src/Security/Voter/MatchVoter.php line 19

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\Expert;
  6. use MedBrief\MSR\Entity\Project;
  7. use MedBrief\MSR\Entity\User;
  8. use MedBrief\MSR\Repository\AccountRepository;
  9. use MedBrief\MSR\Repository\ExpertRepository;
  10. use MedBrief\MSR\Repository\MatchLetterResponseRepository;
  11. use MedBrief\MSR\Repository\MessageThreadParticipantRepository;
  12. use MedBrief\MSR\Repository\ProjectRepository;
  13. use Override;
  14. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  15. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  16. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  17. use Symfony\Component\Security\Core\User\UserInterface;
  19. class MatchVoter extends Voter
  20. {
  21. public const VIEW_FIRM = 'MATCH_VIEW_FIRM';
  22. public const VIEW_EXPERT = 'MATCH_VIEW_EXPERT';
  23. public const VIEW_EXPERT_TERMS_ACCEPTED = 'MATCH_VIEW_EXPERT_TERMS_ACCEPTED';
  24. public const VIEW_MESSAGES_NAV = 'MATCH_VIEW_MESSAGES_NAV';
  26. public function __construct(
  27. private readonly AuthorizationCheckerInterface $auth,
  28. private readonly AccountRepository $accountRepository,
  29. private readonly ExpertRepository $expertRepository,
  30. private readonly MessageThreadParticipantRepository $messageThreadParticipantRepository,
  31. private readonly ProjectRepository $projectRepository,
  32. private readonly MatchLetterResponseRepository $matchLetterResponseRepository
  33. ) {
  34. }
  36. #[Override]
  37. protected function supports(string $attribute, mixed $subject): bool
  38. {
  39. if ($attribute === self::VIEW_MESSAGES_NAV || $attribute === self::VIEW_EXPERT_TERMS_ACCEPTED) {
  40. return $subject === null;
  41. }
  43. return \in_array($attribute, [self::VIEW_FIRM, self::VIEW_EXPERT], true)
  44. && $subject instanceof Project;
  45. }
  47. #[Override]
  48. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  49. {
  50. $user = $token->getUser();
  51. if (!$user instanceof UserInterface) {
  52. return false;
  53. }
  55. /** @var Project $project */
  56. $project = $subject;
  58. return match ($attribute) {
  59. self::VIEW_FIRM => $this->canViewAsFirm($user, $project),
  60. self::VIEW_EXPERT => $this->canViewAsExpert($user, $project),
  61. self::VIEW_EXPERT_TERMS_ACCEPTED => $this->canViewExpertTermsAccepted($user),
  62. self::VIEW_MESSAGES_NAV => $this->canViewMessagesNavigation($user),
  63. default => false,
  64. };
  65. }
  67. /**
  68. * Determines if the user can view the match tab.
  69. * User roles allowed:
  70. * - MB super admins (ROLE_SUPER_ADMIN)
  71. * - MB admins (ROLE_ADMIN)
  72. * - Client super admins (ROLE_ACCOUNT_{accountId}_SUPERADMINISTRATOR)
  73. * - Client admins (ROLE_ACCOUNT_{accountId}_ADMINISTRATOR)
  74. * - Matter/Project managers:
  75. * - Role-based: ROLE_PROJECT_{projectId}_PROJECTMANAGER
  76. * - Entity-based: $project->getManager() === $user
  77. *
  78. * @param UserInterface $user
  79. * @param Project $project
  80. *
  81. * @return bool
  82. */
  83. private function canViewAsFirm(UserInterface $user, Project $project): bool
  84. {
  85. // Check if client has opted in to match and if the matter is of type Clinical Negligence and is a client matter, if classic matter, don't allow viewing of match
  86. if (!$project->getAccount()->getMatchOptIn()
  87. || $project->getMatterType() !== Project::MATTER_TYPE_CLINICAL_NEGLIGENCE
  88. || $project->getType() !== Project::TYPE_MATTER_FIRM
  89. || $project->getMatterRequest() === null
  90. ) {
  91. return false;
  92. }
  94. // MB admins
  95. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  96. return true;
  97. }
  99. // Client-level admins
  100. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_SUPERADMINISTRATOR')) {
  101. return true;
  102. }
  103. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_ADMINISTRATOR')) {
  104. return true;
  105. }
  107. // Matter/Project manager (role-based)
  108. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_PROJECTMANAGER')) {
  109. return true;
  110. }
  112. // Matter/Project manager (entity relationship fallback)
  113. if ($project->getManager() && $project->getManager() === $user) {
  114. return true;
  115. }
  117. return false;
  118. }
  120. /**
  121. * Determines if a user can view as an Expert.
  122. *
  123. * @param UserInterface $user
  124. * @param Project $project
  125. *
  126. * @return bool
  127. */
  128. private function canViewAsExpert(UserInterface $user, Project $project): bool
  129. {
  130. // Invited Experts
  131. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')) {
  132. return true;
  133. }
  134. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  135. return true;
  136. }
  138. // Uninvited Experts can only view if they are participants in the message thread for the project
  139. if (!$user instanceof User) {
  140. return false;
  141. }
  143. return $this->messageThreadParticipantRepository->isUserParticipantInProject($project, $user);
  144. }
  146. /**
  147. * Determines if a user can see the messages navigation tab
  148. *
  149. * @param UserInterface $user
  150. *
  151. * @return bool
  152. */
  153. private function canViewMessagesNavigation(UserInterface $user): bool
  154. {
  155. // MB admins
  156. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  157. return true;
  158. }
  160. // If the user has the expert or expert viewer role, allow access
  161. if ($user instanceof User && ($user->isExpertOnly() || $user->isExpertViewerOnly())) {
  162. // Only experts with an expert profile
  163. if ($this->expertRepository->findOneBy(['user' => $user]) instanceof Expert) {
  164. return true;
  165. }
  166. }
  168. // Extract account IDs and project IDs from user roles
  169. $userRoles = $user->getRoles();
  170. $accountIds = [];
  171. $projectIds = [];
  173. foreach ($userRoles as $role) {
  174. if (preg_match('/^ROLE_ACCOUNT_(\d+)_/', $role, $matches)) {
  175. $accountIds[] = (int) $matches[1];
  176. }
  178. if (preg_match('/^ROLE_PROJECT_(\d+)_/', $role, $matches)) {
  179. $projectIds[] = (int) $matches[1];
  180. }
  181. }
  183. // Remove duplicates
  184. $accountIds = array_unique($accountIds);
  185. $projectIds = array_unique($projectIds);
  187. // Check if any accounts have match enabled
  188. if (!empty($accountIds)) {
  189. $accounts = $this->accountRepository->findBy(['id' => $accountIds]);
  190. foreach ($accounts as $account) {
  191. if ($account->getMatchOptIn()) {
  192. return true;
  193. }
  194. }
  195. }
  197. // Check if any projects with accounts have match enabled
  198. if (!empty($projectIds)) {
  199. $projects = $this->projectRepository->findBy(['id' => $projectIds]);
  200. foreach ($projects as $project) {
  201. $account = $project->getAccount();
  202. if ($account && $account->getMatchOptIn()) {
  203. return true;
  204. }
  205. }
  206. }
  208. return false;
  209. }
  211. /**
  212. * Determines if an expert user has accepted the expert terms.
  213. *
  214. * @param UserInterface $user
  215. *
  216. * @return bool
  217. */
  218. private function canViewExpertTermsAccepted(UserInterface $user): bool
  219. {
  220. // If the user has the expert or expert viewer role, allow access
  221. if ($user instanceof User && ($user->isExpertOnly() || $user->isExpertViewerOnly())) {
  222. // Only experts with an expert profile
  223. if ($this->expertRepository->findOneBy(['user' => $user]) instanceof Expert) {
  224. // Check if the expert has accepted the terms
  225. if ($this->matchLetterResponseRepository->hasExpertAcceptedTerms($user)) {
  226. return true;
  227. }
  228. }
  229. }
  231. // Default deny
  232. return false;
  233. }
  234. }