src/Security/Voter/MatchVoter.php line 16

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\MessageThread;
  6. use MedBrief\MSR\Entity\MessageThreadParticipant;
  7. use MedBrief\MSR\Entity\Project;
  8. use MedBrief\MSR\Repository\MessageThreadParticipantRepository;
  9. use MedBrief\MSR\Repository\MessageThreadRepository;
  10. use Override;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  14. use Symfony\Component\Security\Core\User\UserInterface;
  16. class MatchVoter extends Voter
  17. {
  18. public const VIEW_FIRM = 'MATCH_VIEW_FIRM';
  19. public const VIEW_EXPERT = 'MATCH_VIEW_EXPERT';
  21. public function __construct(
  22. private readonly AuthorizationCheckerInterface $auth,
  23. private readonly MessageThreadRepository $messageThreadRepository,
  24. private readonly MessageThreadParticipantRepository $messageThreadParticipantRepository,
  25. ) {
  26. }
  28. #[Override]
  29. protected function supports(string $attribute, mixed $subject): bool
  30. {
  31. return \in_array($attribute, [self::VIEW_FIRM, self::VIEW_EXPERT], true)
  32. && $subject instanceof Project;
  33. }
  35. #[Override]
  36. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  37. {
  38. $user = $token->getUser();
  39. if (!$user instanceof UserInterface) {
  40. return false;
  41. }
  43. /** @var Project $project */
  44. $project = $subject;
  46. return match ($attribute) {
  47. self::VIEW_FIRM => $this->canViewAsFirm($user, $project),
  48. self::VIEW_EXPERT => $this->canViewAsExpert($user, $project),
  49. default => false,
  50. };
  51. }
  53. /**
  54. * Determines if the user can view the match tab.
  55. * User roles allowed:
  56. * - MB super admins (ROLE_SUPER_ADMIN)
  57. * - MB admins (ROLE_ADMIN)
  58. * - Client super admins (ROLE_ACCOUNT_{accountId}_SUPERADMINISTRATOR)
  59. * - Client admins (ROLE_ACCOUNT_{accountId}_ADMINISTRATOR)
  60. * - Matter/Project managers:
  61. * - Role-based: ROLE_PROJECT_{projectId}_PROJECTMANAGER
  62. * - Entity-based: $project->getManager() === $user
  63. *
  64. * @param UserInterface $user
  65. * @param Project $project
  66. *
  67. * @return bool
  68. */
  69. private function canViewAsFirm(UserInterface $user, Project $project): bool
  70. {
  71. // Check if client has opted in to match and if the matter is of type Clinical Negligence and is a client matter, if classic matter, don't allow viewing of match
  72. if (!$project->getAccount()->getMatchOptIn()
  73. || $project->getMatterType() !== Project::MATTER_TYPE_CLINICAL_NEGLIGENCE
  74. || $project->getType() !== Project::TYPE_MATTER_FIRM
  75. || $project->getMatterRequest() === null
  76. ) {
  77. return false;
  78. }
  80. // MB admins
  81. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  82. return true;
  83. }
  85. // Client-level admins
  86. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_SUPERADMINISTRATOR')) {
  87. return true;
  88. }
  89. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_ADMINISTRATOR')) {
  90. return true;
  91. }
  93. // Matter/Project manager (role-based)
  94. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_PROJECTMANAGER')) {
  95. return true;
  96. }
  98. // Matter/Project manager (entity relationship fallback)
  99. if ($project->getManager() && $project->getManager() === $user) {
  100. return true;
  101. }
  103. return false;
  104. }
  106. /**
  107. * Scaffolding in case we want to limit which users can message experts.
  108. *
  109. * @param UserInterface $user
  110. * @param Project $project
  111. *
  112. * @return bool
  113. */
  114. private function canViewAsExpert(UserInterface $user, Project $project): bool
  115. {
  116. // Invited Experts
  117. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getAccount()->getId() . '_EXPERT')) {
  118. return true;
  119. }
  120. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getAccount()->getId() . '_EXPERTVIEWER')) {
  121. return true;
  122. }
  124. // Uninvited Experts can only view if they are participants in the message thread for the project
  125. $thread = $this->messageThreadRepository->findOneBy(['project' => $project]) ?? null;
  127. if ($thread instanceof MessageThread) {
  128. $threadParticipant = $this->messageThreadParticipantRepository->findParticipant($thread, $user);
  129. if ($threadParticipant instanceof MessageThreadParticipant) {
  130. return true;
  131. }
  132. }
  134. return false;
  135. }
  136. }