src/Security/EquipmentVoter.php line 21

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/EquipmentVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\Equipment\Equipment;
  15. use App\Entity\Equipment\Note;
  16. use App\Entity\HR\AccessFunction;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclPermission;
  19. use App\Services\Config\ModuleTools;
  21. class EquipmentVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  25.     const IS_ACTIVE "equipment_is_active";
  27.     const ADD "add_equipment";
  29.     const LISTING "list_equipments";
  30.     const LISTING_SOCIETY "list_equipments_society";
  31.     const LISTING_ANY "list_equipments_any";
  33.     const VIEW "view_equipment";
  34.     const EDIT "edit_equipment";
  35.     const DELETE "delete_equipment";
  37.     const ADD_NOTE "add_equipment_note";
  38.     const EDIT_NOTE "edit_equipment_note";
  39.     const DELETE_NOTE "delete_equipment_note";
  41.     const IS_GRANTED_CONSTANTS = array(
  42.         self::IS_ACTIVE,
  43.         self::ADD,
  44.         self::LISTING,
  45.         self::LISTING_SOCIETY,
  46.         self::LISTING_ANY,
  47.         self::VIEW,
  48.         self::EDIT,
  49.         self::DELETE,
  50.         self::ADD_NOTE,
  51.         self::EDIT_NOTE,
  52.         self::DELETE_NOTE,
  53.     );
  55.     //--------------------------------------------------------------------------------
  56.     // acl constants
  57.     const ACL_PERM_ADD "equipment_add";
  59.     const ACL_PERM_LISTING "equipment_list";
  60.     const ACL_PERM_LISTING_SOCIETY "equipment_list_society";
  62.     const ACL_PERM_VIEW "equipment_view";
  63.     const ACL_PERM_VIEW_SOCIETY "equipment_view_society";
  65.     const ACL_PERM_EDIT "equipment_edit";
  66.     const ACL_PERM_EDIT_SOCIETY "equipment_edit_society";
  68.     const ACL_PERM_DELETE "equipment_delete";
  69.     const ACL_PERM_DELETE_SOCIETY "equipment_delete_society";
  71.     const ACL_PERM_ADD_NOTE "equipment_add_note";
  72.     const ACL_PERM_ADD_NOTE_SOCIETY "equipment_add_note_society";
  73.     const ACL_PERM_EDIT_NOTE "equipment_edit_note";
  74.     const ACL_PERM_EDIT_NOTE_SOCIETY "equipment_edit_note_society";
  75.     const ACL_PERM_DELETE_NOTE "equipment_delete_note";
  76.     const ACL_PERM_DELETE_NOTE_SOCIETY "equipment_delete_note_society";
  78.     //--------------------------------------------------------------------------------
  80.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  81.     {
  82.         $this->em $doctrine->getManager();
  83.         $this->moduleTools $moduleTools;
  85.         $this->aclRepository $this->em->getRepository(Acl::class);
  86.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  87.     }
  89.     // Plan.io Task #4453 [See AccessVoter for details]
  90.     public function supportsAttribute(string $attribute): bool
  91.     {
  92.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  93.     }
  94.     
  95.     protected function supports(string $attribute$subject): bool
  96.     {
  97.         // if the attribute isn't one we support, return false
  98.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  99.         {
  100.             return false;
  101.         }
  103.         // only vote on Equipment objects inside this voter
  104.         if ($subject !== null && !($subject instanceof Equipment or $subject instanceof Note))
  105.         {
  106.             return false;
  107.         }
  109.         return true;
  110.     }
  112.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  113.     {
  114.         $user $token->getUser();
  116.         if (!$user instanceof Access)
  117.         {
  118.             // the user must be logged in; if not, deny access
  119.             return false;
  120.         }
  122.         // The user must have a function; if not deny access
  123.         $function $user->getFunction();
  124.         if ($function === null)        return false;
  126.         // Plan.io Task #3710 : Get current group
  127.         $currentGroup $user->getSocietyGroup();
  128.         if ($currentGroup === null)
  129.             return false;
  131.         // Module activated ?
  132.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_EQUIPMENT))
  133.         {
  134.             return false;
  135.         }
  137.         // Check current group affectation
  138.         if ($subject !== null)
  139.         {
  140.             $subjectSociety $subject->getSociety();
  141.             if ($subjectSociety === null)
  142.                 return false;
  143.             $subjectGroup $subjectSociety->getGroup();
  144.             if ($subjectGroup === null)
  145.                 return false;
  146.             if (!$currentGroup->equals($subjectGroup))
  147.                 return false;
  148.         }
  150.         // you know $subject is a Equipment / Note object, thanks to supports
  151.         $note null;
  152.         $equipment null;
  153.         if ($subject instanceof Equipment)
  154.         {
  155.             $equipment $subject;
  156.         }
  157.         else
  158.         {
  159.             if ($subject instanceof Note)
  160.             {
  161.                 $note $subject;
  162.             }
  163.         }
  165.         switch ($attribute)
  166.         {
  167.             // Check is done before, in the voteOnAttribute
  168.             case self::IS_ACTIVE:
  169.                 return true;
  171.             case self::ADD:
  172.                 return $this->canAdd($user$function);
  174.             case self::LISTING:
  175.                 return $this->canList($user$function);
  176.             case self::LISTING_SOCIETY:
  177.                 return $this->canListSociety($user$function);
  178.             case self::LISTING_ANY:
  179.                 return $this->canListAny($user$function);
  181.             case self::VIEW:
  182.                 return $this->canView($equipment$user$function);
  184.             case self::EDIT:
  185.                 return $this->canEdit($equipment$user$function);
  187.             case self::DELETE:
  188.                 return $this->canDelete($equipment$user$function);
  190.             case self::ADD_NOTE:
  191.                 return $this->canAddNote($equipment$user$function);
  192.             case self::EDIT_NOTE:
  193.                 return $this->canEditNote($note$user$function);
  194.             case self::DELETE_NOTE:
  195.                 return $this->canDeleteNote($note$user$function);
  196.         }
  198.         throw new \LogicException('This code should not be reached!');
  199.     }
  201.     // $access is the user trying to load the resource
  202.     // $object is the resource being loaded
  204.     // Check if the Society of the resource
  205.     // belongs to the societies of the $access
  206.     private function checkSociety($objectAccess $access)
  207.     {
  208.         // Get all the societies of the access
  209.         $societies $access->getSocieties();
  211.         // Get the Society of the Equipment
  212.         $objectSociety $object->getSociety();
  214.         if ($objectSociety === null)
  215.             return false;
  217.         $found false;
  218.         foreach ($societies as $society)
  219.         {
  220.             if ($society->getId() == $objectSociety->getId())
  221.             {
  222.                 $found true;
  223.                 break;
  224.             }
  225.         }
  226.         return $found;
  227.     }
  229.     private function canAdd(Access $userAccessFunction $function)
  230.     {
  231.         // Get Acl_Permission
  232.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  233.         if ($aclPerm === null)        return false;
  235.         // Get Acl
  236.         $acl $this->aclRepository->findOneBy(array(
  237.             'function'        =>    $function,
  238.             'permission'    =>    $aclPerm
  239.         ));
  240.         if ($acl === null)        return false;
  242.         // Since only one acl type can exist
  243.         // we can return the result of the acl_permission
  244.         return $acl->getValue();
  245.     }
  247.     private function canList(Access $userAccessFunction $function)
  248.     {
  249.         // Get Acl_Permission
  250.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  251.         if ($aclPerm === null)        return false;
  253.         // Get Acl
  254.         $acl $this->aclRepository->findOneBy(array(
  255.             'function'        =>    $function,
  256.             'permission'    =>    $aclPerm
  257.         ));
  258.         if ($acl === null)        return false;
  260.         // Since only one acl type can exist
  261.         // we can return the result of the acl_permission
  262.         return $acl->getValue();
  263.     }
  265.     private function canListSociety(Access $userAccessFunction $function)
  266.     {
  267.         // Get Acl_Permission
  268.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  269.         if ($aclPerm === null)        return false;
  271.         // Get Acl
  272.         $acl $this->aclRepository->findOneBy(array(
  273.             'function'        =>    $function,
  274.             'permission'    =>    $aclPerm
  275.         ));
  276.         if ($acl === null)        return false;
  278.         // Since only one acl type can exist
  279.         // we can return the result of the acl_permission
  280.         // Further filtering is done in the Controller
  281.         return $acl->getValue();
  282.     }
  284.     private function canListAny(Access $userAccessFunction $function)
  285.     {
  286.         // Two Acl_Permission may exist
  287.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  288.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING_SOCIETY);
  290.         // If all are null, exit
  291.         if ($aclPerm === null && $aclPermSociety === null)
  292.             return false;
  294.         // Get First one
  295.         if ($aclPerm !== null)
  296.         {
  297.             $acl $this->aclRepository->findOneBy(array(
  298.                 'function'        =>    $function,
  299.                 'permission'    =>    $aclPerm
  300.             ));
  301.             if ($acl !== null)
  302.             {
  303.                 if ($acl->getValue())
  304.                 {
  305.                     // A single positive answer is enough
  306.                     return true;
  307.                 }
  308.             }
  309.         }
  310.         // If we are here it means that nothing good has been found
  311.         // Load second permission
  312.         if ($aclPermSociety !== null)
  313.         {
  314.             $acl $this->aclRepository->findOneBy(array(
  315.                 'function'        =>    $function,
  316.                 'permission'    =>    $aclPermSociety
  317.             ));
  318.             if ($acl !== null)
  319.             {
  320.                 if ($acl->getValue())
  321.                 {
  322.                     // A single positive answer is enough
  323.                     return true;
  324.                 }
  325.             }
  326.         }
  328.         // If we are here, all hope is lost
  329.         return false;
  330.     }
  332.     private function canView(Equipment $equipmentAccess $userAccessFunction $function)
  333.     {
  334.         // Get Acl_Permissions
  335.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  336.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  338.         // If all are null, exit
  339.         if ($aclPerm === null && $aclPermSociety === null)
  340.             return false;
  342.         // Get First one
  343.         if ($aclPerm !== null)
  344.         {
  345.             $acl $this->aclRepository->findOneBy(array(
  346.                 'function'        =>    $function,
  347.                 'permission'    =>    $aclPerm
  348.             ));
  349.             if ($acl !== null)
  350.             {
  351.                 if ($acl->getValue())
  352.                 {
  353.                     // A single positive answer is enough
  354.                     return true;
  355.                 }
  356.             }
  357.         }
  359.         // If we are here it means that nothing good has been found
  360.         // Load second permission
  361.         if ($aclPermSociety !== null)
  362.         {
  363.             $acl $this->aclRepository->findOneBy(array(
  364.                 'function'        =>    $function,
  365.                 'permission'    =>    $aclPermSociety
  366.             ));
  367.             if ($acl !== null)
  368.             {
  369.                 if ($acl->getValue())
  370.                 {
  371.                     // A single positive answer is enough
  372.                     // In this case the good answer will be provided by the checkSociety
  373.                     return $this->checkSociety($equipment$user);
  374.                 }
  375.             }
  376.         }
  378.         // If we are here, all hope is lost
  379.         return false;
  380.     }
  382.     private function canEdit(Equipment $equipmentAccess $userAccessFunction $function)
  383.     {
  384.         // Three Acl_Permission may exist
  385.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  386.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  388.         // If all are null, exit
  389.         if ($aclPerm === null && $aclPermSociety === null)
  390.             return false;
  394.         // Get First one
  395.         if ($aclPerm !== null)
  396.         {
  397.             $acl $this->aclRepository->findOneBy(array(
  398.                 'function'        =>    $function,
  399.                 'permission'    =>    $aclPerm
  400.             ));
  401.             if ($acl !== null)
  402.             {
  403.                 if ($acl->getValue())
  404.                 {
  405.                     // A single positive answer is enough
  406.                     return true;
  407.                 }
  408.             }
  409.         }
  410.         // If we are here it means that nothing good has been found
  411.         // Load second permission
  412.         if ($aclPermSociety !== null)
  413.         {
  414.             $acl $this->aclRepository->findOneBy(array(
  415.                 'function'        =>    $function,
  416.                 'permission'    =>    $aclPermSociety
  417.             ));
  418.             if ($acl !== null)
  419.             {
  420.                 if ($acl->getValue())
  421.                 {
  422.                     // A single positive answer is enough
  423.                     // In this case the good answer will be provided by the checkSociety
  424.                     return $this->checkSociety($equipment$user);
  425.                 }
  426.             }
  427.         }
  429.         // If we are here, all hope is lost
  430.         return false;
  431.     }
  433.     private function canDelete(Equipment $equipmentAccess $userAccessFunction $function)
  434.     {
  435.         // Three Acl_Permission may exist
  436.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
  437.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_SOCIETY);
  439.         // If all are null, exit
  440.         if ($aclPerm === null && $aclPermSociety === null)
  441.             return false;
  445.         // Get First one
  446.         if ($aclPerm !== null)
  447.         {
  448.             $acl $this->aclRepository->findOneBy(array(
  449.                 'function'        =>    $function,
  450.                 'permission'    =>    $aclPerm
  451.             ));
  452.             if ($acl !== null)
  453.             {
  454.                 if ($acl->getValue())
  455.                 {
  456.                     // A single positive answer is enough
  457.                     return true;
  458.                 }
  459.             }
  460.         }
  461.         // If we are here it means that nothing good has been found
  462.         // Load second permission
  463.         if ($aclPermSociety !== null)
  464.         {
  465.             $acl $this->aclRepository->findOneBy(array(
  466.                 'function'        =>    $function,
  467.                 'permission'    =>    $aclPermSociety
  468.             ));
  469.             if ($acl !== null)
  470.             {
  471.                 if ($acl->getValue())
  472.                 {
  473.                     // A single positive answer is enough
  474.                     // In this case the good answer will be provided by the checkSociety
  475.                     return $this->checkSociety($equipment$user);
  476.                 }
  477.             }
  478.         }
  480.         // If we are here, all hope is lost
  481.         return false;
  482.     }
  484.     private function canAddNote(Equipment $equipmentAccess $userAccessFunction $function)
  485.     {
  486.         // Three Acl_Permission may exist
  487.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_NOTE);
  488.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD_NOTE_SOCIETY);
  490.         // If all are null, exit
  491.         if ($aclPerm === null && $aclPermSociety === null)
  492.             return false;
  494.         // Get First one
  495.         if ($aclPerm !== null)
  496.         {
  497.             $acl $this->aclRepository->findOneBy(array(
  498.                 'function'        =>    $function,
  499.                 'permission'    =>    $aclPerm
  500.             ));
  501.             if ($acl !== null)
  502.             {
  503.                 if ($acl->getValue())
  504.                 {
  505.                     // A single positive answer is enough
  506.                     return true;
  507.                 }
  508.             }
  509.         }
  510.         // If we are here it means that nothing good has been found
  511.         // Load second permission
  512.         if ($aclPermSociety !== null)
  513.         {
  514.             $acl $this->aclRepository->findOneBy(array(
  515.                 'function'        =>    $function,
  516.                 'permission'    =>    $aclPermSociety
  517.             ));
  518.             if ($acl !== null)
  519.             {
  520.                 if ($acl->getValue())
  521.                 {
  522.                     // A single positive answer is enough
  523.                     // In this case the good answer will be provided by the checkSociety
  524.                     return $this->checkSociety($equipment$user);
  525.                 }
  526.             }
  527.         }
  529.         // If we are here, all hope is lost
  530.         return false;
  531.     }
  533.     private function canEditNote(Note $noteAccess $userAccessFunction $function)
  534.     {
  535.         // Allow editing own notes
  536.         if ($user->equals($note->getAuthor()))
  537.         {
  538.             return true;
  539.         }
  541.         // Three Acl_Permission may exist
  542.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_NOTE);
  543.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_NOTE_SOCIETY);
  545.         // If all are null, exit
  546.         if ($aclPerm === null && $aclPermSociety === null)
  547.             return false;
  549.         // Get First one
  550.         if ($aclPerm !== null)
  551.         {
  552.             $acl $this->aclRepository->findOneBy(array(
  553.                 'function'        =>    $function,
  554.                 'permission'    =>    $aclPerm
  555.             ));
  556.             if ($acl !== null)
  557.             {
  558.                 if ($acl->getValue())
  559.                 {
  560.                     // A single positive answer is enough
  561.                     return true;
  562.                 }
  563.             }
  564.         }
  565.         // If we are here it means that nothing good has been found
  566.         // Load second permission
  567.         if ($aclPermSociety !== null)
  568.         {
  569.             $acl $this->aclRepository->findOneBy(array(
  570.                 'function'        =>    $function,
  571.                 'permission'    =>    $aclPermSociety
  572.             ));
  573.             if ($acl !== null)
  574.             {
  575.                 if ($acl->getValue())
  576.                 {
  577.                     // A single positive answer is enough
  578.                     // In this case the good answer will be provided by the checkSociety
  579.                     return $this->checkSociety($note$user);
  580.                 }
  581.             }
  582.         }
  584.         // If we are here, all hope is lost
  585.         return false;
  586.     }
  588.     private function canDeleteNote(Note $noteAccess $userAccessFunction $function)
  589.     {
  590.         // Allow deleting own notes
  591.         if ($user->equals($note->getAuthor()))
  592.         {
  593.             return true;
  594.         }
  596.         // Three Acl_Permission may exist
  597.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_NOTE);
  598.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE_NOTE_SOCIETY);
  600.         // If all are null, exit
  601.         if ($aclPerm === null && $aclPermSociety === null)
  602.             return false;
  604.         // Get First one
  605.         if ($aclPerm !== null)
  606.         {
  607.             $acl $this->aclRepository->findOneBy(array(
  608.                 'function'        =>    $function,
  609.                 'permission'    =>    $aclPerm
  610.             ));
  611.             if ($acl !== null)
  612.             {
  613.                 if ($acl->getValue())
  614.                 {
  615.                     // A single positive answer is enough
  616.                     return true;
  617.                 }
  618.             }
  619.         }
  620.         // If we are here it means that nothing good has been found
  621.         // Load second permission
  622.         if ($aclPermSociety !== null)
  623.         {
  624.             $acl $this->aclRepository->findOneBy(array(
  625.                 'function'        =>    $function,
  626.                 'permission'    =>    $aclPermSociety
  627.             ));
  628.             if ($acl !== null)
  629.             {
  630.                 if ($acl->getValue())
  631.                 {
  632.                     // A single positive answer is enough
  633.                     // In this case the good answer will be provided by the checkSociety
  634.                     return $this->checkSociety($note$user);
  635.                 }
  636.             }
  637.         }
  639.         // If we are here, all hope is lost
  640.         return false;
  641.     }
  642. }