src/Security/Voter/UserVoter.php line 10

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\User;
  6. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  7. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  8. use Symfony\Component\Security\Core\Security;
  10. class UserVoter extends Voter
  11. {
  12. // these strings are just invented: you can use anything
  13. const VIEW = 'view';
  14. const EDIT = 'edit';
  15. const DELETE = 'delete';
  16. /**
  17. * @var Security
  18. */
  19. private Security $security;
  21. public function __construct(Security $security)
  22. {
  23. $this->security = $security;
  24. }
  26. protected function supports(string $attribute, $subject): bool
  27. {
  28. // if the attribute isn't one we support, return false
  29. if (!in_array($attribute, [self::VIEW, self::EDIT, self::DELETE], true)) {
  30. return false;
  31. }
  33. // only vote on `Post` objects
  34. if (!$subject instanceof User) {
  35. return false;
  36. }
  38. return true;
  39. }
  41. protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
  42. {
  43. $loggedUser = $token->getUser();
  45. if (!$loggedUser instanceof User) {
  46. // the user must be logged in; if not, deny access
  47. return false;
  48. }
  50. // you know $subject is a Post object, thanks to `supports()`
  51. /** @var User $targetUser */
  52. $targetUser = $subject;
  54. switch ($attribute) {
  55. case self::VIEW:
  56. return $this->canSee($targetUser, $loggedUser);
  57. case self::EDIT:
  58. return $this->canEdit($targetUser, $loggedUser);
  59. case self::DELETE:
  60. return $this->canDelete($targetUser, $loggedUser);
  61. }
  63. throw new \LogicException('This code should not be reached!');
  64. }
  66. /**
  67. * @param User $targetUser
  68. * @param User $loggedUser
  69. * @return bool
  70. */
  71. private function canEdit(User $targetUser, User $loggedUser): bool
  72. {
  73. if ($this->security->isGranted('ROLE_ADMIN')) {
  74. return true;
  75. }
  76. if ($this->security->isGranted('ROLE_CAN_EDIT_USER') && $this->sameClient($targetUser) && $this->inUserHierarchy($targetUser, $loggedUser)) {
  77. return true;
  78. }
  80. return false;
  81. }
  83. /**
  84. * @param User $targetUser
  85. * @param User $loggedUser
  86. * @return bool
  87. */
  88. private function canDelete(User $targetUser, User $loggedUser): bool
  89. {
  90. if ($targetUser === $loggedUser) {
  91. return false;
  92. }
  93. if ($this->security->isGranted('ROLE_ADMIN')) {
  94. return true;
  95. }
  96. if ($this->security->isGranted('ROLE_CAN_DELETE_USER') && $this->sameClient($targetUser) && $this->inUserHierarchy($targetUser, $loggedUser)) {
  97. return true;
  98. }
  100. return false;
  101. }
  103. /**
  104. * @param User $targetUser
  105. * @param User $loggedUser
  106. * @return bool
  107. */
  108. private function canSee(User $targetUser, User $loggedUser): bool
  109. {
  110. if ($this->security->isGranted('ROLE_ADMIN')) {
  111. return true;
  112. }
  114. return $this->sameClient($targetUser) && $this->inUserHierarchy($targetUser, $loggedUser);
  115. }
  117. private function sameClient(User $targetUser): bool
  118. {
  119. /** @var User $loggedUser */
  120. $loggedUser = $this->security->getUser();
  121. return $loggedUser->getClient() === $targetUser->getClient();
  122. }
  124. private function sameBuildings(User $targetUser): bool
  125. {
  126. /** @var User $loggedUser */
  127. $loggedUser = $this->security->getUser();
  128. //pracovník manažer uvidí a může to co manažer ale jen u jemu přiřazených objektů
  129. if ($this->security->isGranted('ROLE_WORKER_MANAGER')) {
  130. foreach ($loggedUser->getBuildings() as $loggedUserBuilding) {
  131. foreach ($targetUser->getBuildings() as $targetUserBuilding) {
  132. if ($targetUserBuilding === $loggedUserBuilding) {
  133. return true;
  134. }
  135. }
  136. }
  137. return false;
  138. }
  139. return true;
  140. }
  142. private function inUserHierarchy(User $targetUser, User $loggedUser): bool
  143. {
  144. $hierarchy = [
  145. 'ROLE_ADMIN_MANAGER' => [
  146. 'ROLE_ADMIN_MANAGER',
  147. 'ROLE_MANAGER',
  148. 'ROLE_CLIENT_BOSS',
  149. 'ROLE_WORKER_MANAGER',
  150. 'ROLE_WORKER',
  151. 'ROLE_GUEST_EXPERT',
  152. 'ROLE_GUEST'
  153. ],
  154. 'ROLE_MANAGER' => [
  155. 'ROLE_MANAGER',
  156. 'ROLE_CLIENT_BOSS',
  157. 'ROLE_WORKER_MANAGER',
  158. 'ROLE_WORKER',
  159. 'ROLE_GUEST_EXPERT',
  160. 'ROLE_GUEST'
  161. ],
  162. 'ROLE_CLIENT_BOSS' => [
  163. 'ROLE_CLIENT_BOSS',
  164. 'ROLE_WORKER_MANAGER',
  165. 'ROLE_WORKER',
  166. 'ROLE_GUEST_EXPERT',
  167. 'ROLE_GUEST'
  168. ],
  169. 'ROLE_WORKER_MANAGER' => [
  170. 'ROLE_WORKER_MANAGER',
  171. 'ROLE_WORKER',
  172. 'ROLE_GUEST_EXPERT',
  173. 'ROLE_GUEST'
  174. ],
  175. 'ROLE_GUEST_EXPERT' => [
  176. 'ROLE_CLIENT_BOSS',
  177. 'ROLE_WORKER_MANAGER',
  178. 'ROLE_WORKER',
  179. 'ROLE_GUEST_EXPERT',
  180. 'ROLE_GUEST'
  181. ],
  182. ];
  184. $userRole = $loggedUser->getRole()->getName();
  186. if (isset($hierarchy[$userRole]) && in_array($targetUser->getRole()->getName(), $hierarchy[$userRole], true)) {
  187. return true;
  188. }
  190. return false;
  191. }
  192. }