src/Security/Voter/UserVoter.php line 14

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Security\Voter;
  5. use InvalidArgumentException;
  6. use MedBrief\MSR\Entity\User;
  7. use Override;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  11. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  12. use Symfony\Component\Security\Core\User\UserInterface;
  14. class UserVoter implements VoterInterface
  15. {
  16. public const CREATE = 'CREATE';
  17. public const READ = 'READ';
  18. public const UPDATE = 'UPDATE';
  19. public const DELETE = 'DELETE';
  20. public const ADMINISTRATION = 'ADMINISTRATION';
  21. public const SIMULATE = 'SIMULATE';
  22. public const SIMULATE_WITH_TFA = 'SIMULATE_WITH_TFA';
  23. public const MANAGE_LINKED_EMAIL_ADDRESS = 'MANAGE_LINKED_EMAIL_ADDRESS';
  24. public const CREATE_LINKED_EMAIL_ADDRESS_INVITATION = 'CREATE_LINKED_EMAIL_ADDRESS_INVITATION';
  26. public function __construct(
  27. private readonly AuthorizationCheckerInterface $authorizationChecker
  28. ) {
  29. }
  31. public function supportsAttribute($attribute): bool
  32. {
  33. return in_array($attribute, [
  34. self::CREATE,
  35. self::READ,
  36. self::UPDATE,
  37. self::DELETE,
  38. self::ADMINISTRATION,
  39. self::SIMULATE,
  40. self::SIMULATE_WITH_TFA,
  41. self::MANAGE_LINKED_EMAIL_ADDRESS,
  42. self::CREATE_LINKED_EMAIL_ADDRESS_INVITATION,
  43. ]);
  44. }
  46. public function supportsClass($class): bool
  47. {
  48. $supportedClass = User::class;
  50. return $supportedClass === $class || is_subclass_of($class, $supportedClass);
  51. }
  53. /**
  54. *
  55. * @param mixed $entity
  56. */
  57. #[Override]
  58. public function vote(TokenInterface $token, $entity, array $attributes)
  59. {
  60. /**
  61. * START: This is common code for all Voter::vote() methods
  62. */
  63. // check if class of this object is supported by this voter
  64. if (!$this->supportsClass($entity && !is_array($entity) ? $entity::class : '')) {
  65. return VoterInterface::ACCESS_ABSTAIN;
  66. }
  68. // check if the voter is used correct, only allow one attribute
  69. // this isn't a requirement, it's just one easy way for you to
  70. // design your voter
  71. if (1 !== count($attributes)) {
  72. throw new InvalidArgumentException(
  73. 'Only one attribute is allowed for medbrief Voters.'
  74. );
  75. }
  77. // set the attribute to check against
  78. $attribute = $attributes[0];
  80. // check if the given attribute is covered by this voter
  81. if (!$this->supportsAttribute($attribute)) {
  82. return VoterInterface::ACCESS_ABSTAIN;
  83. }
  85. // get current logged in user
  86. /** @var User $user */
  87. $user = $token->getUser();
  89. // make sure there is a user object (i.e. that the user is logged in)
  90. if (!$user instanceof UserInterface) {
  91. return VoterInterface::ACCESS_DENIED;
  92. }
  94. // Super Admin users can do everything
  95. if ($this->authorizationChecker->isGranted('ROLE_ADMIN')) {
  96. return VoterInterface::ACCESS_GRANTED;
  97. }
  98. /**
  99. * END: Common code for all Voter:vote() methods. Put custom logic below.
  100. */
  102. // If we are looking if the user can manage the linked email addresses for this user
  103. if ($attribute === self::MANAGE_LINKED_EMAIL_ADDRESS && $user->getId() === $entity->getId()) {
  104. return VoterInterface::ACCESS_GRANTED;
  105. }
  107. // If we are looking if the user can create a linked email addresses for this user
  108. if ($attribute === self::CREATE_LINKED_EMAIL_ADDRESS_INVITATION && $user->getId() === $entity->getId()) {
  109. return VoterInterface::ACCESS_GRANTED;
  110. }
  112. // If we get to the end of this function, then no decisions have been
  113. // made so we deny access
  114. return VoterInterface::ACCESS_DENIED;
  115. }
  116. }