src/Security/Voter/PDFTronAnnotationVoter.php line 16

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use Doctrine\ORM\EntityManagerInterface;
  6. use InvalidArgumentException;
  7. use MedBrief\MSR\Entity\Annotation;
  8. use MedBrief\MSR\Entity\Document;
  9. use MedBrief\MSR\Entity\User;
  10. use Override;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  14. use Symfony\Component\Security\Core\User\UserInterface;
  16. class PDFTronAnnotationVoter implements VoterInterface
  17. {
  18. public const CREATE = 'CREATE';
  19. public const READ = 'READ';
  20. public const UPDATE = 'UPDATE';
  21. public const DELETE = 'DELETE';
  22. public const ADMINISTRATION = 'ADMINISTRATION';
  23. public const UPDATE_VISIBILITY = 'UPDATE_VISIBILITY';
  25. public function __construct(private readonly AuthorizationCheckerInterface $authorizationChecker, private readonly EntityManagerInterface $entityManager)
  26. {
  27. }
  29. public function supportsAttribute($attribute): bool
  30. {
  31. return in_array($attribute, [
  32. self::CREATE,
  33. self::READ,
  34. self::UPDATE,
  35. self::DELETE,
  36. self::ADMINISTRATION,
  37. self::UPDATE_VISIBILITY,
  38. ]);
  39. }
  41. public function supportsClass($class): bool
  42. {
  43. $supportedClass = Annotation::class;
  45. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  46. }
  48. /**
  49. *
  50. * @param mixed $entity
  51. */
  52. #[Override]
  53. public function vote(TokenInterface $token, $entity, array $attributes)
  54. {
  55. /**
  56. * START: This is common code for all Voter::vote() methods
  57. */
  58. // check if class of this object is supported by this voter
  59. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  60. return VoterInterface::ACCESS_ABSTAIN;
  61. }
  63. // check if the voter is used correct, only allow one attribute
  64. // this isn't a requirement, it's just one easy way for you to
  65. // design your voter
  66. if (1 !== count($attributes)) {
  67. throw new InvalidArgumentException(
  68. 'Only one attribute is allowed for medbrief Voters.'
  69. );
  70. }
  72. // set the attribute to check against
  73. $attribute = $attributes[0];
  75. // check if the given attribute is covered by this voter
  76. if (!$this->supportsAttribute($attribute)) {
  77. return VoterInterface::ACCESS_ABSTAIN;
  78. }
  80. // get current logged in user
  81. /** @var User $user */
  82. $user = $token->getUser();
  84. // make sure there is a user object (i.e. that the user is logged in)
  85. if (!$user instanceof UserInterface) {
  86. return VoterInterface::ACCESS_DENIED;
  87. }
  89. // Admin and Super admin users can do everything.
  90. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  91. return VoterInterface::ACCESS_GRANTED;
  92. }
  93. /**
  94. * END: Common code for all Voter:vote() methods. Put custom logic below.
  95. */
  97. // Check if the user has access to the Document in order to determine if they can see the annotations.
  98. if ($entity->getDocumentId()) {
  99. // Retrieve the Document...
  100. /** @var Document $document */
  101. $document = $this->entityManager->getRepository(Document::class)->find($entity->getDocumentId());
  103. // You need to be able to read the Project the Document belongs to, and you stream the native file for the Document,
  104. // to do anything related to the Document's annotations.
  105. if ($document && $document->getProject() && ($this->authorizationChecker->isGranted('READ', $document->getProject())
  106. && $this->authorizationChecker->isGranted('STREAM_NATIVE', $document))) {
  107. // The basic permissions for a Document is enough to allow CREATE of annotations.
  108. if ($attribute === self::CREATE) {
  109. return VoterInterface::ACCESS_GRANTED;
  110. }
  111. // Reading annotations is based on the visibility of the Annotation, unless the user has Client level access,
  112. // or is a Project manager for the Project the annotation's document belongs to.
  113. if ($attribute === self::READ) {
  114. // For disclosure matters, only annotations made by the user can be seen by them.
  115. if ($document->getProject()->isTypeDisclosure() === true) {
  116. if ($entity->getAuthorId() == $user->getId()) {
  117. return VoterInterface::ACCESS_GRANTED;
  118. }
  119. } elseif ($entity->isPubliclyVisible()) {
  120. // If the annotation is public, everyone can see it.
  121. return VoterInterface::ACCESS_GRANTED;
  122. } elseif ($entity->getAuthorId() == $user->getId()) {
  123. // If the user is the author of the annotation, they can see it.
  124. return VoterInterface::ACCESS_GRANTED;
  125. } elseif ($user->isAccountAdministrator()) {
  126. // If the user is an account level administrator, they can see all annotations.
  127. return VoterInterface::ACCESS_GRANTED;
  128. } elseif ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $document->getProject()->getId() . '_PROJECTMANAGER')) {
  129. // If the user is a project manager for the Matter the document belongs to, they can see all annotations.
  130. return VoterInterface::ACCESS_GRANTED;
  131. }
  132. }
  133. // In order to UPDATE or DELETE an annotation, you must be the Annotation's Author.
  134. if (($attribute === self::UPDATE || $attribute === self::DELETE) && $entity->getAuthorId() == $user->getId()) {
  135. return VoterInterface::ACCESS_GRANTED;
  136. }
  137. // Check if the user can update the visibility of an annotation.
  138. if ($attribute === self::UPDATE_VISIBILITY && $this->authorizationChecker->isGranted('UPDATE_ANNOTATION_VISIBILITY', $document)) {
  139. return VoterInterface::ACCESS_GRANTED;
  140. }
  141. }
  142. }
  144. // If we get to the end of this function, then no decisions have been
  145. // made so we deny access
  146. return VoterInterface::ACCESS_DENIED;
  147. }
  148. }