src/Security/Voter/MatchVoter.php line 20

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\Expert;
  6. use MedBrief\MSR\Entity\MessageThreadParticipant;
  7. use MedBrief\MSR\Entity\Project;
  8. use MedBrief\MSR\Entity\User;
  9. use MedBrief\MSR\Repository\AccountRepository;
  10. use MedBrief\MSR\Repository\ExpertRepository;
  11. use MedBrief\MSR\Repository\MatchLetterResponseRepository;
  12. use MedBrief\MSR\Repository\MessageThreadParticipantRepository;
  13. use MedBrief\MSR\Repository\ProjectRepository;
  14. use Override;
  15. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  16. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  17. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  18. use Symfony\Component\Security\Core\User\UserInterface;
  20. class MatchVoter extends Voter
  21. {
  22. public const VIEW_FIRM = 'MATCH_VIEW_FIRM';
  23. public const VIEW_EXPERT = 'MATCH_VIEW_EXPERT';
  24. public const VIEW_EXPERT_TERMS_ACCEPTED = 'MATCH_VIEW_EXPERT_TERMS_ACCEPTED';
  25. public const VIEW_MESSAGES_NAV = 'MATCH_VIEW_MESSAGES_NAV';
  27. public function __construct(
  28. private readonly AuthorizationCheckerInterface $auth,
  29. private readonly AccountRepository $accountRepository,
  30. private readonly ExpertRepository $expertRepository,
  31. private readonly MessageThreadParticipantRepository $messageThreadParticipantRepository,
  32. private readonly ProjectRepository $projectRepository,
  33. private readonly MatchLetterResponseRepository $matchLetterResponseRepository
  34. ) {
  35. }
  37. #[Override]
  38. protected function supports(string $attribute, mixed $subject): bool
  39. {
  40. if ($attribute === self::VIEW_MESSAGES_NAV || $attribute === self::VIEW_EXPERT_TERMS_ACCEPTED) {
  41. return $subject === null;
  42. }
  44. return \in_array($attribute, [self::VIEW_FIRM, self::VIEW_EXPERT], true)
  45. && $subject instanceof Project;
  46. }
  48. #[Override]
  49. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  50. {
  51. $user = $token->getUser();
  52. if (!$user instanceof UserInterface) {
  53. return false;
  54. }
  56. /** @var Project $project */
  57. $project = $subject;
  59. return match ($attribute) {
  60. self::VIEW_FIRM => $this->canViewAsFirm($user, $project),
  61. self::VIEW_EXPERT => $this->canViewAsExpert($user, $project),
  62. self::VIEW_EXPERT_TERMS_ACCEPTED => $this->canViewExpertTermsAccepted($user),
  63. self::VIEW_MESSAGES_NAV => $this->canViewMessagesNavigation($user),
  64. default => false,
  65. };
  66. }
  68. /**
  69. * Determines if the user can view the match tab.
  70. * User roles allowed:
  71. * - MB super admins (ROLE_SUPER_ADMIN)
  72. * - MB admins (ROLE_ADMIN)
  73. * - Client super admins (ROLE_ACCOUNT_{accountId}_SUPERADMINISTRATOR)
  74. * - Client admins (ROLE_ACCOUNT_{accountId}_ADMINISTRATOR)
  75. * - Matter/Project managers:
  76. * - Role-based: ROLE_PROJECT_{projectId}_PROJECTMANAGER
  77. * - Entity-based: $project->getManager() === $user
  78. *
  79. * @param UserInterface $user
  80. * @param Project $project
  81. *
  82. * @return bool
  83. */
  84. private function canViewAsFirm(UserInterface $user, Project $project): bool
  85. {
  86. // Check if client has opted in to match and if the matter is of type Clinical Negligence and is a client matter, if classic matter, don't allow viewing of match
  87. if (!$project->getAccount()->getMatchOptIn()
  88. || $project->getMatterType() !== Project::MATTER_TYPE_CLINICAL_NEGLIGENCE
  89. || $project->getType() !== Project::TYPE_MATTER_FIRM
  90. || $project->getMatterRequest() === null
  91. ) {
  92. return false;
  93. }
  95. // MB admins
  96. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  97. return true;
  98. }
  100. // Client-level admins
  101. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_SUPERADMINISTRATOR')) {
  102. return true;
  103. }
  104. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_ADMINISTRATOR')) {
  105. return true;
  106. }
  108. // Matter/Project manager (role-based)
  109. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_PROJECTMANAGER')) {
  110. return true;
  111. }
  113. // Matter/Project manager (entity relationship fallback)
  114. if ($project->getManager() && $project->getManager() === $user) {
  115. return true;
  116. }
  118. return false;
  119. }
  121. /**
  122. * Determines if a user can view as an Expert.
  123. *
  124. * @param UserInterface $user
  125. * @param Project $project
  126. *
  127. * @return bool
  128. */
  129. private function canViewAsExpert(UserInterface $user, Project $project): bool
  130. {
  131. // Invited Experts
  132. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')) {
  133. return true;
  134. }
  135. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  136. return true;
  137. }
  139. // Uninvited Experts can only view if they are participants in the message thread for the project
  140. $threadParticipant = $this->messageThreadParticipantRepository->findParticipantByProjectAndUser($project, $user);
  142. if ($threadParticipant instanceof MessageThreadParticipant) {
  143. return true;
  144. }
  146. return false;
  147. }
  149. /**
  150. * Determines if a user can see the messages navigation tab
  151. *
  152. * @param UserInterface $user
  153. *
  154. * @return bool
  155. */
  156. private function canViewMessagesNavigation(UserInterface $user): bool
  157. {
  158. // MB admins
  159. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  160. return true;
  161. }
  163. // If the user has the expert or expert viewer role, allow access
  164. if ($user instanceof User && ($user->isExpertOnly() || $user->isExpertViewerOnly())) {
  165. // Only experts with an expert profile
  166. if ($this->expertRepository->findOneBy(['user' => $user]) instanceof Expert) {
  167. return true;
  168. }
  169. }
  171. // Extract account IDs and project IDs from user roles
  172. $userRoles = $user->getRoles();
  173. $accountIds = [];
  174. $projectIds = [];
  176. foreach ($userRoles as $role) {
  177. if (preg_match('/^ROLE_ACCOUNT_(\d+)_/', $role, $matches)) {
  178. $accountIds[] = (int) $matches[1];
  179. }
  181. if (preg_match('/^ROLE_PROJECT_(\d+)_/', $role, $matches)) {
  182. $projectIds[] = (int) $matches[1];
  183. }
  184. }
  186. // Remove duplicates
  187. $accountIds = array_unique($accountIds);
  188. $projectIds = array_unique($projectIds);
  190. // Check if any accounts have match enabled
  191. if (!empty($accountIds)) {
  192. $accounts = $this->accountRepository->findBy(['id' => $accountIds]);
  193. foreach ($accounts as $account) {
  194. if ($account->getMatchOptIn()) {
  195. return true;
  196. }
  197. }
  198. }
  200. // Check if any projects with accounts have match enabled
  201. if (!empty($projectIds)) {
  202. $projects = $this->projectRepository->findBy(['id' => $projectIds]);
  203. foreach ($projects as $project) {
  204. $account = $project->getAccount();
  205. if ($account && $account->getMatchOptIn()) {
  206. return true;
  207. }
  208. }
  209. }
  211. return false;
  212. }
  214. /**
  215. * Determines if an expert user has accepted the expert terms.
  216. *
  217. * @param UserInterface $user
  218. *
  219. * @return bool
  220. */
  221. private function canViewExpertTermsAccepted(UserInterface $user): bool
  222. {
  223. // If the user has the expert or expert viewer role, allow access
  224. if ($user instanceof User && ($user->isExpertOnly() || $user->isExpertViewerOnly())) {
  225. // Only experts with an expert profile
  226. if ($this->expertRepository->findOneBy(['user' => $user]) instanceof Expert) {
  227. // Check if the expert has accepted the terms
  228. if ($this->matchLetterResponseRepository->hasExpertAcceptedTerms($user)) {
  229. return true;
  230. }
  231. }
  232. }
  234. // Default deny
  235. return false;
  236. }
  237. }