src/Security/Voter/ProjectLicenseLevelVoter.php line 13

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Project;
  7. use Override;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  11. use Symfony\Component\Security\Core\User\UserInterface;
  13. class ProjectLicenseLevelVoter implements VoterInterface
  14. {
  15. public const FEATURE_VIEW_RADIOLOGY = 'FEATURE_VIEW_RADIOLOGY';
  17. public function supportsAttribute($attribute): bool
  18. {
  19. return $attribute == self::FEATURE_VIEW_RADIOLOGY;
  20. }
  22. public function supportsClass($class): bool
  23. {
  24. $supportedClass = Project::class;
  26. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  27. }
  29. /**
  30. *
  31. * @param mixed $entity
  32. */
  33. #[Override]
  34. public function vote(TokenInterface $token, $entity, array $attributes)
  35. {
  36. /**
  37. * START: This is common code for all Voter::vote() methods
  38. */
  39. // check if class of this object is supported by this voter
  40. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  41. return VoterInterface::ACCESS_ABSTAIN;
  42. }
  44. // check if the voter is used correct, only allow one attribute
  45. // this isn't a requirement, it's just one easy way for you to
  46. // design your voter
  47. if (1 !== count($attributes)) {
  48. throw new InvalidArgumentException(
  49. 'Only one attribute is allowed for medbrief Voters.'
  50. );
  51. }
  53. // set the attribute to check against
  54. $attribute = $attributes[0];
  56. // check if the given attribute is covered by this voter
  57. if (!$this->supportsAttribute($attribute)) {
  58. return VoterInterface::ACCESS_ABSTAIN;
  59. }
  61. // get current logged in user
  62. $user = $token->getUser();
  64. // make sure there is a user object (i.e. that the user is logged in)
  65. if (!$user instanceof UserInterface) {
  66. return VoterInterface::ACCESS_DENIED;
  67. }
  69. // In the case of this voter, MedBrief Admin and Super Admin should not see the feature either,
  70. // as the functionality is effectively removed.
  71. // if ($this->authorizationChecker->isGranted('ROLE_ADMIN'))
  72. // {
  73. // return VoterInterface::ACCESS_GRANTED;
  74. // }
  75. /**
  76. * END: Common code for all Voter:vote() methods. Put custom logic below.
  77. */
  79. // An array containing the features we can check with this voter, and the corresponding license levels that
  80. // grant access to them.
  81. $featureLicenses = [];
  83. // FEATURE_VIEW_RADIOLOGY
  84. $featureLicenses[self::FEATURE_VIEW_RADIOLOGY] = $this->allLicenseLevelsExcept([
  85. Project::LICENSE_LEVEL_BASIC,
  86. ]);
  88. // If we have a set of allowed license levels for this attribute, and the Project's license level falls in that set,
  89. // we grant access.
  90. if (isset($featureLicenses[$attribute]) && in_array($entity->getLicenseLevel(), $featureLicenses[$attribute], true)) {
  91. return VoterInterface::ACCESS_GRANTED;
  92. }
  94. // If we get to the end of this function, then no decisions have been
  95. // made so we deny access
  96. return VoterInterface::ACCESS_DENIED;
  97. }
  99. /**
  100. * A convenience method for specifying all Project License Levels,
  101. * except the specified excluded ones.
  102. *
  103. * @param array $excludeLicenseLevels
  104. */
  105. private function allLicenseLevelsExcept(array $excludeLicenseLevels): array
  106. {
  107. return array_filter($this->allLicenseLevels(), fn ($licenseLevel): bool => !in_array($licenseLevel, $excludeLicenseLevels));
  108. }
  110. /**
  111. * A convenience method for specifying all Project License Levels.
  112. */
  113. private function allLicenseLevels(): array
  114. {
  115. return array_keys(Project::getILicenseLevelOptions());
  116. }
  117. }