src/Security/Voter/ClientVoter.php line 11

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\Client\Client;
  6. use App\Entity\User;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Symfony\Component\Security\Core\Security;
  11. class ClientVoter extends Voter
  12. {
  13. private const VIEW = 'view';
  14. private const EDIT = 'edit';
  15. private const SELECT = 'select';
  16. private const DELETE = 'delete';
  17. /**
  18. * @var Security
  19. */
  20. private Security $security;
  22. /**
  23. * ClientVoter constructor.
  24. * @param Security $security
  25. */
  26. public function __construct(Security $security)
  27. {
  28. $this->security = $security;
  29. }
  31. /**
  32. * @inheritDoc
  33. */
  34. protected function supports(string $attribute, $subject): bool
  35. {
  36. // if the attribute isn't one we support, return false
  37. if (!in_array($attribute, [self::VIEW, self::EDIT, self::DELETE, self::SELECT], true)) {
  38. return false;
  39. }
  41. // only vote on `Client` objects
  42. if ($subject instanceof Client === false) {
  43. return false;
  44. }
  46. return true;
  47. }
  49. /**
  50. * @inheritDoc
  51. */
  52. protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
  53. {
  54. $loggedUser = $token->getUser();
  56. if (!$loggedUser instanceof User) {
  57. // the user must be logged in; if not, deny access
  58. return false;
  59. }
  61. switch ($attribute) {
  62. case self::VIEW:
  63. return $this->canSee($subject, $loggedUser);
  64. case self::EDIT:
  65. case self::DELETE:
  66. return $this->canEdit($subject, $loggedUser);
  67. case self::SELECT:
  68. return $this->canSelect($subject, $loggedUser);
  69. }
  70. throw new \LogicException('This code should not be reached!');
  71. }
  73. /**
  74. * @param Client $client
  75. * @param User $loggedUser
  76. * @return bool
  77. */
  78. private function canSee(Client $client, User $loggedUser): bool
  79. {
  80. if ($this->security->isGranted('ROLE_ADMIN')) {
  81. return true;
  82. }
  84. if ($this->security->isGranted('ROLE_CAN_SEE_ALL_CLIENTS')) {
  85. return true;
  86. }
  88. if ($this->security->isGranted('ROLE_ADMIN_MANAGER')) {
  89. if ($loggedUser->getClient()->getId() === $client->getId()) {
  90. return true;
  91. }
  93. if ($loggedUser->getClientGroup() !== null && $client->getClientGroup() !== null) {
  94. if ($loggedUser->getClientGroup() === $client->getClientGroup()) {
  95. // client is from allowed group of clients of logged user
  96. return true;
  97. }
  98. }
  99. }
  101. if ($this->security->isGranted('ROLE_CAN_SEE_CLIENT_DETAIL') && $loggedUser->getClient()->getId() === $client->getId()) {
  102. return true;
  103. }
  105. return false;
  106. }
  108. /**
  109. * @param Client $client
  110. * @param User $loggedUser
  111. * @return bool
  112. */
  113. private function canEdit(Client $client, User $loggedUser): bool
  114. {
  115. if ($this->canSee($client, $loggedUser) && $this->security->isGranted('ROLE_CAN_EDIT_CLIENT')) {
  116. return true;
  117. }
  119. return false;
  120. }
  123. /**
  124. * @param Client $client
  125. * @param User $loggedUser
  126. * @return bool
  127. */
  128. private function canSelect(Client $client, User $loggedUser): bool
  129. {
  130. if (!$this->security->isGranted('ROLE_CAN_ASSIGN_CLIENT')
  131. || !$this->canSee($client, $loggedUser)
  132. ) {
  133. return false;
  134. }
  136. return true;
  137. }
  138. }