src/Security/Voter/HelpArticleVoter.php line 13

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\HelpArticle;
  6. use MedBrief\MSR\Entity\User;
  7. use Override;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  9. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  10. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. use Symfony\Component\Security\Core\User\UserInterface;
  13. class HelpArticleVoter extends Voter
  14. {
  15. public const CREATE = 'CREATE';
  16. public const UPDATE = 'UPDATE';
  17. public const VIEW = 'VIEW';
  18. public const DELETE = 'DELETE';
  19. public const ADMINISTRATION = 'ADMINISTRATION';
  21. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker)
  22. {
  23. }
  25. #[Override]
  26. protected function supports($attribute, $subject): bool
  27. {
  28. return in_array($attribute, [
  29. self::CREATE,
  30. self::UPDATE,
  31. self::VIEW,
  32. self::DELETE,
  33. self::ADMINISTRATION,
  34. ])
  35. && $subject instanceof HelpArticle;
  36. }
  38. #[Override]
  39. protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
  40. {
  41. $user = $token->getUser();
  42. // if the user is anonymous, do not grant access
  43. if (!$user instanceof UserInterface) {
  44. return false;
  45. }
  47. /** @var HelpArticle $helpArticle */
  48. $helpArticle = $subject;
  49. // ... (check conditions and return true to grant permission) ...
  50. return match ($attribute) {
  51. self::CREATE, self::UPDATE, self::DELETE => $this->canCreate($user),
  52. self::VIEW => $this->canView($user, $helpArticle),
  53. self::ADMINISTRATION => $this->isAdministration(),
  54. default => false,
  55. };
  56. }
  58. protected function canCreate(User $user)
  59. {
  60. // MEDBRIEF HELP ADMIN
  61. return $this->authorizationChecker->isGranted('ROLE_HELP_ADMIN');
  62. }
  64. protected function canView(User $user, HelpArticle $helpArticle)
  65. {
  66. // MEDBRIEF ADMIN
  67. if ($this->isAdministration()) {
  68. return true;
  69. }
  71. // No one except admins should see hidden articles
  72. if ($helpArticle->getHidden() === true) {
  73. return false;
  74. }
  76. // If the user is a client level user...
  77. // they should only ever see client content types.
  78. if ($user->isAccountAdministrator()
  79. || $user->isAccountProjectManager()
  80. || $user->isAccountTechnicalAdmin()
  81. || $user->isProjectManager()
  82. || $user->isAccountSorter()
  83. ) {
  84. // If the user has both a client level and matter level access, we use their client level access to determine which
  85. // articles they see.
  86. return $helpArticle->isClientContentType();
  87. }
  88. // Third Party Articles can be seen by everyone else
  89. return $helpArticle->isThirdPartyContentType();
  90. }
  92. /**
  93. * Returns true if the user has an admin related role
  94. *
  95. * @return bool
  96. */
  97. protected function isAdministration()
  98. {
  99. // MEDBRIEF ADMIN
  100. return $this->authorizationChecker->isGranted('ROLE_ADMIN');
  101. }
  102. }