src/Security/Voter/ProjectVoter.php line 20

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Account;
  7. use MedBrief\MSR\Entity\Firm;
  8. use MedBrief\MSR\Entity\InterpartyDisclosure;
  9. use MedBrief\MSR\Entity\Project;
  10. use MedBrief\MSR\Entity\User;
  11. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  12. use MedBrief\MSR\Service\Role\RoleParserService;
  13. use MedBrief\MSR\Traits\Security\Authorization\Voter\ClientSortingSessionTrait;
  14. use Override;
  15. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  16. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  17. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  18. use Symfony\Component\Security\Core\User\UserInterface;
  20. class ProjectVoter implements VoterInterface
  21. {
  22. use ClientSortingSessionTrait;
  24. // CONSTANTS
  26. public const CREATE = 'CREATE';
  27. public const READ = 'READ';
  28. public const UPDATE = 'UPDATE';
  29. public const DELETE = 'DELETE';
  30. public const ADMINISTRATION = 'ADMINISTRATION';
  32. public const MEDICAL_RECORDS_ADMINISTRATION = 'MEDICAL_RECORDS_ADMINISTRATION';
  33. public const RADIOLOGY_ADMINISTRATION = 'RADIOLOGY_ADMINISTRATION';
  35. public const USER_ADMINISTRATION = 'USER_ADMINISTRATION';
  36. public const CLINICAL_SUMMARY_PROJECT_ADMINISTRATION = 'CLINICAL_SUMMARY_PROJECT_ADMINISTRATION';
  38. public const PROJECT_USER_LIST = 'PROJECT_USER_LIST';
  40. public const VIEW_DASHBOARD = 'VIEW_DASHBOARD';
  41. public const TOGGLE_STATUS = 'TOGGLE_STATUS';
  42. public const ARCHIVE = 'ARCHIVE';
  43. public const CANCEL_DELETE = 'CANCEL_DELETE';
  45. public const RADIOLOGY_DOWNLOAD = 'RADIOLOGY_DOWNLOAD';
  46. public const RADIOLOGY_DOWNLOAD_AUDIT_REPORT = 'RADIOLOGY_DOWNLOAD_AUDIT_REPORT';
  47. public const MEDICAL_RECORD_DOWNLOAD = 'MEDICAL_RECORD_DOWNLOAD';
  48. public const DELETION_REPORT_DOWNLOAD = 'DELETION_REPORT_DOWNLOAD';
  49. public const INTERNAL_USER_ACCESS_REPORT_DOWNLOAD = 'INTERNAL_USER_ACCESS_REPORT_DOWNLOAD';
  51. public const CHRONOLOGY_ADMINISTRATION = 'CHRONOLOGY_ADMINISTRATION';
  53. // This permission determines if a user sees an inactive notice message
  54. // when an inactive Project is accessed.
  55. public const BYPASS_INACTIVE_NOTICE = 'BYPASS_INACTIVE_NOTICE';
  57. // This permission determines if a user can view a closed project
  58. public const BYPASS_CLOSED_NOTICE = 'BYPASS_CLOSED_NOTICE';
  60. // Keep these permissions on a Project, as creating any of these
  61. // directly affects a Project.
  62. public const CREATE_BATCH_REQUEST = 'CREATE_BATCH_REQUEST';
  63. public const CREATE_BATCH_REQUEST_SIMPLE = 'CREATE_BATCH_REQUEST_SIMPLE';
  64. public const CREATE_CHRONOLOGY_REQUEST = 'CREATE_CHRONOLOGY_REQUEST';
  65. public const CREATE_ADDITIONAL_REQUEST = 'CREATE_ADDITIONAL_REQUEST';
  67. // Sorting Session
  68. public const SORTING_SESSION_LIST = 'SORTING_SESSION_LIST';
  69. public const CREATE_SORTING_SESSION = 'CREATE_SORTING_SESSION';
  70. public const CREATE_SORTING_SESSION_SIMPLE = 'CREATE_SORTING_SESSION_SIMPLE';
  72. // Creating a matter note
  73. public const CREATE_MATTER_NOTE = 'CREATE_MATTER_NOTE';
  74. // Allow list of matter notes
  75. public const LIST_MATTER_NOTES = 'LIST_MATTER_NOTES';
  77. // Allow view of matter communications
  78. public const VIEW_MATTER_COMMUNICATIONS = 'VIEW_MATTER_COMMUNICATIONS';
  80. // Disclosure permissions
  81. public const MEDICAL_RECORDS_DISCLOSE = 'MEDICAL_RECORDS_DISCLOSE';
  82. public const DISCLOSE_DISC = 'DISCLOSE_DISC';
  84. public const BYPASS_AUTHENTICATION = 'BYPASS_AUTHENTICATION';
  86. // Allows changing the account value of a Matter
  87. public const CHANGE_ACCOUNT = 'CHANGE_ACCOUNT';
  89. // Allows user to create a record request letter
  90. public const MANAGE_REQUEST_LETTERS = 'MANAGE_REQUEST_LETTERS';
  92. // Allows a user to see the 'Unsorted' records for a Project
  93. public const VIEW_UNSORTED_RECORDS = 'VIEW_UNSORTED_RECORDS';
  95. // Project Closure Permissions
  96. public const CREATE_PROJECT_CLOSURE = 'CREATE_PROJECT_CLOSURE';
  97. public const DOWNLOAD_ALL_PROJECT_FILES = 'DOWNLOAD_ALL_PROJECT_FILES';
  98. public const DOWNLOAD_PROJECT_CLOSURE_REPORT = 'DOWNLOAD_PROJECT_CLOSURE_REPORT';
  100. // Allows the user to see a modal showing important notes on the matter, if any.
  101. public const VIEW_IMPORTANT_NOTES = 'VIEW_IMPORTANT_NOTES';
  103. // Allows the user to see the service request requirement banners on the matter dashboard.
  104. public const VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS = 'VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS';
  106. // Inter-party Disclosure
  107. public const CREATE_INTERPARTY_DISCLOSURE = 'CREATE_INTERPARTY_DISCLOSURE';
  108. public const LIST_INTERPARTY_DISCLOSURE = 'LIST_INTERPARTY_DISCLOSURE';
  110. // Allows by passing the disabled state of service requests when a matter/project is closed or in the process of being closed.
  111. public const BYPASS_SERVICE_REQUEST_DISABLED = 'BYPASS_SERVICE_REQUEST_DISABLED';
  113. // Allows the user to download the 'user download medical records viewed report'
  114. public const VIEW_THIRD_PARTY_ACCESS_REPORT = 'VIEW_THIRD_PARTY_ACCESS_REPORT';
  116. public function __construct(private AuthorizationCheckerInterface $authorizationChecker, private UserHelper $userHelper)
  117. {
  118. }
  120. /**
  121. * Whether or not this User is allowed to perform specific actions on this Entity
  122. *
  123. * @param mixed $attribute
  124. */
  125. public function supportsAttribute(mixed $attribute): bool
  126. {
  127. return in_array($attribute, [
  128. self::CREATE,
  129. self::READ,
  130. self::UPDATE,
  131. self::DELETE,
  132. self::ADMINISTRATION,
  133. self::MEDICAL_RECORDS_ADMINISTRATION,
  134. self::RADIOLOGY_ADMINISTRATION,
  135. self::USER_ADMINISTRATION,
  136. self::VIEW_DASHBOARD,
  137. self::TOGGLE_STATUS,
  138. self::PROJECT_USER_LIST,
  139. self::RADIOLOGY_DOWNLOAD,
  140. self::RADIOLOGY_DOWNLOAD_AUDIT_REPORT,
  141. self::MEDICAL_RECORD_DOWNLOAD,
  142. self::DELETION_REPORT_DOWNLOAD,
  143. self::INTERNAL_USER_ACCESS_REPORT_DOWNLOAD,
  144. self::CHRONOLOGY_ADMINISTRATION,
  145. self::ARCHIVE,
  146. self::CANCEL_DELETE,
  147. self::BYPASS_INACTIVE_NOTICE,
  148. self::BYPASS_CLOSED_NOTICE,
  149. self::CREATE_BATCH_REQUEST,
  150. self::CREATE_BATCH_REQUEST_SIMPLE,
  151. self::CREATE_CHRONOLOGY_REQUEST,
  152. self::CREATE_ADDITIONAL_REQUEST,
  153. self::SORTING_SESSION_LIST,
  154. self::CREATE_SORTING_SESSION,
  155. self::CREATE_SORTING_SESSION_SIMPLE,
  156. self::CREATE_MATTER_NOTE,
  157. self::LIST_MATTER_NOTES,
  158. self::VIEW_MATTER_COMMUNICATIONS,
  159. self::MEDICAL_RECORDS_DISCLOSE,
  160. self::DISCLOSE_DISC,
  161. self::BYPASS_AUTHENTICATION,
  162. self::CHANGE_ACCOUNT,
  163. self::MANAGE_REQUEST_LETTERS,
  164. self::VIEW_UNSORTED_RECORDS,
  165. self::CREATE_PROJECT_CLOSURE,
  166. self::DOWNLOAD_ALL_PROJECT_FILES,
  167. self::DOWNLOAD_PROJECT_CLOSURE_REPORT,
  168. self::VIEW_IMPORTANT_NOTES,
  169. self::VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS,
  170. self::CREATE_INTERPARTY_DISCLOSURE,
  171. self::LIST_INTERPARTY_DISCLOSURE,
  172. self::BYPASS_SERVICE_REQUEST_DISABLED,
  173. self::VIEW_THIRD_PARTY_ACCESS_REPORT,
  174. self::CLINICAL_SUMMARY_PROJECT_ADMINISTRATION,
  175. ]);
  176. }
  178. /**
  179. * Whether or not this is a supported Class
  180. *
  181. * @param string $class
  182. */
  183. public function supportsClass($class): bool
  184. {
  185. $supportedClass = Project::class;
  187. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  188. }
  190. /**
  191. * @param Project $entity
  192. *
  193. * @return int
  194. */
  195. #[Override]
  196. public function vote(TokenInterface $token, $entity, array $attributes)
  197. {
  198. /**
  199. * START: This is common code for all Voter::vote() methods
  200. */
  201. // check if class of this object is supported by this voter
  202. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  203. return VoterInterface::ACCESS_ABSTAIN;
  204. }
  206. // check if the voter is used correct, only allow one attribute
  207. // this isn't a requirement, it's just one easy way for you to
  208. // design your voter
  209. if (1 !== count($attributes)) {
  210. throw new InvalidArgumentException(
  211. 'Only one attribute is allowed for medbrief Voters.'
  212. );
  213. }
  215. // set the attribute to check against
  216. $attribute = $attributes[0];
  218. // check if the given attribute is covered by this voter
  219. if (!$this->supportsAttribute($attribute)) {
  220. return VoterInterface::ACCESS_ABSTAIN;
  221. }
  223. // get current logged in user
  224. /** @var User $user */
  225. $user = $token->getUser();
  227. // make sure there is a user object (i.e. that the user is logged in)
  228. if (!$user instanceof UserInterface) {
  229. return VoterInterface::ACCESS_DENIED;
  230. }
  232. // Only allow Super Admins and Admins to change accounts
  233. if ($attribute === self::CHANGE_ACCOUNT && !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  234. return VoterInterface::ACCESS_DENIED;
  235. }
  237. // Only allow Super Admins to delete a project
  238. if ($attribute === self::DELETE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  239. return VoterInterface::ACCESS_DENIED;
  240. }
  242. // Only super admins can update service requests when the project is in a closed or closing state
  243. if ($attribute === self::BYPASS_SERVICE_REQUEST_DISABLED) {
  244. if ($this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN') === true) {
  245. return VoterInterface::ACCESS_GRANTED;
  246. }
  247. return VoterInterface::ACCESS_DENIED;
  248. }
  250. /**
  251. * Clinical Summary Access Control with project entity passed in as the subject
  252. *
  253. * We need to put this before we grant admin users rights to everything otherwise the
  254. * isCloseInProgressOrComplete check has no effect
  255. */
  256. if ($attribute === self::CLINICAL_SUMMARY_PROJECT_ADMINISTRATION) {
  257. if ($this->canAccessClinicalSummaryWizard($entity)) {
  258. return VoterInterface::ACCESS_GRANTED;
  259. }
  260. return VoterInterface::ACCESS_DENIED;
  261. }
  263. // Admin users can do everything
  264. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  265. return VoterInterface::ACCESS_GRANTED;
  266. }
  267. /**
  268. * END: Common code for all Voter:vote() methods. Put custom logic below.
  269. */
  271. /**
  272. * API (Firm) Access Control
  273. */
  274. if ($user instanceof Firm) {
  275. // If the account that belongs to the project is allocated to the firm's client areas, allow everything.
  276. if ($entity->getAccount() instanceof Account && $user->getClientAreas()->contains($entity->getAccount()) === true) {
  277. return self::ACCESS_GRANTED;
  278. }
  279. return self::ACCESS_DENIED;
  280. }
  282. /**
  283. * Disclosure matter access control
  284. */
  285. // Grab all project levels roles related to this project.
  286. $allProjectRoles = RoleParserService::getAllRolesForProject($entity->getId());
  288. // Users that have been directly invited to the Disclosure will have permission granted
  289. $isDirectlyInvitedToDisclosureMatter = array_filter($allProjectRoles, fn ($role) => $this->authorizationChecker->isGranted($role)) !== [];
  291. // Check if the project is a disclosure, and exclude anyone who has been directly invited to the disclosure matter (i.e. those that were
  292. // added when creating the disclosure). Project level project managers of the original project will not have a project role on the disclosure target project.
  293. if ($entity->isTypeDisclosure() && $isDirectlyInvitedToDisclosureMatter === false) {
  294. $allowedAttributes = [
  295. self::READ,
  296. self::RADIOLOGY_DOWNLOAD,
  297. self::MEDICAL_RECORD_DOWNLOAD,
  298. self::BYPASS_INACTIVE_NOTICE,
  299. self::VIEW_THIRD_PARTY_ACCESS_REPORT,
  300. ];
  302. // Disclosure matters only allow certain actions for the those who can VIEW the source disclosure entity
  303. if (in_array($attribute, $allowedAttributes) && $entity->getDisclosureSources()->count() > 0) {
  304. // Grant access if the user has access to VIEW the original source disclosure (we take the latest one in the chain of sources)
  305. /** @var InterpartyDisclosure $disclosure */
  306. $disclosure = $entity->getDisclosureSources()->last();
  307. if ($this->authorizationChecker->isGranted(InterpartyDisclosureVoter::VIEW, $disclosure)) {
  308. return self::ACCESS_GRANTED;
  309. }
  310. }
  312. return self::ACCESS_DENIED;
  313. }
  315. //Checks if user can download radiology audit report
  316. if ($attribute === self::RADIOLOGY_DOWNLOAD_AUDIT_REPORT) {
  317. return $this->canRadiologyDownloadAuditReport($entity);
  318. }
  320. $this->userHelper->setUser($user);
  322. $denyAccess = [
  323. self::CREATE_SORTING_SESSION,
  324. self::LIST_MATTER_NOTES,
  325. self::CREATE_MATTER_NOTE,
  326. self::MEDICAL_RECORDS_DISCLOSE,
  327. self::DISCLOSE_DISC,
  328. self::VIEW_MATTER_COMMUNICATIONS,
  329. self::DELETION_REPORT_DOWNLOAD,
  330. self::INTERNAL_USER_ACCESS_REPORT_DOWNLOAD,
  331. self::MANAGE_REQUEST_LETTERS,
  332. self::DELETE,
  333. self::VIEW_IMPORTANT_NOTES,
  334. self::VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS,
  335. ];
  336. // Deny all other roles these permissions
  337. if (in_array($attribute, $denyAccess)) {
  338. return VoterInterface::ACCESS_DENIED;
  339. }
  341. // Permissions related to the creation and management of sorting sessions and batches.
  342. $attributeGroup = [
  343. self::CREATE_BATCH_REQUEST_SIMPLE,
  344. self::SORTING_SESSION_LIST,
  345. self::CREATE_SORTING_SESSION_SIMPLE,
  346. ];
  347. if (in_array($attribute, $attributeGroup)) {
  348. if ($this->hasClientSessionAccess($entity, $user)) {
  349. return VoterInterface::ACCESS_GRANTED;
  350. };
  351. return VoterInterface::ACCESS_DENIED;
  352. }
  354. // Deny all other roles from creating these ServiceRequests
  355. $serviceRequestCreateAttributes = [
  356. self::CREATE_BATCH_REQUEST,
  357. self::CREATE_CHRONOLOGY_REQUEST,
  358. self::CREATE_ADDITIONAL_REQUEST,
  359. ];
  360. if (in_array($attribute, $serviceRequestCreateAttributes)) {
  361. return VoterInterface::ACCESS_DENIED;
  362. }
  364. if ($attribute === self::VIEW_DASHBOARD && $user->getMatterDashboardEnabled()) {
  366. // then they have access to do anything
  367. return VoterInterface::ACCESS_GRANTED;
  368. }
  370. // if this user is a Super Administrator for the Account for which this Project belongs
  371. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $entity->getAccount()->getId() . '_SUPERADMINISTRATOR')) {
  373. // then they have access to do anything, except delete.
  374. return VoterInterface::ACCESS_GRANTED;
  375. }
  377. // Otherwise if this user is a Client Administrator for the Account then they can
  378. // do everything else except for User Administration and Deletion.
  379. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $entity->getAccount()->getId() . '_ADMINISTRATOR')) {
  381. // Commenting this out for now because Kennedy's actually need
  382. // regular Client Administrators to still have this access for now. - RR
  383. //if ($attribute != self::USER_ADMINISTRATION) {
  384. // then they have access
  385. return VoterInterface::ACCESS_GRANTED;
  386. //}
  387. }
  389. // if this user is a Sorter for the Account for which this Project belongs
  390. // if we are looking for access other than delete, full administration and user management abilities
  391. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $entity->getAccount()->getId() . '_SORTER') && ($attribute != self::DELETE
  392. && $attribute != self::ADMINISTRATION
  393. && $attribute != self::PROJECT_USER_LIST
  394. && $attribute != self::USER_ADMINISTRATION
  395. && $attribute != self::CREATE_PROJECT_CLOSURE
  396. && $attribute != self::CANCEL_DELETE
  397. && $attribute != self::ARCHIVE
  398. && $attribute != self::DOWNLOAD_ALL_PROJECT_FILES
  399. && $attribute != self::DOWNLOAD_PROJECT_CLOSURE_REPORT
  400. && $attribute != self::CREATE_INTERPARTY_DISCLOSURE
  401. && $attribute != self::LIST_INTERPARTY_DISCLOSURE)) {
  403. // then account level sorters have this access
  404. return VoterInterface::ACCESS_GRANTED;
  405. }
  407. // if we are looking for any access other than delete and full administration.
  408. // Note: Project managers ARE allowed closure-related permissions (CREATE_PROJECT_CLOSURE,
  409. // CANCEL_DELETE, ARCHIVE, DOWNLOAD_ALL_PROJECT_FILES, DOWNLOAD_PROJECT_CLOSURE_REPORT)
  410. // to match client admin + super admin access. See MSR-5782.
  411. if ($attribute != self::DELETE
  412. && $attribute != self::ADMINISTRATION
  413. ) {
  415. // then project managers may do this
  416. if ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER')) {
  417. return VoterInterface::ACCESS_GRANTED;
  418. }
  420. // Grant project manager access to a Project's manager, which will likely be a
  421. // ACCOUNT_PROJECT_MANAGER
  422. if ($entity->getManager() && $entity->getManager()->getId() === $user->getId()) {
  423. return VoterInterface::ACCESS_GRANTED;
  424. }
  425. }
  427. // if we are looking for the medical records administration or radiology administration attribute
  428. if ($attribute == self::MEDICAL_RECORDS_ADMINISTRATION || $attribute == self::RADIOLOGY_ADMINISTRATION || $attribute === self::VIEW_UNSORTED_RECORDS) {
  430. // any of the following roles will grant access
  431. $allowedRoles = [
  432. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  433. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  434. 'ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER',
  435. ];
  437. // so if the user has any one of these
  438. foreach ($allowedRoles as $role) {
  439. if ($this->authorizationChecker->isGranted($role)) {
  441. // then they have access
  442. return VoterInterface::ACCESS_GRANTED;
  443. }
  444. }
  445. }
  447. // If the project allows experts to see the unsorted records, and the user has an export role on the project.
  448. if ($attribute === self::VIEW_UNSORTED_RECORDS && ($entity->getAllowExpertViewUnsortedRecords() === true
  449. && ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_EXPERT') || $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_EXPERTVIEWER')))) {
  450. return VoterInterface::ACCESS_GRANTED;
  451. }
  453. // Certain roles will allow you to bypass the inactive notice on an inactive Project's related controller.
  454. if ($attribute == self::BYPASS_INACTIVE_NOTICE) {
  456. // any of the following roles will grant access
  457. $allowedRoles = [
  458. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  459. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  460. 'ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER',
  461. ];
  463. // so if the user has any one of these
  464. foreach ($allowedRoles as $role) {
  465. if ($this->authorizationChecker->isGranted($role)) {
  467. // then they have access
  468. return VoterInterface::ACCESS_GRANTED;
  469. }
  470. }
  471. }
  473. // Certain roles will allow you to bypass the closed notice on a closed Project's related controller.
  474. if ($attribute == self::BYPASS_CLOSED_NOTICE) {
  476. // any of the following roles will grant access
  477. $allowedRoles = [
  478. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  479. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  480. 'ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER',
  481. ];
  483. // so if the user has any one of these
  484. foreach ($allowedRoles as $role) {
  485. if ($this->authorizationChecker->isGranted($role)) {
  487. // then they have access
  488. return VoterInterface::ACCESS_GRANTED;
  489. }
  490. }
  491. }
  493. if ($attribute == self::RADIOLOGY_DOWNLOAD || $attribute == self::MEDICAL_RECORD_DOWNLOAD) {
  495. // Experts may do this, but EXPERTVIEWER's may not
  496. if ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_EXPERT')) {
  497. return VoterInterface::ACCESS_GRANTED;
  498. }
  500. // Scanner - Download Enabled may do this, but Scanner's may not
  501. if ($attribute == self::MEDICAL_RECORD_DOWNLOAD && $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD')) {
  502. return VoterInterface::ACCESS_GRANTED;
  503. }
  505. // Certain roles may have access to Radiology
  506. if ($attribute == self::RADIOLOGY_DOWNLOAD) {
  508. // Array of permitted/allowed roles
  509. $allowedRoles = [
  510. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  511. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  512. ];
  514. // Iterate through them and...
  515. foreach ($allowedRoles as $role) {
  517. // ... if they have the role...
  518. if ($this->authorizationChecker->isGranted($role)) {
  520. // SHAZAM!
  521. return VoterInterface::ACCESS_GRANTED;
  522. }
  523. }
  524. }
  525. }
  527. // if the user is wanting to read information about this Project
  528. if ($attribute == self::READ) {
  530. // if the user is an expert agency administrator let them pass.
  531. // this should probably be done in a better way, tying permissions
  532. // to an entity in one place somehow....
  533. if ($user->isExpertAgencyAdministrator()) {
  534. return VoterInterface::ACCESS_GRANTED;
  535. }
  537. // if the user has any role related to this project
  538. if ($this->userHelper->hasProjectRole($entity)) {
  540. // then they have access
  541. return VoterInterface::ACCESS_GRANTED;
  542. }
  543. }
  545. // if we are looking for updating a project
  546. // if the user is a project manager
  547. if ($attribute == self::UPDATE && $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER')) {
  549. // then they have access
  550. return VoterInterface::ACCESS_GRANTED;
  551. }
  553. // if we are checking to see if we can bypass authentication
  554. if ($attribute == self::BYPASS_AUTHENTICATION && $this->authorizationChecker->isGranted('USER_ADMINISTRATION', $entity)) {
  555. return VoterInterface::ACCESS_GRANTED;
  556. }
  558. // If we get to the end of this function, then no decisions have been
  559. // made so we deny access
  560. return VoterInterface::ACCESS_DENIED;
  561. }
  563. /**
  564. * Checks whether user has administrative rights for a clinical summary
  565. *
  566. *
  567. *
  568. * @param Project $entity
  569. *
  570. * @return int
  571. */
  572. private function canAccessClinicalSummaryWizard(Project $entity)
  573. {
  574. // Deny access if the project is in the process of being closed or is closed
  575. if ($entity->isCloseInProgressOrComplete()) {
  576. return false;
  577. }
  578. // Allow access if the user has the ROLE_ADMIN or ROLE_SUPER_ADMIN role
  579. return $this->authorizationChecker->isGranted('ROLE_ADMIN');
  580. }
  582. /**
  583. * Checks whether user can download radiology audit report
  584. *
  585. * @todo: Not type hinting this method now as this may change later
  586. *
  587. * @param Project $entity
  588. */
  589. private function canRadiologyDownloadAuditReport(Project $entity): int
  590. {
  591. $deniedRoles = [
  592. 'ROLE_PROJECT_' . $entity->getId() . '_EXPERT',
  593. 'ROLE_PROJECT_' . $entity->getId() . '_EXPERTVIEWER',
  594. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  595. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  596. ];
  598. foreach ($deniedRoles as $role) {
  599. if ($this->authorizationChecker->isGranted($role)) {
  600. return VoterInterface::ACCESS_DENIED;
  601. }
  602. }
  604. return VoterInterface::ACCESS_GRANTED;
  605. }
  606. }