src/Security/Voter/MatchVoter.php line 22

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\Expert;
  6. use MedBrief\MSR\Entity\Project;
  7. use MedBrief\MSR\Entity\User;
  8. use MedBrief\MSR\Repository\AccountRepository;
  9. use MedBrief\MSR\Repository\ExpertRepository;
  10. use MedBrief\MSR\Repository\ExpertUserRepository;
  11. use MedBrief\MSR\Repository\MatchLetterResponseRepository;
  12. use MedBrief\MSR\Repository\MessageThreadParticipantRepository;
  13. use MedBrief\MSR\Repository\ProjectRepository;
  14. use MedBrief\MSR\Service\ProjectMatch\MatchExpertUser;
  15. use MedBrief\MSR\Service\ProjectMatch\MatchMyExpertsThreadBuilder;
  16. use Override;
  17. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  18. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  19. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  20. use Symfony\Component\Security\Core\User\UserInterface;
  22. class MatchVoter extends Voter
  23. {
  24. public const VIEW_FIRM = 'MATCH_VIEW_FIRM';
  25. public const VIEW_EXPERT = 'MATCH_VIEW_EXPERT';
  26. public const VIEW_EXPERT_TERMS_ACCEPTED = 'MATCH_VIEW_EXPERT_TERMS_ACCEPTED';
  27. public const VIEW_MESSAGES_NAV = 'MATCH_VIEW_MESSAGES_NAV';
  28. public const VIEW_RECORDS_RADIOLOGY_TABS = 'MATCH_VIEW_RECORDS_RADIOLOGY_TABS';
  29. public const VIEW_PRIMARY_OR_SECONDARY_EXPERT = 'MATCH_VIEW_PRIMARY_OR_SECONDARY_EXPERT';
  31. public function __construct(
  32. private readonly AuthorizationCheckerInterface $auth,
  33. private readonly AccountRepository $accountRepository,
  34. private readonly ExpertRepository $expertRepository,
  35. private readonly MessageThreadParticipantRepository $messageThreadParticipantRepository,
  36. private readonly ProjectRepository $projectRepository,
  37. private readonly MatchLetterResponseRepository $matchLetterResponseRepository,
  38. private readonly ExpertUserRepository $expertUserRepository,
  39. private readonly MatchExpertUser $matchExpertUserService
  40. ) {
  41. }
  43. #[Override]
  44. protected function supports(string $attribute, mixed $subject): bool
  45. {
  46. if ($attribute === self::VIEW_MESSAGES_NAV || $attribute === self::VIEW_EXPERT_TERMS_ACCEPTED) {
  47. return $subject === null;
  48. }
  50. return \in_array($attribute, [self::VIEW_FIRM, self::VIEW_EXPERT, self::VIEW_RECORDS_RADIOLOGY_TABS, self::VIEW_PRIMARY_OR_SECONDARY_EXPERT], true)
  51. && $subject instanceof Project;
  52. }
  54. #[Override]
  55. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  56. {
  57. $user = $token->getUser();
  58. if (!$user instanceof UserInterface) {
  59. return false;
  60. }
  62. /** @var Project $project */
  63. $project = $subject;
  65. return match ($attribute) {
  66. self::VIEW_FIRM => $this->canViewAsFirm($user, $project),
  67. self::VIEW_EXPERT => $this->canViewAsExpert($user, $project),
  68. self::VIEW_EXPERT_TERMS_ACCEPTED => $this->canViewExpertTermsAccepted($user),
  69. self::VIEW_MESSAGES_NAV => $this->canViewMessagesNavigation($user),
  70. self::VIEW_RECORDS_RADIOLOGY_TABS => $this->canViewRecordsRadiologyTabs($user, $project),
  71. self::VIEW_PRIMARY_OR_SECONDARY_EXPERT => $this->canViewAsPrimaryOrSecondaryExpert($user, $project),
  72. default => false,
  73. };
  74. }
  76. /**
  77. * Determines if the user can view the match tab.
  78. * User roles allowed:
  79. * - MB super admins (ROLE_SUPER_ADMIN)
  80. * - MB admins (ROLE_ADMIN)
  81. * - Client super admins (ROLE_ACCOUNT_{accountId}_SUPERADMINISTRATOR)
  82. * - Client admins (ROLE_ACCOUNT_{accountId}_ADMINISTRATOR)
  83. * - Matter/Project managers:
  84. * - Role-based: ROLE_PROJECT_{projectId}_PROJECTMANAGER
  85. * - Entity-based: $project->getManager() === $user
  86. *
  87. * @param UserInterface $user
  88. * @param Project $project
  89. *
  90. * @return bool
  91. */
  92. private function canViewAsFirm(UserInterface $user, Project $project): bool
  93. {
  94. // Check if client has opted in to match and if the matter is of type Clinical Negligence and is a client matter, if classic matter, don't allow viewing of match
  95. if (!$project->getAccount()->getMatchOptIn()
  96. || $project->getMatterType() !== Project::MATTER_TYPE_CLINICAL_NEGLIGENCE
  97. || $project->getType() !== Project::TYPE_MATTER_FIRM
  98. || $project->getMatterRequest() === null
  99. ) {
  100. return false;
  101. }
  103. // MB admins
  104. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  105. return true;
  106. }
  108. // Client-level admins
  109. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_SUPERADMINISTRATOR')) {
  110. return true;
  111. }
  112. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $project->getAccount()->getId() . '_ADMINISTRATOR')) {
  113. return true;
  114. }
  116. // Matter/Project manager (role-based)
  117. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_PROJECTMANAGER')) {
  118. return true;
  119. }
  121. // Matter/Project manager (entity relationship fallback)
  122. if ($project->getManager() && $project->getManager() === $user) {
  123. return true;
  124. }
  126. return false;
  127. }
  129. /**
  130. * Determines if a user can view as an Expert.
  131. * Allows access to secondary users linked to an expert, but only if the expert has not confirmed a primary user yet.
  132. * Once a primary user is confirmed, only that user can view as the expert.
  133. *
  134. * @param UserInterface $user
  135. * @param Project $project
  136. *
  137. * @return bool
  138. */
  139. private function canViewAsExpert(UserInterface $user, Project $project): bool
  140. {
  141. // Invited Experts
  142. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')) {
  143. return true;
  144. }
  145. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  146. return true;
  147. }
  149. $isPrimaryUserForExpert = $this->matchExpertUserService->isPrimaryUserForExpert($user);
  150. if ($isPrimaryUserForExpert) {
  151. // If the expert has not confirmed a primary user yet, secondary users are treated as primary
  152. $user = $this->matchExpertUserService->getPrimaryUserForExpert($user);
  153. }
  155. // Uninvited Experts can only view if they are participants in the message thread for the project
  156. if (!$user instanceof User) {
  157. return false;
  158. }
  160. return $this->messageThreadParticipantRepository->isUserParticipantInProject($project, $user);
  161. }
  163. /**
  164. * Determines if a user can view as an Expert.
  165. * Allows access to secondary users linked to an expert, but only if the expert has not confirmed a primary user yet.
  166. * Once a primary user is confirmed, only that user can view as the expert.
  167. *
  168. * @param UserInterface $user
  169. * @param Project $project
  170. *
  171. * @return bool
  172. */
  173. private function canViewAsPrimaryOrSecondaryExpert(UserInterface $user, Project $project): bool
  174. {
  175. // Invited Experts
  176. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')) {
  177. return true;
  178. }
  179. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  180. return true;
  181. }
  183. //If the expert has not confirmed a primary user yet, secondary users are treated as primary
  184. $user = $this->matchExpertUserService->getPrimaryUserForExpert($user);
  186. // Uninvited Experts can only view if they are participants in the message thread for the project
  187. if (!$user instanceof User) {
  188. return false;
  189. }
  191. // Check if the user is a participant in any thread for the project
  192. return $this->messageThreadParticipantRepository->isUserParticipantInProject($project, $user);
  193. }
  195. /**
  196. * Limits access to certain project related functionality in the event that they are an expert,
  197. * but have no expert roles for the project yet.
  198. * Can be coupled with canViewAsExpert to show specific information, but limit others
  199. *
  200. * @param UserInterface $user
  201. * @param Project $project
  202. *
  203. * @return bool
  204. */
  205. private function canViewRecordsRadiologyTabs(UserInterface $user, Project $project): bool
  206. {
  207. $userType = $this->matchExpertUserService->getUserType($user);
  209. // If the user is an expert, we need to check if they have roles for the project
  210. if ($userType === MatchMyExpertsThreadBuilder::USER_TYPE_EXPERT) {
  211. // Experts without project roles are denied view access to the records and radiology tabs
  212. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')
  213. || $this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  214. return true;
  215. }
  217. // Return false if they are an expert but don't have the expert role for the project
  218. return false;
  219. }
  221. // Currently there are no specific restrictions on viewing these tabs outside of this for now
  222. // so we return true
  223. return true;
  224. }
  226. /**
  227. * Determines if a user can see the messages navigation tab
  228. *
  229. * @param UserInterface $user
  230. *
  231. * @return bool
  232. */
  233. private function canViewMessagesNavigation(UserInterface $user): bool
  234. {
  235. // MB admins
  236. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  237. return true;
  238. }
  240. // If the user has the expert or expert viewer role, allow access
  241. if ($user instanceof User && ($user->isExpertOnly() || $user->isExpertViewerOnly())) {
  242. // Only experts with an expert profile
  243. if ($this->expertRepository->findOneBy(['user' => $user]) instanceof Expert) {
  244. return true;
  245. }
  246. }
  248. // Extract account IDs and project IDs from user roles
  249. $userRoles = $user->getRoles();
  250. $accountIds = [];
  251. $projectIds = [];
  253. foreach ($userRoles as $role) {
  254. if (preg_match('/^ROLE_ACCOUNT_(\d+)_/', $role, $matches)) {
  255. $accountIds[] = (int) $matches[1];
  256. }
  258. if (preg_match('/^ROLE_PROJECT_(\d+)_/', $role, $matches)) {
  259. $projectIds[] = (int) $matches[1];
  260. }
  261. }
  263. // Remove duplicates
  264. $accountIds = array_unique($accountIds);
  265. $projectIds = array_unique($projectIds);
  267. // Check if any accounts have match enabled
  268. if (!empty($accountIds)) {
  269. $accounts = $this->accountRepository->findBy(['id' => $accountIds]);
  270. foreach ($accounts as $account) {
  271. if ($account->getMatchOptIn()) {
  272. return true;
  273. }
  274. }
  275. }
  277. // Check if any projects with accounts have match enabled
  278. if (!empty($projectIds)) {
  279. $projects = $this->projectRepository->findBy(['id' => $projectIds]);
  280. foreach ($projects as $project) {
  281. $account = $project->getAccount();
  282. if ($account && $account->getMatchOptIn()) {
  283. return true;
  284. }
  285. }
  286. }
  288. return false;
  289. }
  291. /**
  292. * Determines if an expert user has accepted the expert terms.
  293. *
  294. * @param UserInterface $user
  295. *
  296. * @return bool
  297. */
  298. private function canViewExpertTermsAccepted(UserInterface $user): bool
  299. {
  300. // If the user has the expert or expert viewer role, allow access
  301. if ($user instanceof User && ($user->isExpertOnly() || $user->isExpertViewerOnly())) {
  302. // Only experts with an expert profile
  303. if ($this->expertRepository->findOneBy(['user' => $user]) instanceof Expert) {
  304. // Check if the expert has accepted the terms
  305. if ($this->matchLetterResponseRepository->hasExpertAcceptedTerms($user)) {
  306. return true;
  307. }
  308. }
  309. }
  311. // Default deny
  312. return false;
  313. }
  314. }