src/Security/Voter/MatchVoter.php line 23

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\Account;
  6. use MedBrief\MSR\Entity\Expert;
  7. use MedBrief\MSR\Entity\Project;
  8. use MedBrief\MSR\Entity\User;
  9. use MedBrief\MSR\Repository\AccountRepository;
  10. use MedBrief\MSR\Repository\ExpertRepository;
  11. use MedBrief\MSR\Repository\ExpertUserRepository;
  12. use MedBrief\MSR\Repository\MatchLetterResponseRepository;
  13. use MedBrief\MSR\Repository\MessageThreadParticipantRepository;
  14. use MedBrief\MSR\Repository\ProjectRepository;
  15. use MedBrief\MSR\Service\ProjectMatch\MatchExpertUser;
  16. use MedBrief\MSR\Service\ProjectMatch\MatchMyExpertsThreadBuilder;
  17. use Override;
  18. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  19. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  20. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  21. use Symfony\Component\Security\Core\User\UserInterface;
  23. class MatchVoter extends Voter
  24. {
  25. public const VIEW_FIRM = 'MATCH_VIEW_FIRM';
  26. public const VIEW_EXPERT = 'MATCH_VIEW_EXPERT';
  27. public const VIEW_EXPERT_TERMS_ACCEPTED = 'MATCH_VIEW_EXPERT_TERMS_ACCEPTED';
  28. public const VIEW_MESSAGES_NAV = 'MATCH_VIEW_MESSAGES_NAV';
  29. public const VIEW_RECORDS_RADIOLOGY_TABS = 'MATCH_VIEW_RECORDS_RADIOLOGY_TABS';
  30. public const VIEW_PRIMARY_OR_SECONDARY_EXPERT = 'MATCH_VIEW_PRIMARY_OR_SECONDARY_EXPERT';
  32. public function __construct(
  33. private readonly AuthorizationCheckerInterface $auth,
  34. private readonly AccountRepository $accountRepository,
  35. private readonly ExpertRepository $expertRepository,
  36. private readonly MessageThreadParticipantRepository $messageThreadParticipantRepository,
  37. private readonly ProjectRepository $projectRepository,
  38. private readonly MatchLetterResponseRepository $matchLetterResponseRepository,
  39. private readonly ExpertUserRepository $expertUserRepository,
  40. private readonly MatchExpertUser $matchExpertUserService
  41. ) {
  42. }
  44. #[Override]
  45. protected function supports(string $attribute, mixed $subject): bool
  46. {
  47. if ($attribute === self::VIEW_MESSAGES_NAV || $attribute === self::VIEW_EXPERT_TERMS_ACCEPTED) {
  48. return $subject === null;
  49. }
  51. return \in_array($attribute, [self::VIEW_FIRM, self::VIEW_EXPERT, self::VIEW_RECORDS_RADIOLOGY_TABS, self::VIEW_PRIMARY_OR_SECONDARY_EXPERT], true)
  52. && $subject instanceof Project;
  53. }
  55. #[Override]
  56. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  57. {
  58. $user = $token->getUser();
  59. if (!$user instanceof UserInterface) {
  60. return false;
  61. }
  63. /** @var Project $project */
  64. $project = $subject;
  66. return match ($attribute) {
  67. self::VIEW_FIRM => $this->canViewAsFirm($user, $project),
  68. self::VIEW_EXPERT => $this->canViewAsExpert($user, $project),
  69. self::VIEW_EXPERT_TERMS_ACCEPTED => $this->canViewExpertTermsAccepted($user),
  70. self::VIEW_MESSAGES_NAV => $this->canViewMessagesNavigation($user),
  71. self::VIEW_RECORDS_RADIOLOGY_TABS => $this->canViewRecordsRadiologyTabs($user, $project),
  72. self::VIEW_PRIMARY_OR_SECONDARY_EXPERT => $this->canViewAsPrimaryOrSecondaryExpert($user, $project),
  73. default => false,
  74. };
  75. }
  77. /**
  78. * Determines if the user can view the match tab.
  79. * User roles allowed:
  80. * - MB super admins (ROLE_SUPER_ADMIN)
  81. * - MB admins (ROLE_ADMIN)
  82. * - Client super admins (ROLE_ACCOUNT_{accountId}_SUPERADMINISTRATOR)
  83. * - Client admins (ROLE_ACCOUNT_{accountId}_ADMINISTRATOR)
  84. * - Matter/Project managers:
  85. * - Role-based: ROLE_PROJECT_{projectId}_PROJECTMANAGER
  86. * - Entity-based: $project->getManager() === $user
  87. *
  88. * @param UserInterface $user
  89. * @param Project $project
  90. *
  91. * @return bool
  92. */
  93. private function canViewAsFirm(UserInterface $user, Project $project): bool
  94. {
  95. $account = $project->getAccount();
  97. // Check if the matter is of type Clinical Negligence and is a client matter
  98. if ($project->getMatterType() !== Project::MATTER_TYPE_CLINICAL_NEGLIGENCE
  99. || $project->getType() !== Project::TYPE_MATTER_FIRM
  100. || $project->getMatterRequest() === null
  101. ) {
  102. return false;
  103. }
  105. // Check if account has match enabled at all
  106. if (!$account->isMatchEnabled()) {
  107. return false;
  108. }
  110. // MB admins - only need account-level match enabled
  111. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  112. return true;
  113. }
  115. // For client users, check if they have match access based on account settings
  116. if (!$this->hasUserMatchAccess($account, $user)) {
  117. return false;
  118. }
  120. // Client-level admins
  121. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $account->getId() . '_SUPERADMINISTRATOR')) {
  122. return true;
  123. }
  124. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $account->getId() . '_ADMINISTRATOR')) {
  125. return true;
  126. }
  128. // Matter/Project manager (role-based)
  129. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_PROJECTMANAGER')) {
  130. return true;
  131. }
  133. // Matter/Project manager (entity relationship fallback)
  134. if ($project->getManager() && $project->getManager() === $user) {
  135. return true;
  136. }
  138. return false;
  139. }
  141. /**
  142. * Check if a user has match access for an account based on account-level and user-level settings.
  143. *
  144. * @param Account $account
  145. * @param UserInterface $user
  146. *
  147. * @return bool
  148. */
  149. private function hasUserMatchAccess(Account $account, UserInterface $user): bool
  150. {
  151. // If account allows all client users, grant access
  152. if ($account->isMatchOptInAllClientUsers()) {
  153. return true;
  154. }
  156. // If account is set to specific users, check user's individual matchOptIn
  157. if ($account->isMatchOptInSpecificUsers() && $user instanceof User) {
  158. return $user->getMatchOptIn();
  159. }
  161. return false;
  162. }
  164. /**
  165. * Determines if a user can view as an Expert.
  166. * Allows access to secondary users linked to an expert, but only if the expert has not confirmed a primary user yet.
  167. * Once a primary user is confirmed, only that user can view as the expert.
  168. *
  169. * @param UserInterface $user
  170. * @param Project $project
  171. *
  172. * @return bool
  173. */
  174. private function canViewAsExpert(UserInterface $user, Project $project): bool
  175. {
  176. // Invited Experts
  177. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')) {
  178. return true;
  179. }
  180. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  181. return true;
  182. }
  184. $isPrimaryUserForExpert = $this->matchExpertUserService->isPrimaryUserForExpert($user);
  185. if ($isPrimaryUserForExpert) {
  186. // If the expert has not confirmed a primary user yet, secondary users are treated as primary
  187. $user = $this->matchExpertUserService->getPrimaryUserForExpert($user);
  188. }
  190. // Uninvited Experts can only view if they are participants in the message thread for the project
  191. if (!$user instanceof User) {
  192. return false;
  193. }
  195. return $this->messageThreadParticipantRepository->isUserParticipantInProject($project, $user);
  196. }
  198. /**
  199. * Determines if a user can view as an Expert.
  200. * Allows access to secondary users linked to an expert, but only have the primary is a participant in the project threads
  201. *
  202. * @param UserInterface $user
  203. * @param Project $project
  204. *
  205. * @return bool
  206. */
  207. private function canViewAsPrimaryOrSecondaryExpert(UserInterface $user, Project $project): bool
  208. {
  209. //If the expert has not confirmed a primary user yet, secondary users are treated as primary
  210. $user = $this->matchExpertUserService->getPrimaryUserForExpert($user);
  212. // Uninvited Experts can only view if they are participants in the message thread for the project
  213. if (!$user instanceof User) {
  214. return false;
  215. }
  217. // Check if the user is a participant in any thread for the project
  218. return $this->messageThreadParticipantRepository->isUserParticipantInProject($project, $user);
  219. }
  221. /**
  222. * Limits access to certain project related functionality in the event that they are an expert,
  223. * but have no expert roles for the project yet.
  224. * Can be coupled with canViewAsExpert to show specific information, but limit others
  225. *
  226. * @param UserInterface $user
  227. * @param Project $project
  228. *
  229. * @return bool
  230. */
  231. private function canViewRecordsRadiologyTabs(UserInterface $user, Project $project): bool
  232. {
  233. $userType = $this->matchExpertUserService->getUserType($user);
  235. // If the user is an expert, we need to check if they have roles for the project
  236. if ($userType === MatchMyExpertsThreadBuilder::USER_TYPE_EXPERT) {
  237. // Experts without project roles are denied view access to the records and radiology tabs
  238. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')
  239. || $this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  240. return true;
  241. }
  243. // Return false if they are an expert but don't have the expert role for the project
  244. return false;
  245. }
  247. // Currently there are no specific restrictions on viewing these tabs outside of this for now
  248. // so we return true
  249. return true;
  250. }
  252. /**
  253. * Determines if a user can see the messages navigation tab
  254. *
  255. * @param UserInterface $user
  256. *
  257. * @return bool
  258. */
  259. private function canViewMessagesNavigation(UserInterface $user): bool
  260. {
  261. // MB admins
  262. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  263. return true;
  264. }
  266. // If the user has the expert or expert viewer role, allow access
  267. if ($this->matchExpertUserService->isUserExpert($user)) {
  268. // Only experts with an expert profile
  269. if ($this->expertUserRepository->getExpertByUser($user) instanceof Expert) {
  270. return true;
  271. }
  272. }
  274. // Extract account IDs and project IDs from user roles
  275. $userRoles = $user->getRoles();
  276. $accountIds = [];
  277. $projectIds = [];
  279. foreach ($userRoles as $role) {
  280. if (preg_match('/^ROLE_ACCOUNT_(\d+)_/', $role, $matches)) {
  281. $accountIds[] = (int) $matches[1];
  282. }
  284. if (preg_match('/^ROLE_PROJECT_(\d+)_/', $role, $matches)) {
  285. $projectIds[] = (int) $matches[1];
  286. }
  287. }
  289. // Remove duplicates
  290. $accountIds = array_unique($accountIds);
  291. $projectIds = array_unique($projectIds);
  293. // Check if any accounts have match enabled and user has access
  294. if (!empty($accountIds)) {
  295. $accounts = $this->accountRepository->findBy(['id' => $accountIds]);
  296. foreach ($accounts as $account) {
  297. if ($account->isMatchEnabled() && $this->hasUserMatchAccess($account, $user)) {
  298. return true;
  299. }
  300. }
  301. }
  303. // Check if any projects with accounts have match enabled and user has access
  304. if (!empty($projectIds)) {
  305. $projects = $this->projectRepository->findBy(['id' => $projectIds]);
  306. foreach ($projects as $project) {
  307. $account = $project->getAccount();
  308. if ($account && $account->isMatchEnabled() && $this->hasUserMatchAccess($account, $user)) {
  309. return true;
  310. }
  311. }
  312. }
  314. return false;
  315. }
  317. /**
  318. * Determines if an expert user has accepted the expert terms.
  319. *
  320. * @param UserInterface $user
  321. *
  322. * @return bool
  323. */
  324. private function canViewExpertTermsAccepted(UserInterface $user): bool
  325. {
  326. // If the user has the expert or expert viewer role, allow access
  327. if ($this->matchExpertUserService->isUserExpert($user)) {
  328. // Only experts with an expert profile
  329. if ($this->expertUserRepository->getExpertByUser($user) instanceof Expert) {
  330. // Check if the expert has accepted the terms
  331. if ($this->matchLetterResponseRepository->hasExpertAcceptedTerms($user)) {
  332. return true;
  333. }
  334. }
  335. }
  337. // Default deny
  338. return false;
  339. }
  340. }