<?php//------------------------------------------------------------------------------// src/Security/AvailabilityVoter.php//------------------------------------------------------------------------------namespace App\Security;use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;use Symfony\Component\Security\Core\Authorization\Voter\Voter;use Doctrine\Persistence\ManagerRegistry;use App\Entity\Access;use App\Entity\APIRest\AccessAPI;use App\Entity\Config\Config;use App\Entity\Config\Module;use App\Entity\HR\AccessFunction;use App\Entity\HR\Availability;use App\Entity\Security\Acl;use App\Entity\Security\AclAvailability;use App\Entity\Security\AclPermission;use App\Services\Config\ModuleTools;class AvailabilityVoter extends Voter{ //-------------------------------------------------------------------------------- // is_granted constants const USE = "declare_availability"; const IS_GRANTED_CONSTANTS = array( self::USE, ); //-------------------------------------------------------------------------------- // acl constants //-------------------------------------------------------------------------------- public function __construct(ManagerRegistry $doctrine, ModuleTools $moduleTools) { $this->em = $doctrine->getManager(); $this->moduleTools = $moduleTools; $this->aclRepository = $this->em->getRepository(Acl::class); $this->aclPermissionRepository = $this->em->getRepository(AclPermission::class); } // Plan.io Task #4453 [See AccessVoter for details] public function supportsAttribute(string $attribute): bool { return in_array($attribute, self::IS_GRANTED_CONSTANTS, true); } protected function supports(string $attribute, $subject): bool { // if the attribute isn't one we support, return false if (!in_array($attribute, self::IS_GRANTED_CONSTANTS)) { return false; } // only vote on Availability objects inside this voter if ($subject !== null && !$subject instanceof Availability) { return false; } return true; } protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { $user = $token->getUser(); // Plan.io Task #3707 if ($user instanceof AccessAPI) { if ($user->getAccess() === null) { return false; } $user = $user->getAccess(); } // Plan.io Task #3707 // At this point $user is an object of Access type // even if the $token->getUser() is AccessAPI if (!$user instanceof Access) { // the user must be logged in; if not, deny access return false; } // The user must have a function; if not deny access $function = $user->getFunction(); if ($function === null) return false; // Plan.io Task #3710 : Get current group $currentGroup = $user->getSocietyGroup(); if ($currentGroup === null) return false; // Access must have $hasAvailability : true if (!$function->getHasAvailability()) { return false; } // you know $subject is a Availability object, thanks to supports /** @var Availability $availability */ $availability = $subject; // Check current group affectation if ($subject !== null) { $subjectGroup = $subject->getSocietyGroup(); if ($subjectGroup === null) return false; if (!$currentGroup->equals($subjectGroup)) return false; } switch ($attribute) { case self::USE: { if ($subject === null) { return true; } else { return $this->isConcerned($availability, $user); } } } throw new \LogicException('This code should not be reached!'); } // $access is the user trying to load the resource // $availability is the resource being loaded private function isConcerned(Availability $availability, Access $access): bool { $owner = $availability->getAccess(); if ($owner === null) { return false; } return $owner->equals($access); }}