src/Security/Voter/MatchVoter.php line 24

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use MedBrief\MSR\Entity\Account;
  6. use MedBrief\MSR\Entity\Expert;
  7. use MedBrief\MSR\Entity\Project;
  8. use MedBrief\MSR\Entity\User;
  9. use MedBrief\MSR\Repository\AccountRepository;
  10. use MedBrief\MSR\Repository\ExpertRepository;
  11. use MedBrief\MSR\Repository\ExpertUserRepository;
  12. use MedBrief\MSR\Repository\MatchLetterResponseRepository;
  13. use MedBrief\MSR\Repository\MessageThreadParticipantRepository;
  14. use MedBrief\MSR\Repository\ProjectRepository;
  15. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  16. use MedBrief\MSR\Service\ProjectMatch\MatchExpertUser;
  17. use MedBrief\MSR\Service\ProjectMatch\MatchMyExpertsThreadBuilder;
  18. use Override;
  19. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  20. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  21. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  22. use Symfony\Component\Security\Core\User\UserInterface;
  24. class MatchVoter extends Voter
  25. {
  26. public const VIEW_FIRM = 'MATCH_VIEW_FIRM';
  27. public const VIEW_EXPERT = 'MATCH_VIEW_EXPERT';
  28. public const VIEW_EXPERT_TERMS_ACCEPTED = 'MATCH_VIEW_EXPERT_TERMS_ACCEPTED';
  29. public const VIEW_MESSAGES_NAV = 'MATCH_VIEW_MESSAGES_NAV';
  30. public const VIEW_RECORDS_RADIOLOGY_TABS = 'MATCH_VIEW_RECORDS_RADIOLOGY_TABS';
  31. public const VIEW_PRIMARY_OR_SECONDARY_EXPERT = 'MATCH_VIEW_PRIMARY_OR_SECONDARY_EXPERT';
  33. public function __construct(
  34. private readonly AuthorizationCheckerInterface $auth,
  35. private readonly AccountRepository $accountRepository,
  36. private readonly ExpertRepository $expertRepository,
  37. private readonly MessageThreadParticipantRepository $messageThreadParticipantRepository,
  38. private readonly ProjectRepository $projectRepository,
  39. private readonly MatchLetterResponseRepository $matchLetterResponseRepository,
  40. private readonly ExpertUserRepository $expertUserRepository,
  41. private readonly MatchExpertUser $matchExpertUserService,
  42. private readonly UserHelper $userHelperService,
  43. ) {
  44. }
  46. #[Override]
  47. protected function supports(string $attribute, mixed $subject): bool
  48. {
  49. if ($attribute === self::VIEW_MESSAGES_NAV || $attribute === self::VIEW_EXPERT_TERMS_ACCEPTED) {
  50. return $subject === null;
  51. }
  53. return \in_array($attribute, [self::VIEW_FIRM, self::VIEW_EXPERT, self::VIEW_RECORDS_RADIOLOGY_TABS, self::VIEW_PRIMARY_OR_SECONDARY_EXPERT], true)
  54. && $subject instanceof Project;
  55. }
  57. #[Override]
  58. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  59. {
  60. $user = $token->getUser();
  61. if (!$user instanceof UserInterface) {
  62. return false;
  63. }
  65. /** @var Project $project */
  66. $project = $subject;
  68. return match ($attribute) {
  69. self::VIEW_FIRM => $this->canViewAsFirm($user, $project),
  70. self::VIEW_EXPERT => $this->canViewAsExpert($user, $project),
  71. self::VIEW_EXPERT_TERMS_ACCEPTED => $this->canViewExpertTermsAccepted($user),
  72. self::VIEW_MESSAGES_NAV => $this->canViewMessagesNavigation($user),
  73. self::VIEW_RECORDS_RADIOLOGY_TABS => $this->canViewRecordsRadiologyTabs($user, $project),
  74. self::VIEW_PRIMARY_OR_SECONDARY_EXPERT => $this->canViewAsPrimaryOrSecondaryExpert($user, $project),
  75. default => false,
  76. };
  77. }
  79. /**
  80. * Determines if the user can view the match tab.
  81. * User roles allowed:
  82. * - MB super admins (ROLE_SUPER_ADMIN)
  83. * - MB admins (ROLE_ADMIN)
  84. * - Client super admins (ROLE_ACCOUNT_{accountId}_SUPERADMINISTRATOR)
  85. * - Client admins (ROLE_ACCOUNT_{accountId}_ADMINISTRATOR)
  86. * - Matter/Project managers:
  87. * - Role-based: ROLE_PROJECT_{projectId}_PROJECTMANAGER
  88. * - Entity-based: $project->getManager() === $user
  89. *
  90. * @param UserInterface $user
  91. * @param Project $project
  92. *
  93. * @return bool
  94. */
  95. private function canViewAsFirm(UserInterface $user, Project $project): bool
  96. {
  97. $account = $project->getAccount();
  99. // Check if the matter is of type Clinical Negligence and is a client matter
  100. if ($project->getMatterType() !== Project::MATTER_TYPE_CLINICAL_NEGLIGENCE
  101. || $project->getType() !== Project::TYPE_MATTER_FIRM
  102. || $project->getMatterRequest() === null
  103. ) {
  104. return false;
  105. }
  107. // Check if account has match enabled at all
  108. if (!$account->isMatchEnabled()) {
  109. return false;
  110. }
  112. // MB admins - only need account-level match enabled
  113. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  114. return true;
  115. }
  117. // For client users, check if they have match access based on account settings
  118. if (!$this->hasUserMatchAccess($account, $user)) {
  119. return false;
  120. }
  122. // Client-level admins
  123. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $account->getId() . '_SUPERADMINISTRATOR')) {
  124. return true;
  125. }
  126. if ($this->auth->isGranted('ROLE_ACCOUNT_' . $account->getId() . '_ADMINISTRATOR')) {
  127. return true;
  128. }
  130. // Matter/Project manager (role-based)
  131. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_PROJECTMANAGER')) {
  132. return true;
  133. }
  135. // Matter/Project manager (entity relationship fallback)
  136. if ($project->getManager() && $project->getManager() === $user) {
  137. return true;
  138. }
  140. return false;
  141. }
  143. /**
  144. * Check if a user has match access for an account based on account-level and user-level settings.
  145. *
  146. * @param Account $account
  147. * @param UserInterface $user
  148. *
  149. * @return bool
  150. */
  151. private function hasUserMatchAccess(Account $account, UserInterface $user): bool
  152. {
  153. // If account allows all client users, grant access
  154. if ($account->isMatchOptInAllClientUsers()) {
  155. return true;
  156. }
  158. // If account is set to specific users, check user's individual matchOptIn
  159. if ($account->isMatchOptInSpecificUsers() && $user instanceof User) {
  160. return $user->getMatchOptIn();
  161. }
  163. return false;
  164. }
  166. /**
  167. * Determines if a user can view as an Expert.
  168. * Allows access to secondary users linked to an expert, but only if the expert has not confirmed a primary user yet.
  169. * Once a primary user is confirmed, only that user can view as the expert.
  170. *
  171. * @param UserInterface $user
  172. * @param Project $project
  173. *
  174. * @return bool
  175. */
  176. private function canViewAsExpert(UserInterface $user, Project $project): bool
  177. {
  178. // Invited Experts
  179. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERT')) {
  180. return true;
  181. }
  182. if ($this->auth->isGranted('ROLE_PROJECT_' . $project->getId() . '_EXPERTVIEWER')) {
  183. return true;
  184. }
  186. $isPrimaryUserForExpert = $this->matchExpertUserService->isPrimaryUserForExpert($user);
  187. if ($isPrimaryUserForExpert) {
  188. // If the expert has not confirmed a primary user yet, secondary users are treated as primary
  189. $user = $this->matchExpertUserService->getPrimaryUserForExpert($user);
  190. }
  192. // Uninvited Experts can only view if they are participants in the message thread for the project
  193. if (!$user instanceof User) {
  194. return false;
  195. }
  197. return $this->messageThreadParticipantRepository->isUserParticipantInProject($project, $user);
  198. }
  200. /**
  201. * Determines if a user can view as an Expert.
  202. * Allows access to secondary users linked to an expert, but only have the primary is a participant in the project threads
  203. *
  204. * @param UserInterface $user
  205. * @param Project $project
  206. *
  207. * @return bool
  208. */
  209. private function canViewAsPrimaryOrSecondaryExpert(UserInterface $user, Project $project): bool
  210. {
  211. //If the expert has not confirmed a primary user yet, secondary users are treated as primary
  212. $user = $this->matchExpertUserService->getPrimaryUserForExpert($user);
  214. // Uninvited Experts can only view if they are participants in the message thread for the project
  215. if (!$user instanceof User) {
  216. return false;
  217. }
  219. // Check if the user is a participant in any thread for the project
  220. return $this->messageThreadParticipantRepository->isUserParticipantInProject($project, $user);
  221. }
  223. /**
  224. * Limits access to certain project related functionality in the event that they are an expert,
  225. * but have no expert roles for the project yet.
  226. * Can be coupled with canViewAsExpert to show specific information, but limit others
  227. *
  228. * @param UserInterface $user
  229. * @param Project $project
  230. *
  231. * @return bool
  232. */
  233. private function canViewRecordsRadiologyTabs(UserInterface $user, Project $project): bool
  234. {
  235. $this->userHelperService->setUser($user);
  236. $userType = $this->matchExpertUserService->getUserType($user);
  238. // If the user is an expert, we need to check if they have roles for the project
  239. if ($userType === MatchMyExpertsThreadBuilder::USER_TYPE_EXPERT) {
  240. // Experts without project roles are denied view access to the records and radiology tabs
  241. // We check for any project role, as scanners and scanner download might also have Expert profiles.
  242. if ($this->userHelperService->hasProjectRole($project) || $this->userHelperService->hasAccountRole($project->getAccount())) {
  243. return true;
  244. }
  246. // Return false if they are an expert but don't have the expert role for the project
  247. return false;
  248. }
  250. // Currently there are no specific restrictions on viewing these tabs outside of this for now
  251. // so we return true
  252. return true;
  253. }
  255. /**
  256. * Determines if a user can see the messages navigation tab
  257. *
  258. * @param UserInterface $user
  259. *
  260. * @return bool
  261. */
  262. private function canViewMessagesNavigation(UserInterface $user): bool
  263. {
  264. // MB admins
  265. if ($this->auth->isGranted('ROLE_SUPER_ADMIN') || $this->auth->isGranted('ROLE_ADMIN')) {
  266. return true;
  267. }
  269. // If the user has the expert or expert viewer role, allow access
  270. if ($this->matchExpertUserService->isUserExpert($user)) {
  271. // Only experts with an expert profile
  272. if ($this->expertUserRepository->getExpertByUser($user) instanceof Expert) {
  273. return true;
  274. }
  275. }
  277. // Extract account IDs and project IDs from user roles
  278. $userRoles = $user->getRoles();
  279. $accountIds = [];
  280. $projectIds = [];
  282. foreach ($userRoles as $role) {
  283. if (preg_match('/^ROLE_ACCOUNT_(\d+)_/', $role, $matches)) {
  284. $accountIds[] = (int) $matches[1];
  285. }
  287. if (preg_match('/^ROLE_PROJECT_(\d+)_/', $role, $matches)) {
  288. $projectIds[] = (int) $matches[1];
  289. }
  290. }
  292. // Remove duplicates
  293. $accountIds = array_unique($accountIds);
  294. $projectIds = array_unique($projectIds);
  296. // Check if any accounts have match enabled and user has access
  297. if (!empty($accountIds)) {
  298. $accounts = $this->accountRepository->findBy(['id' => $accountIds]);
  299. foreach ($accounts as $account) {
  300. if ($account->isMatchEnabled() && $this->hasUserMatchAccess($account, $user)) {
  301. return true;
  302. }
  303. }
  304. }
  306. // Check if any projects with accounts have match enabled and user has access
  307. if (!empty($projectIds)) {
  308. $projects = $this->projectRepository->findBy(['id' => $projectIds]);
  309. foreach ($projects as $project) {
  310. $account = $project->getAccount();
  311. if ($account && $account->isMatchEnabled() && $this->hasUserMatchAccess($account, $user)) {
  312. return true;
  313. }
  314. }
  315. }
  317. return false;
  318. }
  320. /**
  321. * Determines if an expert user has accepted the expert terms.
  322. *
  323. * @param UserInterface $user
  324. *
  325. * @return bool
  326. */
  327. private function canViewExpertTermsAccepted(UserInterface $user): bool
  328. {
  329. // If the user has the expert or expert viewer role, allow access
  330. if ($this->matchExpertUserService->isUserExpert($user)) {
  331. // Only experts with an expert profile
  332. if ($this->expertUserRepository->getExpertByUser($user) instanceof Expert) {
  333. // Check if the expert has accepted the terms
  334. if ($this->matchLetterResponseRepository->hasExpertAcceptedTerms($user)) {
  335. return true;
  336. }
  337. }
  338. }
  340. // Default deny
  341. return false;
  342. }
  343. }