src/Security/Voter/BuildingVoter.php line 12

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\Building\Building;
  6. use App\Entity\User;
  7. use Doctrine\ORM\EntityManagerInterface;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Symfony\Component\Security\Core\Security;
  12. class BuildingVoter extends Voter
  13. {
  14. // these strings are just invented: you can use anything
  15. const VIEW = 'view';
  16. const EDIT = 'edit';
  17. const DELETE = 'delete';
  18. /**
  19. * @var Security
  20. */
  21. private Security $security;
  22. /**
  23. * @var EntityManagerInterface
  24. */
  25. private EntityManagerInterface $entityManager;
  27. public function __construct(Security $security, EntityManagerInterface $entityManager)
  28. {
  29. $this->security = $security;
  30. $this->entityManager = $entityManager;
  31. }
  33. protected function supports(string $attribute, $subject): bool
  34. {
  35. // if the attribute isn't one we support, return false
  36. if (!in_array($attribute, [self::VIEW, self::EDIT, self::DELETE], true)) {
  37. return false;
  38. }
  40. // only vote on `Building` objects
  41. if (!$subject instanceof Building) {
  42. return false;
  43. }
  45. return true;
  46. }
  48. protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
  49. {
  50. $loggedUser = $token->getUser();
  52. if (!$loggedUser instanceof User) {
  53. // the user must be logged in; if not, deny access
  54. return false;
  55. }
  57. // you know $subject is a Post object, thanks to `supports()`
  58. /** @var Building $targetBuilding */
  59. $targetBuilding = $subject;
  61. switch ($attribute) {
  62. case self::VIEW:
  63. return $this->canSee($targetBuilding, $loggedUser);
  64. case self::EDIT:
  65. case self::DELETE:
  66. return $this->canDealWith($targetBuilding, $loggedUser);
  67. }
  69. throw new \LogicException('This code should not be reached!');
  70. }
  73. /**
  74. * @param Building $targetBuilding
  75. * @param User $loggedUser
  76. * @return bool
  77. */
  78. private function canDealWith(Building $targetBuilding, User $loggedUser): bool
  79. {
  80. if ($this->canSee($targetBuilding, $loggedUser) && $this->security->isGranted('ROLE_CAN_EDIT_BUILDING')) {
  81. return true;
  82. }
  83. return false;
  84. }
  86. /**
  87. * @param Building $targetBuilding
  88. * @param User $loggedUser
  89. * @return bool
  90. */
  91. private function canSee(Building $targetBuilding, User $loggedUser): bool
  92. {
  93. // sanity check (different client than logged user client)
  94. if ($targetBuilding->getClient()->getId() !== $loggedUser->getClient()->getId()) {
  95. return false;
  96. }
  98. // after sanity check - this building is from logged user client
  99. if ($this->security->isGranted('ROLE_CAN_SEE_ALL_BUILDINGS')) {
  100. return true;
  101. }
  103. foreach ($loggedUser->getBuildings() as $building) {
  104. if ($building->getId() === $targetBuilding->getId()) {
  105. return true;
  106. }
  107. }
  109. return false;
  110. }
  111. }