src/Security/Voter/ProjectVoter.php line 20

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Account;
  7. use MedBrief\MSR\Entity\Firm;
  8. use MedBrief\MSR\Entity\InterpartyDisclosure;
  9. use MedBrief\MSR\Entity\Project;
  10. use MedBrief\MSR\Entity\User;
  11. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  12. use MedBrief\MSR\Service\Role\RoleParserService;
  13. use MedBrief\MSR\Traits\Security\Authorization\Voter\ClientSortingSessionTrait;
  14. use Override;
  15. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  16. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  17. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  18. use Symfony\Component\Security\Core\User\UserInterface;
  20. class ProjectVoter implements VoterInterface
  21. {
  22. use ClientSortingSessionTrait;
  24. // CONSTANTS
  26. public const CREATE = 'CREATE';
  27. public const READ = 'READ';
  28. public const UPDATE = 'UPDATE';
  29. public const DELETE = 'DELETE';
  30. public const ADMINISTRATION = 'ADMINISTRATION';
  32. public const MEDICAL_RECORDS_ADMINISTRATION = 'MEDICAL_RECORDS_ADMINISTRATION';
  33. public const RADIOLOGY_ADMINISTRATION = 'RADIOLOGY_ADMINISTRATION';
  35. public const USER_ADMINISTRATION = 'USER_ADMINISTRATION';
  36. public const CLINICAL_SUMMARY_PROJECT_ADMINISTRATION = 'CLINICAL_SUMMARY_PROJECT_ADMINISTRATION';
  38. public const PROJECT_USER_LIST = 'PROJECT_USER_LIST';
  40. public const VIEW_DASHBOARD = 'VIEW_DASHBOARD';
  41. public const TOGGLE_STATUS = 'TOGGLE_STATUS';
  42. public const ARCHIVE = 'ARCHIVE';
  43. public const CANCEL_DELETE = 'CANCEL_DELETE';
  45. public const RADIOLOGY_DOWNLOAD = 'RADIOLOGY_DOWNLOAD';
  46. public const RADIOLOGY_DOWNLOAD_AUDIT_REPORT = 'RADIOLOGY_DOWNLOAD_AUDIT_REPORT';
  47. public const MEDICAL_RECORD_DOWNLOAD = 'MEDICAL_RECORD_DOWNLOAD';
  48. public const DELETION_REPORT_DOWNLOAD = 'DELETION_REPORT_DOWNLOAD';
  49. public const INTERNAL_USER_ACCESS_REPORT_DOWNLOAD = 'INTERNAL_USER_ACCESS_REPORT_DOWNLOAD';
  51. public const CHRONOLOGY_ADMINISTRATION = 'CHRONOLOGY_ADMINISTRATION';
  53. // This permission determines if a user sees an inactive notice message
  54. // when an inactive Project is accessed.
  55. public const BYPASS_INACTIVE_NOTICE = 'BYPASS_INACTIVE_NOTICE';
  57. // This permission determines if a user can view a closed project
  58. public const BYPASS_CLOSED_NOTICE = 'BYPASS_CLOSED_NOTICE';
  60. // Keep these permissions on a Project, as creating any of these
  61. // directly affects a Project.
  62. public const CREATE_BATCH_REQUEST = 'CREATE_BATCH_REQUEST';
  63. public const CREATE_BATCH_REQUEST_SIMPLE = 'CREATE_BATCH_REQUEST_SIMPLE';
  64. public const CREATE_CHRONOLOGY_REQUEST = 'CREATE_CHRONOLOGY_REQUEST';
  65. public const CREATE_ADDITIONAL_REQUEST = 'CREATE_ADDITIONAL_REQUEST';
  67. // Sorting Session
  68. public const SORTING_SESSION_LIST = 'SORTING_SESSION_LIST';
  69. public const CREATE_SORTING_SESSION = 'CREATE_SORTING_SESSION';
  70. public const CREATE_SORTING_SESSION_SIMPLE = 'CREATE_SORTING_SESSION_SIMPLE';
  72. // Creating a matter note
  73. public const CREATE_MATTER_NOTE = 'CREATE_MATTER_NOTE';
  74. // Allow list of matter notes
  75. public const LIST_MATTER_NOTES = 'LIST_MATTER_NOTES';
  77. // Allow view of matter communications
  78. public const VIEW_MATTER_COMMUNICATIONS = 'VIEW_MATTER_COMMUNICATIONS';
  80. // Disclosure permissions
  81. public const MEDICAL_RECORDS_DISCLOSE = 'MEDICAL_RECORDS_DISCLOSE';
  82. public const DISCLOSE_DISC = 'DISCLOSE_DISC';
  84. public const BYPASS_AUTHENTICATION = 'BYPASS_AUTHENTICATION';
  86. // Allows changing the account value of a Matter
  87. public const CHANGE_ACCOUNT = 'CHANGE_ACCOUNT';
  89. // Allows user to create a record request letter
  90. public const MANAGE_REQUEST_LETTERS = 'MANAGE_REQUEST_LETTERS';
  92. // Allows a user to see the 'Unsorted' records for a Project
  93. public const VIEW_UNSORTED_RECORDS = 'VIEW_UNSORTED_RECORDS';
  95. // Project Closure Permissions
  96. public const CREATE_PROJECT_CLOSURE = 'CREATE_PROJECT_CLOSURE';
  97. public const DOWNLOAD_ALL_PROJECT_FILES = 'DOWNLOAD_ALL_PROJECT_FILES';
  98. public const DOWNLOAD_PROJECT_CLOSURE_REPORT = 'DOWNLOAD_PROJECT_CLOSURE_REPORT';
  100. // Allows the user to see a modal showing important notes on the matter, if any.
  101. public const VIEW_IMPORTANT_NOTES = 'VIEW_IMPORTANT_NOTES';
  103. // Allows the user to see the service request requirement banners on the matter dashboard.
  104. public const VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS = 'VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS';
  106. // Inter-party Disclosure
  107. public const CREATE_INTERPARTY_DISCLOSURE = 'CREATE_INTERPARTY_DISCLOSURE';
  108. public const LIST_INTERPARTY_DISCLOSURE = 'LIST_INTERPARTY_DISCLOSURE';
  110. // Allows by passing the disabled state of service requests when a matter/project is closed or in the process of being closed.
  111. public const BYPASS_SERVICE_REQUEST_DISABLED = 'BYPASS_SERVICE_REQUEST_DISABLED';
  113. // Allows the user to download the 'user download medical records viewed report'
  114. public const VIEW_THIRD_PARTY_ACCESS_REPORT = 'VIEW_THIRD_PARTY_ACCESS_REPORT';
  116. public function __construct(private AuthorizationCheckerInterface $authorizationChecker, private UserHelper $userHelper)
  117. {
  118. }
  120. /**
  121. * Whether or not this User is allowed to perform specific actions on this Entity
  122. */
  123. public function supportsAttribute(mixed $attribute): bool
  124. {
  125. return in_array($attribute, [
  126. self::CREATE,
  127. self::READ,
  128. self::UPDATE,
  129. self::DELETE,
  130. self::ADMINISTRATION,
  131. self::MEDICAL_RECORDS_ADMINISTRATION,
  132. self::RADIOLOGY_ADMINISTRATION,
  133. self::USER_ADMINISTRATION,
  134. self::VIEW_DASHBOARD,
  135. self::TOGGLE_STATUS,
  136. self::PROJECT_USER_LIST,
  137. self::RADIOLOGY_DOWNLOAD,
  138. self::RADIOLOGY_DOWNLOAD_AUDIT_REPORT,
  139. self::MEDICAL_RECORD_DOWNLOAD,
  140. self::DELETION_REPORT_DOWNLOAD,
  141. self::INTERNAL_USER_ACCESS_REPORT_DOWNLOAD,
  142. self::CHRONOLOGY_ADMINISTRATION,
  143. self::ARCHIVE,
  144. self::CANCEL_DELETE,
  145. self::BYPASS_INACTIVE_NOTICE,
  146. self::BYPASS_CLOSED_NOTICE,
  147. self::CREATE_BATCH_REQUEST,
  148. self::CREATE_BATCH_REQUEST_SIMPLE,
  149. self::CREATE_CHRONOLOGY_REQUEST,
  150. self::CREATE_ADDITIONAL_REQUEST,
  151. self::SORTING_SESSION_LIST,
  152. self::CREATE_SORTING_SESSION,
  153. self::CREATE_SORTING_SESSION_SIMPLE,
  154. self::CREATE_MATTER_NOTE,
  155. self::LIST_MATTER_NOTES,
  156. self::VIEW_MATTER_COMMUNICATIONS,
  157. self::MEDICAL_RECORDS_DISCLOSE,
  158. self::DISCLOSE_DISC,
  159. self::BYPASS_AUTHENTICATION,
  160. self::CHANGE_ACCOUNT,
  161. self::MANAGE_REQUEST_LETTERS,
  162. self::VIEW_UNSORTED_RECORDS,
  163. self::CREATE_PROJECT_CLOSURE,
  164. self::DOWNLOAD_ALL_PROJECT_FILES,
  165. self::DOWNLOAD_PROJECT_CLOSURE_REPORT,
  166. self::VIEW_IMPORTANT_NOTES,
  167. self::VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS,
  168. self::CREATE_INTERPARTY_DISCLOSURE,
  169. self::LIST_INTERPARTY_DISCLOSURE,
  170. self::BYPASS_SERVICE_REQUEST_DISABLED,
  171. self::VIEW_THIRD_PARTY_ACCESS_REPORT,
  172. self::CLINICAL_SUMMARY_PROJECT_ADMINISTRATION,
  173. ]);
  174. }
  176. /**
  177. * Whether or not this is a supported Class
  178. *
  179. * @param string $class
  180. */
  181. public function supportsClass($class): bool
  182. {
  183. $supportedClass = Project::class;
  185. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  186. }
  188. /**
  189. * @param Project $entity
  190. *
  191. * @return int
  192. */
  193. #[Override]
  194. public function vote(TokenInterface $token, $entity, array $attributes)
  195. {
  196. /**
  197. * START: This is common code for all Voter::vote() methods
  198. */
  199. // check if class of this object is supported by this voter
  200. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  201. return VoterInterface::ACCESS_ABSTAIN;
  202. }
  204. // check if the voter is used correct, only allow one attribute
  205. // this isn't a requirement, it's just one easy way for you to
  206. // design your voter
  207. if (1 !== count($attributes)) {
  208. throw new InvalidArgumentException(
  209. 'Only one attribute is allowed for medbrief Voters.'
  210. );
  211. }
  213. // set the attribute to check against
  214. $attribute = $attributes[0];
  216. // check if the given attribute is covered by this voter
  217. if (!$this->supportsAttribute($attribute)) {
  218. return VoterInterface::ACCESS_ABSTAIN;
  219. }
  221. // get current logged in user
  222. /** @var User $user */
  223. $user = $token->getUser();
  225. // make sure there is a user object (i.e. that the user is logged in)
  226. if (!$user instanceof UserInterface) {
  227. return VoterInterface::ACCESS_DENIED;
  228. }
  230. // Only allow Super Admins and Admins to change accounts
  231. if ($attribute === self::CHANGE_ACCOUNT && !$this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  232. return VoterInterface::ACCESS_DENIED;
  233. }
  235. // Only allow Super Admins to delete a project
  236. if ($attribute === self::DELETE && !$this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN')) {
  237. return VoterInterface::ACCESS_DENIED;
  238. }
  240. // Only super admins can update service requests when the project is in a closed or closing state
  241. if ($attribute === self::BYPASS_SERVICE_REQUEST_DISABLED) {
  242. if ($this->authorizationChecker->isGranted('ROLE_SUPER_ADMIN') === true) {
  243. return VoterInterface::ACCESS_GRANTED;
  244. }
  245. return VoterInterface::ACCESS_DENIED;
  246. }
  248. /**
  249. * Clinical Summary Access Control with project entity passed in as the subject
  250. *
  251. * We need to put this before we grant admin users rights to everything otherwise the
  252. * isCloseInProgressOrComplete check has no effect
  253. */
  254. if ($attribute === self::CLINICAL_SUMMARY_PROJECT_ADMINISTRATION) {
  255. if ($this->canAccessClinicalSummaryWizard($entity)) {
  256. return VoterInterface::ACCESS_GRANTED;
  257. }
  258. return VoterInterface::ACCESS_DENIED;
  259. }
  261. // Admin users can do everything
  262. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  263. return VoterInterface::ACCESS_GRANTED;
  264. }
  265. /**
  266. * END: Common code for all Voter:vote() methods. Put custom logic below.
  267. */
  269. /**
  270. * API (Firm) Access Control
  271. */
  272. if ($user instanceof Firm) {
  273. // If the account that belongs to the project is allocated to the firm's client areas, allow everything.
  274. if ($entity->getAccount() instanceof Account && $user->getClientAreas()->contains($entity->getAccount()) === true) {
  275. return self::ACCESS_GRANTED;
  276. }
  277. return self::ACCESS_DENIED;
  278. }
  280. /**
  281. * Disclosure matter access control
  282. */
  283. // Grab all project levels roles related to this project.
  284. $allProjectRoles = RoleParserService::getAllRolesForProject($entity->getId());
  286. // Users that have been directly invited to the Disclosure will have permission granted
  287. $isDirectlyInvitedToDisclosureMatter = array_filter($allProjectRoles, fn ($role) => $this->authorizationChecker->isGranted($role)) !== [];
  289. // Check if the project is a disclosure, and exclude anyone who has been directly invited to the disclosure matter (i.e. those that were
  290. // added when creating the disclosure). Project level project managers of the original project will not have a project role on the disclosure target project.
  291. if ($entity->isTypeDisclosure() && $isDirectlyInvitedToDisclosureMatter === false) {
  292. $allowedAttributes = [
  293. self::READ,
  294. self::RADIOLOGY_DOWNLOAD,
  295. self::MEDICAL_RECORD_DOWNLOAD,
  296. self::BYPASS_INACTIVE_NOTICE,
  297. self::VIEW_THIRD_PARTY_ACCESS_REPORT,
  298. ];
  300. // Disclosure matters only allow certain actions for the those who can VIEW the source disclosure entity
  301. if (in_array($attribute, $allowedAttributes) && $entity->getDisclosureSources()->count() > 0) {
  302. // Grant access if the user has access to VIEW the original source disclosure (we take the latest one in the chain of sources)
  303. /** @var InterpartyDisclosure $disclosure */
  304. $disclosure = $entity->getDisclosureSources()->last();
  305. if ($this->authorizationChecker->isGranted(InterpartyDisclosureVoter::VIEW, $disclosure)) {
  306. return self::ACCESS_GRANTED;
  307. }
  308. }
  310. return self::ACCESS_DENIED;
  311. }
  313. //Checks if user can download radiology audit report
  314. if ($attribute === self::RADIOLOGY_DOWNLOAD_AUDIT_REPORT) {
  315. return $this->canRadiologyDownloadAuditReport($entity);
  316. }
  318. $this->userHelper->setUser($user);
  320. $denyAccess = [
  321. self::CREATE_SORTING_SESSION,
  322. self::LIST_MATTER_NOTES,
  323. self::CREATE_MATTER_NOTE,
  324. self::MEDICAL_RECORDS_DISCLOSE,
  325. self::DISCLOSE_DISC,
  326. self::VIEW_MATTER_COMMUNICATIONS,
  327. self::DELETION_REPORT_DOWNLOAD,
  328. self::INTERNAL_USER_ACCESS_REPORT_DOWNLOAD,
  329. self::MANAGE_REQUEST_LETTERS,
  330. self::DELETE,
  331. self::VIEW_IMPORTANT_NOTES,
  332. self::VIEW_SERVICE_REQUEST_REQUIREMENT_BANNERS,
  333. ];
  334. // Deny all other roles these permissions
  335. if (in_array($attribute, $denyAccess)) {
  336. return VoterInterface::ACCESS_DENIED;
  337. }
  339. // Permissions related to the creation and management of sorting sessions and batches.
  340. $attributeGroup = [
  341. self::CREATE_BATCH_REQUEST_SIMPLE,
  342. self::SORTING_SESSION_LIST,
  343. self::CREATE_SORTING_SESSION_SIMPLE,
  344. ];
  345. if (in_array($attribute, $attributeGroup)) {
  346. if ($this->hasClientSessionAccess($entity, $user)) {
  347. return VoterInterface::ACCESS_GRANTED;
  348. };
  349. return VoterInterface::ACCESS_DENIED;
  350. }
  352. // Deny all other roles from creating these ServiceRequests
  353. $serviceRequestCreateAttributes = [
  354. self::CREATE_BATCH_REQUEST,
  355. self::CREATE_CHRONOLOGY_REQUEST,
  356. self::CREATE_ADDITIONAL_REQUEST,
  357. ];
  358. if (in_array($attribute, $serviceRequestCreateAttributes)) {
  359. return VoterInterface::ACCESS_DENIED;
  360. }
  362. if ($attribute === self::VIEW_DASHBOARD && $user->getMatterDashboardEnabled()) {
  364. // then they have access to do anything
  365. return VoterInterface::ACCESS_GRANTED;
  366. }
  368. // if this user is a Super Administrator for the Account for which this Project belongs
  369. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $entity->getAccount()->getId() . '_SUPERADMINISTRATOR')) {
  371. // then they have access to do anything, except delete.
  372. return VoterInterface::ACCESS_GRANTED;
  373. }
  375. // Otherwise if this user is a Client Administrator for the Account then they can
  376. // do everything else except for User Administration and Deletion.
  377. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $entity->getAccount()->getId() . '_ADMINISTRATOR')) {
  379. // Commenting this out for now because Kennedy's actually need
  380. // regular Client Administrators to still have this access for now. - RR
  381. //if ($attribute != self::USER_ADMINISTRATION) {
  382. // then they have access
  383. return VoterInterface::ACCESS_GRANTED;
  384. //}
  385. }
  387. // if this user is a Sorter for the Account for which this Project belongs
  388. // if we are looking for access other than delete, full administration and user management abilities
  389. if ($this->authorizationChecker->isGranted('ROLE_ACCOUNT_' . $entity->getAccount()->getId() . '_SORTER') && ($attribute != self::DELETE
  390. && $attribute != self::ADMINISTRATION
  391. && $attribute != self::PROJECT_USER_LIST
  392. && $attribute != self::USER_ADMINISTRATION
  393. && $attribute != self::CREATE_PROJECT_CLOSURE
  394. && $attribute != self::CANCEL_DELETE
  395. && $attribute != self::ARCHIVE
  396. && $attribute != self::DOWNLOAD_ALL_PROJECT_FILES
  397. && $attribute != self::DOWNLOAD_PROJECT_CLOSURE_REPORT
  398. && $attribute != self::CREATE_INTERPARTY_DISCLOSURE
  399. && $attribute != self::LIST_INTERPARTY_DISCLOSURE)) {
  401. // then account level sorters have this access
  402. return VoterInterface::ACCESS_GRANTED;
  403. }
  405. // if we are looking for any access other than delete and full administration and the Closure of matters.
  406. if ($attribute != self::DELETE
  407. && $attribute != self::ADMINISTRATION
  408. && $attribute != self::CREATE_PROJECT_CLOSURE
  409. && $attribute != self::CANCEL_DELETE
  410. && $attribute != self::ARCHIVE
  411. && $attribute != self::DOWNLOAD_ALL_PROJECT_FILES
  412. && $attribute != self::DOWNLOAD_PROJECT_CLOSURE_REPORT
  413. ) {
  415. // then project managers may do this
  416. if ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER')) {
  417. return VoterInterface::ACCESS_GRANTED;
  418. }
  420. // Grant project manager access to a Project's manager, which will likely be a
  421. // ACCOUNT_PROJECT_MANAGER
  422. if ($entity->getManager() && $entity->getManager()->getId() === $user->getId()) {
  423. return VoterInterface::ACCESS_GRANTED;
  424. }
  425. }
  427. // if we are looking for the medical records administration or radiology administration attribute
  428. if ($attribute == self::MEDICAL_RECORDS_ADMINISTRATION || $attribute == self::RADIOLOGY_ADMINISTRATION || $attribute === self::VIEW_UNSORTED_RECORDS) {
  430. // any of the following roles will grant access
  431. $allowedRoles = [
  432. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  433. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  434. 'ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER',
  435. ];
  437. // so if the user has any one of these
  438. foreach ($allowedRoles as $role) {
  439. if ($this->authorizationChecker->isGranted($role)) {
  441. // then they have access
  442. return VoterInterface::ACCESS_GRANTED;
  443. }
  444. }
  445. }
  447. // If the project allows experts to see the unsorted records, and the user has an export role on the project.
  448. if ($attribute === self::VIEW_UNSORTED_RECORDS && ($entity->getAllowExpertViewUnsortedRecords() === true
  449. && ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_EXPERT') || $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_EXPERTVIEWER')))) {
  450. return VoterInterface::ACCESS_GRANTED;
  451. }
  453. // Certain roles will allow you to bypass the inactive notice on an inactive Project's related controller.
  454. if ($attribute == self::BYPASS_INACTIVE_NOTICE) {
  456. // any of the following roles will grant access
  457. $allowedRoles = [
  458. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  459. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  460. 'ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER',
  461. ];
  463. // so if the user has any one of these
  464. foreach ($allowedRoles as $role) {
  465. if ($this->authorizationChecker->isGranted($role)) {
  467. // then they have access
  468. return VoterInterface::ACCESS_GRANTED;
  469. }
  470. }
  471. }
  473. // Certain roles will allow you to bypass the closed notice on a closed Project's related controller.
  474. if ($attribute == self::BYPASS_CLOSED_NOTICE) {
  476. // any of the following roles will grant access
  477. $allowedRoles = [
  478. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  479. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  480. 'ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER',
  481. ];
  483. // so if the user has any one of these
  484. foreach ($allowedRoles as $role) {
  485. if ($this->authorizationChecker->isGranted($role)) {
  487. // then they have access
  488. return VoterInterface::ACCESS_GRANTED;
  489. }
  490. }
  491. }
  493. if ($attribute == self::RADIOLOGY_DOWNLOAD || $attribute == self::MEDICAL_RECORD_DOWNLOAD) {
  495. // Experts may do this, but EXPERTVIEWER's may not
  496. if ($this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_EXPERT')) {
  497. return VoterInterface::ACCESS_GRANTED;
  498. }
  500. // Scanner - Download Enabled may do this, but Scanner's may not
  501. if ($attribute == self::MEDICAL_RECORD_DOWNLOAD && $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD')) {
  502. return VoterInterface::ACCESS_GRANTED;
  503. }
  505. // Certain roles may have access to Radiology
  506. if ($attribute == self::RADIOLOGY_DOWNLOAD) {
  508. // Array of permitted/allowed roles
  509. $allowedRoles = [
  510. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  511. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  512. ];
  514. // Iterate through them and...
  515. foreach ($allowedRoles as $role) {
  517. // ... if they have the role...
  518. if ($this->authorizationChecker->isGranted($role)) {
  520. // SHAZAM!
  521. return VoterInterface::ACCESS_GRANTED;
  522. }
  523. }
  524. }
  525. }
  527. // if the user is wanting to read information about this Project
  528. if ($attribute == self::READ) {
  530. // if the user is an expert agency administrator let them pass.
  531. // this should probably be done in a better way, tying permissions
  532. // to an entity in one place somehow....
  533. if ($user->isExpertAgencyAdministrator()) {
  534. return VoterInterface::ACCESS_GRANTED;
  535. }
  537. // if the user has any role related to this project
  538. if ($this->userHelper->hasProjectRole($entity)) {
  540. // then they have access
  541. return VoterInterface::ACCESS_GRANTED;
  542. }
  543. }
  545. // if we are looking for updating a project
  546. // if the user is a project manager
  547. if ($attribute == self::UPDATE && $this->authorizationChecker->isGranted('ROLE_PROJECT_' . $entity->getId() . '_PROJECTMANAGER')) {
  549. // then they have access
  550. return VoterInterface::ACCESS_GRANTED;
  551. }
  553. // if we are checking to see if we can bypass authentication
  554. if ($attribute == self::BYPASS_AUTHENTICATION && $this->authorizationChecker->isGranted('USER_ADMINISTRATION', $entity)) {
  555. return VoterInterface::ACCESS_GRANTED;
  556. }
  558. // If we get to the end of this function, then no decisions have been
  559. // made so we deny access
  560. return VoterInterface::ACCESS_DENIED;
  561. }
  563. /**
  564. * Checks whether user has administrative rights for a clinical summary
  565. *
  566. *
  567. *
  568. * @param Project $entity
  569. *
  570. * @return int
  571. */
  572. private function canAccessClinicalSummaryWizard(Project $entity)
  573. {
  574. // Deny access if the project is in the process of being closed or is closed
  575. if ($entity->isCloseInProgressOrComplete()) {
  576. return false;
  577. }
  578. // Allow access if the user has the ROLE_ADMIN or ROLE_SUPER_ADMIN role
  579. return $this->authorizationChecker->isGranted('ROLE_ADMIN');
  580. }
  582. /**
  583. * Checks whether user can download radiology audit report
  584. *
  585. * @todo: Not type hinting this method now as this may change later
  586. *
  587. * @param Project $entity
  588. */
  589. private function canRadiologyDownloadAuditReport(Project $entity): int
  590. {
  591. $deniedRoles = [
  592. 'ROLE_PROJECT_' . $entity->getId() . '_EXPERT',
  593. 'ROLE_PROJECT_' . $entity->getId() . '_EXPERTVIEWER',
  594. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNER',
  595. 'ROLE_PROJECT_' . $entity->getId() . '_SCANNERDOWNLOAD',
  596. ];
  598. foreach ($deniedRoles as $role) {
  599. if ($this->authorizationChecker->isGranted($role)) {
  600. return VoterInterface::ACCESS_DENIED;
  601. }
  602. }
  604. return VoterInterface::ACCESS_GRANTED;
  605. }
  606. }