src/Security/Voter/EventVoter.php line 15

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\Client\Client;
  6. use App\Entity\Event\Action;
  7. use App\Entity\Event\Event;
  8. use App\Entity\Event\Notice;
  9. use App\Entity\User;
  10. use Doctrine\ORM\EntityManagerInterface;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  13. use Symfony\Component\Security\Core\Security;
  15. class EventVoter extends Voter
  16. {
  17. // these strings are just invented: you can use anything
  18. const VIEW = 'view';
  19. const EDIT = 'edit';
  20. const DELETE = 'delete';
  21. /**
  22. * @var Security
  23. */
  24. private Security $security;
  25. /**
  26. * @var EntityManagerInterface
  27. */
  28. private EntityManagerInterface $entityManager;
  30. public function __construct(Security $security, EntityManagerInterface $entityManager)
  31. {
  32. $this->security = $security;
  33. $this->entityManager = $entityManager;
  34. }
  36. protected function supports(string $attribute, $subject): bool
  37. {
  38. // if the attribute isn't one we support, return false
  39. if (!in_array($attribute, [self::VIEW, self::EDIT, self::DELETE], true)) {
  40. return false;
  41. }
  43. // only vote on `File` objects
  44. if (!$subject instanceof Event) {
  45. return false;
  46. }
  48. return true;
  49. }
  51. protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
  52. {
  53. $loggedUser = $token->getUser();
  55. if (!$loggedUser instanceof User) {
  56. // the user must be logged in; if not, deny access
  57. return false;
  58. }
  60. // you know $subject is a Post object, thanks to `supports()`
  61. /** @var Event $targetEvent */
  62. $targetEvent = $subject;
  64. switch ($attribute) {
  65. case self::VIEW:
  66. return $this->canSee($targetEvent, $loggedUser);
  67. case self::EDIT:
  68. return $this->canEdit($targetEvent, $loggedUser);
  69. case self::DELETE:
  70. return $this->canDelete($targetEvent, $loggedUser);
  71. }
  73. throw new \LogicException('This code should not be reached!');
  74. }
  76. /**
  77. * @param Event $targetEvent
  78. * @param User $loggedUser
  79. * @return bool
  80. */
  81. private function canSee(Event $targetEvent, User $loggedUser): bool
  82. {
  83. // sanity check (different client than logged user client)
  84. if ($targetEvent->getClient()->getId() !== $loggedUser->getClient()->getId()) {
  85. return false;
  86. }
  88. if ($targetEvent instanceof Notice && !$this->security->isGranted('ROLE_CAN_SEE_NOTICE_DETAIL')) {
  89. return false;
  90. }
  92. if ($targetEvent instanceof Action && !$this->security->isGranted('ROLE_CAN_SEE_ACTION_DETAIL')) {
  93. return false;
  94. }
  96. return true;
  97. }
  99. /**
  100. * @param Event $targetEvent
  101. * @param User $loggedUser
  102. * @return bool
  103. */
  104. private function canEdit(Event $targetEvent, User $loggedUser): bool
  105. {
  106. if (!$this->canSee($targetEvent, $loggedUser)) {
  107. return false;
  108. }
  110. if ($targetEvent instanceof Notice) {
  111. // Check specific permission for custom messages
  112. if ($targetEvent->isCustomMessage()) {
  113. if (!$this->security->isGranted('ROLE_CAN_EDIT_TYPE_CUSTOM_MESSAGE')) {
  114. return false;
  115. }
  116. } else {
  117. // Regular notices need standard edit permission
  118. if (!$this->security->isGranted('ROLE_CAN_EDIT_NOTICE')) {
  119. return false;
  120. }
  121. }
  122. }
  124. if ($targetEvent instanceof Action && !$this->security->isGranted('ROLE_CAN_EDIT_ACTION')) {
  125. return false;
  126. }
  128. return true;
  129. }
  131. /**
  132. * @param Event $targetEvent
  133. * @param User $loggedUser
  134. * @return bool
  135. */
  136. private function canDelete(Event $targetEvent, User $loggedUser): bool
  137. {
  138. if (!$this->canSee($targetEvent, $loggedUser)) {
  139. return false;
  140. }
  142. if ($targetEvent instanceof Notice && !$this->security->isGranted('ROLE_CAN_DELETE_NOTICE')) {
  143. return false;
  144. }
  146. if ($targetEvent instanceof Action && !$this->security->isGranted('ROLE_CAN_DELETE_ACTION')) {
  147. return false;
  148. }
  150. return true;
  151. }
  152. }