<?phpnamespace MedBrief\MSR\Security\Voter;use InvalidArgumentException;use MedBrief\MSR\Entity\OrthancAnnotation;use Override;use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;use Symfony\Component\Security\Core\User\UserInterface;class OrthancAnnotationVoter implements VoterInterface{ public const CREATE = 'CREATE'; public const READ = 'READ'; public const UPDATE = 'UPDATE'; public const DELETE = 'DELETE'; public const ADMINISTRATION = 'ADMINISTRATION'; public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker) { } public function supportsAttribute($attribute): bool { return in_array($attribute, [ self::CREATE, self::READ, self::UPDATE, self::DELETE, self::ADMINISTRATION, ]); } public function supportsClass($class): bool { $supportedClass = OrthancAnnotation::class; return $supportedClass === $class || is_subclass_of($class, $supportedClass); } /** * * @param mixed $entity */ #[Override] public function vote(TokenInterface $token, $entity, array $attributes) { /** * START: This is common code for all Voter::vote() methods */ // check if class of this object is supported by this voter if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) { return VoterInterface::ACCESS_ABSTAIN; } // check if the voter is used correct, only allow one attribute // this isn't a requirement, it's just one easy way for you to // design your voter if (1 !== count($attributes)) { throw new InvalidArgumentException( 'Only one attribute is allowed for medbrief Voters.' ); } // set the attribute to check against $attribute = $attributes[0]; // check if the given attribute is covered by this voter if (!$this->supportsAttribute($attribute)) { return VoterInterface::ACCESS_ABSTAIN; } // get current logged in user $user = $token->getUser(); // make sure there is a user object (i.e. that the user is logged in) if (!$user instanceof UserInterface) { return VoterInterface::ACCESS_DENIED; } // Admin and Super admin users can do everything. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) { return VoterInterface::ACCESS_GRANTED; } /** * END: Common code for all Voter:vote() methods. Put custom logic below. */ // Check if the user has access to the Document in order to determine if they can see the annotations. if ($entity->getDocument()) { // Retrieve the Document... $document = $entity->getDocument(); // You need to be able to read the Project the Document if ($document && $document->getProject() && $this->authorizationChecker->isGranted('READ', $document->getProject())) { // The basic permissions for a Project is enough to allow CREATE of annotations. if ($attribute === self::CREATE) { return VoterInterface::ACCESS_GRANTED; } // If you can see an annotation, you can update or delete it at this time, due to a limitation of the // Osimis viewer. if ($attribute === self::READ || $attribute === self::UPDATE || $attribute === self::DELETE) { // If the annotation is public, everyone can see it. if ($user->isAccountAdministrator()) { // If the user is an account level administrator, they can see all annotations. return VoterInterface::ACCESS_GRANTED; } elseif ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $document->getProject()->getId() . '_PROJECTMANAGER')) { // If the user is a project manager for the Matter the document belongs to, they can see all annotations. return VoterInterface::ACCESS_GRANTED; } elseif ($entity->getCreator()->getId() == $user->getId()) { // Everyone can see their annotations return VoterInterface::ACCESS_GRANTED; } } } } // If we get to the end of this function, then no decisions have been // made so we deny access return VoterInterface::ACCESS_DENIED; }}