determine if this is a radiology file
  175. if ($entity->getMimeType() == 'application/dicom') {
  177. // then they have access
  178. return VoterInterface::ACCESS_GRANTED;
  179. }
  180. }
  181. }
  182. }
  184. // if the user wants to delete or update this document
  185. if ($attribute == self::DELETE || $attribute == self::UPDATE) {
  187. // if it is a dicom file
  188. // @todo we should actually do a DB check to see if this document
  189. // is connected toe a Disc
  190. //then if this user may manage radiology for the documents project
  191. if ($entity->getMimeType() == 'application/dicom' && $this->authorizationChecker->isGranted('RADIOLOGY_ADMINISTRATION', $entity->getProject())) {
  193. // then they have access
  194. return VoterInterface::ACCESS_GRANTED;
  195. }
  197. //else we assume that this is a medical record (since there are no other kinds of document) So then if they have
  198. // medical records administration access
  199. if ($this->authorizationChecker->isGranted('MEDICAL_RECORDS_ADMINISTRATION', $entity->getProject())) {
  201. // then they have access
  202. return VoterInterface::ACCESS_GRANTED;
  203. }
  205. // Grab their project user record (if they have one)
  206. $projectUser = $this->entityManager->getRepository(ProjectUser::class)->findOneBy(['user' => $user, 'project' => $entity->getProject()]);
  208. // If the document is in the PrivateSandbox collection of the user, and they created it, allow them to update/delete it.
  209. if ($projectUser && $projectUser->getPrivateSandboxCollection() && $projectUser->getPrivateSandboxCollection()->containsDocumentRecursive($entity) && $entity->getCreator() && $entity->getCreator()->getId() == $user->getId()) {
  210. return VoterInterface::ACCESS_GRANTED;
  211. }
  212. }
  214. // finally if the user is trying to download the document
  215. if ($attribute == self::DOWNLOAD_NATIVE) {
  217. // If the document is in the public medical records collection, or the public unsorted records collection, a user with MEDICAL_RECORD_DOWNLOAD can download it.
  218. if (
  219. ($entity->getProject()->getMedicalRecordsCollection()->containsDocumentRecursive($entity) || $entity->getProject()->getUnsortedRecordsCollection() && $entity->getProject()->getUnsortedRecordsCollection()->containsDocumentRecursive($entity)) && $this->authorizationChecker->isGranted('MEDICAL_RECORD_DOWNLOAD', $entity->getProject())
  220. ) {
  221. return VoterInterface::ACCESS_GRANTED;
  222. }
  224. // Grab the projectUser, so we can do some checks against the associated collections.
  225. $projectUser = $this->entityManager->getRepository(ProjectUser::class)->findOneBy(['user' => $user, 'project' => $entity->getProject()]);
  227. // If the document is in their own Private collection, a user with MEDICAL_RECORD_DOWNLOAD can download it.
  228. if ($projectUser && $projectUser->getPrivateCollection() && $projectUser->getPrivateCollection()->containsDocumentRecursive($entity) && $this->authorizationChecker->isGranted('MEDICAL_RECORD_DOWNLOAD', $entity->getProject())) {
  229. return VoterInterface::ACCESS_GRANTED;
  230. }
  232. // If the document is in the user's PrivateSandbox collection, they can download it.
  233. if ($projectUser && $projectUser->getPrivateSandboxCollection() && $projectUser->getPrivateSandboxCollection()->containsDocumentRecursive($entity)) {
  234. return VoterInterface::ACCESS_GRANTED;
  235. }
  236. }
  238. // If we get to the end of this function, then no decisions have been
  239. // made so we deny access
  240. return VoterInterface::ACCESS_DENIED;
  241. }
  242. }