src/Security/Voter/SortingSessionDetailVoter.php line 17

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\Project;
  7. use MedBrief\MSR\Entity\SortingSession;
  8. use MedBrief\MSR\Entity\SortingSessionDetail;
  9. use MedBrief\MSR\Entity\User;
  10. use MedBrief\MSR\Traits\Security\Authorization\Voter\ClientSortingSessionTrait;
  11. use Override;
  12. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  13. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  14. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  15. use Symfony\Component\Security\Core\User\UserInterface;
  17. class SortingSessionDetailVoter implements VoterInterface
  18. {
  19. use ClientSortingSessionTrait;
  21. public const CREATE = 'CREATE';
  22. public const READ = 'READ';
  23. public const UPDATE = 'UPDATE';
  24. public const DELETE = 'DELETE';
  25. public const ADMINISTRATION = 'ADMINISTRATION';
  27. public function __construct(private AuthorizationCheckerInterface $authorizationChecker)
  28. {
  29. }
  31. public function supportsAttribute($attribute): bool
  32. {
  33. return in_array($attribute, [
  34. self::CREATE,
  35. self::READ,
  36. self::UPDATE,
  37. self::DELETE,
  38. self::ADMINISTRATION,
  39. ]);
  40. }
  42. public function supportsClass($class): bool
  43. {
  44. $supportedClass = SortingSessionDetail::class;
  46. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  47. }
  49. /**
  50. *
  51. * @param mixed $entity
  52. */
  53. #[Override]
  54. public function vote(TokenInterface $token, $entity, array $attributes)
  55. {
  56. /**
  57. * START: This is common code for all Voter::vote() methods
  58. */
  59. // check if class of this object is supported by this voter
  60. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  61. return VoterInterface::ACCESS_ABSTAIN;
  62. }
  64. // check if the voter is used correct, only allow one attribute
  65. // this isn't a requirement, it's just one easy way for you to
  66. // design your voter
  67. if (1 !== count($attributes)) {
  68. throw new InvalidArgumentException(
  69. 'Only one attribute is allowed for Medbrief Voters.'
  70. );
  71. }
  73. // set the attribute to check against
  74. $attribute = $attributes[0];
  76. // check if the given attribute is covered by this voter
  77. if (!$this->supportsAttribute($attribute)) {
  78. return VoterInterface::ACCESS_ABSTAIN;
  79. }
  81. /** @var SortingSessionDetail $sortingSessionDetail */
  82. $sortingSessionDetail = $entity;
  84. // Get the sortingSession the by using the SortingSessionDetail being passed into this voter in the $entity variable.
  85. /** @var SortingSession $sortingSession */
  86. $sortingSession = $sortingSessionDetail->getSortingSession();
  88. // Grab Project this SortingSession belongs to, so we can do permission checks at the Project level.
  89. /** @var Project $project */
  90. $project = $sortingSession->getProject();
  92. // get current logged in user.
  93. /** @var User $user */
  94. $user = $token->getUser();
  96. // make sure there is a user object (i.e. that the user is logged in)
  97. if (!$user instanceof UserInterface) {
  98. return VoterInterface::ACCESS_DENIED;
  99. }
  101. // Admin users can do everything
  102. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  103. return VoterInterface::ACCESS_GRANTED;
  104. }
  105. /**
  106. * END: Common code for all Voter:vote() methods. Put custom logic below.
  107. */
  109. // Check to see if the sorting session and project match
  110. if ($project->getId() !== $sortingSession->getProject()->getId()) {
  111. throw new InvalidArgumentException(
  112. 'The sorting session does not match with this project.'
  113. );
  114. }
  116. // if user is client, grant permission to DELETE
  117. if ($attribute === self::DELETE && $this->hasClientSessionAccess($project, $user, $sortingSession)) {
  118. return VoterInterface::ACCESS_GRANTED;
  119. ;
  120. }
  121. // If we get to the end of this function, then no decisions have been
  122. // made so we deny access
  123. return VoterInterface::ACCESS_DENIED;
  124. }
  125. }