src/Security/IkeaVoter.php line 27

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/IkeaVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Doctrine\Persistence\ManagerRegistry;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  10. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use App\Entity\Access;
  13. use App\Entity\APIRest\AccessAPI;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Ikea\ServiceOrder;
  17. use App\Entity\Platform\Devis\Devis;
  18. use App\Entity\Platform\Invoice\Invoice;
  19. use App\Entity\Security\Acl;
  20. use App\Entity\Security\AclPermission;
  21. use App\Entity\Webapp\Document;
  23. use App\Services\Config\ModuleTools;
  24. use App\Services\Config\OptionConfigTools;
  25. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  27. class IkeaVoter extends Voter
  28. {
  29.     const IS_ACTIVE "ikea_service_order_is_active";
  30.     const IS_ACTIVE_IKEA_BP "ikea_bp_is_active";
  31.     const USE_IKEA_BP "use_ikea_bp";
  33.     const LISTING "list_ikea_service_orders";
  35.     const LISTING_SOCIETY "list_ikea_service_orders_society";
  36.     const LISTING_ANY "list_ikea_service_orders_any";
  38.     const VIEW "view_ikea_service_order";
  39.     const EDIT "edit_ikea_service_order";
  40.     const EDIT_SOCIETY "edit_ikea_service_order_society";
  42.     const CONVERT_TO_MISSION "convert_ikea_service_order_to_mission";
  43.     const LINK_TO_MISSION "link_ikea_service_order_to_mission";
  44.     const CHANGE_MISSION "change_ikea_service_mission";
  46.     const VIEW_ERRORS "view_ikea_service_order_errors";
  48.     // Plan.io Task #3846
  49.     const UPDATE_STATUS_FORCED "update_status_forced";
  51.     const IS_GRANTED_CONSTANTS = array(
  52.         self::IS_ACTIVE,
  53.         self::IS_ACTIVE_IKEA_BP,
  54.         self::USE_IKEA_BP,
  56.         self::LISTING,
  57.         self::LISTING_SOCIETY,
  58.         self::LISTING_ANY,
  60.         self::VIEW,
  62.         self::EDIT,
  63.         self::EDIT_SOCIETY,
  65.         self::CONVERT_TO_MISSION,
  66.         self::LINK_TO_MISSION,
  67.         self::CHANGE_MISSION,
  69.         self::VIEW_ERRORS,
  71.         self::UPDATE_STATUS_FORCED,        // Plan.io Task #3846
  72.     );
  74.     // Plan.io Task #3846
  75.     const UPDATE_STATUS_FORCED_ACCESSES = array(
  76.         'johann''alexandre''oanalivia''dylan'
  77.     );
  79.     //--------------------------------------------------------------------------------
  80.     // acl constants
  82.     const ACL_PERM_ADD 'ikea_service_order_add';
  84.     const ACL_PERM_LIST 'ikea_service_order_list';
  85.     const ACL_PERM_LIST_SOCIETY 'ikea_service_order_list_society';
  87.     const ACL_PERM_VIEW 'ikea_service_order_view';
  88.     const ACL_PERM_VIEW_SOCIETY 'ikea_service_order_view_society';
  90.     const ACL_PERM_EDIT 'ikea_service_order_edit';
  91.     const ACL_PERM_EDIT_SOCIETY 'ikea_service_order_edit_society';
  93.     const ACL_PERM_SOCIETY_EDIT 'ikea_service_order_society_edit';
  94.     const ACL_PERM_SOCIETY_EDIT_SOCIETY 'ikea_service_order_society_edit_society';
  96.     const ACL_PERM_VIEW_ERRORS 'ikea_service_order_view_errors';
  98.     // Plan.io Task #4040
  99.     const ACL_PERM_UPDATE_STATUS_FORCED 'ikea_service_order_edit_status_forced';
  100.     
  101.     // Plan.io Task #4448
  102.     const ACL_PERM_USE_IKEA_BP 'use_ikea_bp';
  103.     //--------------------------------------------------------------------------------
  105.     public function __construct(AccessDecisionManagerInterface $accessDecisionManagerManagerRegistry $doctrine,
  106.         ModuleTools $moduleToolsOptionConfigTools $optionConfigTools)
  107.     {
  108.         $this->accessDecisionManager $accessDecisionManager;
  109.         $this->em $doctrine->getManager();
  110.         $this->moduleTools $moduleTools;
  111.         $this->optionConfigTools $optionConfigTools;
  113.         $this->aclRepository $this->em->getRepository(Acl::class);
  114.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  115.     }
  117.     // Plan.io Task #4453 [See AccessVoter for details]
  118.     public function supportsAttribute(string $attribute): bool
  119.     {
  120.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  121.     }
  123.     protected function supports(string $attribute$subject): bool
  124.     {
  125.         // if the attribute isn't one we support, return false
  126.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  127.         {
  128.             return false;
  129.         }
  131.         // only vote on ServiceOrder objects inside this voter
  132.         if ($subject !== null && !$subject instanceof ServiceOrder)
  133.         {
  134.             return false;
  135.         }
  137.         return true;
  138.     }
  140.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  141.     {
  142.         $user $token->getUser();
  144.         $originalUserIsAccess true;
  146.         // Plan.io Task #3707
  147.         if ($user instanceof AccessAPI)
  148.         {
  149.             if ($user->getAccess() === null)
  150.             {
  151.                 return false;
  152.             }
  153.             $user $user->getAccess();
  154.             $originalUserIsAccess false;
  155.         }
  157.         // Plan.io Task #3707
  158.         // At this point $user is an object of Access type
  159.         // even if the $token->getUser() is AccessAPI
  160.         if (!$user instanceof Access)
  161.         {
  162.             // the user must be logged in; if not, deny access
  163.             return false;
  164.         }
  166.         // The user must have a function; if not deny access
  167.         $function $user->getFunction();
  168.         if ($function === null)        return false;
  170.         // Plan.io Task #3710 : Get current group
  171.         $currentGroup $user->getSocietyGroup();
  172.         if ($currentGroup === null)
  173.             return false;
  175.         $this->currentGroup $currentGroup;
  177.         // Module activated ?
  178.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_IKEA_SERVICE_ORDER))
  179.         {
  180.             return false;
  181.         }
  183.         // you know $subject is a ServiceOrder object, thanks to supports
  184.         /** @var ServiceOrder $serviceOrder */
  185.         $serviceOrder $subject;
  187.         // Check current group affectation
  188.         if ($subject !== null)
  189.         {
  190.             $subjectSociety $subject->getSociety();
  191.             if ($subjectSociety === null)
  192.                 return false;
  193.             $subjectGroup $subjectSociety->getSocietyGroup();
  194.             if ($subjectGroup === null)
  195.                 return false;
  196.             if (!$currentGroup->equals($subjectGroup))
  197.                 return false;
  198.         }
  200.         $this->currentGroup $currentGroup;
  202.         switch ($attribute)
  203.         {
  204.             case self::IS_ACTIVE:
  205.                 return true;
  207.             case self::IS_ACTIVE_IKEA_BP:
  208.             {                
  209.                 // TODO_4448 : Remove this before test / prod
  210.                 // if (!$this->accessDecisionManager->decide($token, ['open_sesame']))
  211.                 //     return false;
  212.                 
  213.                 return $this->optionConfigTools->isActive_IkeaBP($currentGroup);
  214.             }
  216.             case self::USE_IKEA_BP:
  217.             {                
  218.                 // TODO_4448 : Remove this before test / prod
  219.                 // if (!$this->accessDecisionManager->decide($token, ['open_sesame']))
  220.                 //     return false;
  222.                 // This also checks OptionConfig :: isActive_IkeaBP
  223.                 // So it can be used to check both if option is active and user can use option
  224.                 return $this->canUseIkeaBp($user$function);
  225.             }                
  227.             case self::VIEW:
  228.                 return $this->canView($serviceOrder$user$function);
  230.             case self::EDIT:
  231.                 return $this->canEdit($serviceOrder$user$function);
  233.             case self::EDIT_SOCIETY:
  234.                 return $this->canEditSociety($serviceOrder$user$function);
  236.             case self::LISTING:
  237.                 return $this->canList($user$function);
  238.             case self::LISTING_SOCIETY:
  239.                 return $this->canListSociety($user$function);
  240.             case self::LISTING_ANY:
  241.                 return $this->canListAny($user$function);
  243.             case self::CONVERT_TO_MISSION:
  244.                 return $this->canConvertToMission($serviceOrder$user$function$token);
  245.             case self::LINK_TO_MISSION:
  246.                 return $this->canLinkToMission($serviceOrder$user$function$token);
  247.             case self::CHANGE_MISSION:
  248.                 return $this->canChangeMission($serviceOrder$user$function$token);
  250.             case self::VIEW_ERRORS:
  251.                 return $this->canViewErrors($user$function);
  253.             // Plan.io Task #3846, #4040
  254.             case self::UPDATE_STATUS_FORCED:
  255.                 return $this->canUpdateStatusForced($user$function$token);
  256.         }
  258.         throw new \LogicException('This code should not be reached!');
  259.     }
  261.     // Check if the Society of the Demand
  262.     // belongs to the societies of the $access
  263.     private function checkSociety(ServiceOrder $serviceOrderAccess $access)
  264.     {
  265.         // Get all the societies of the access
  266.         $societies $access->getSocieties();
  268.         // Get the Society of the Demand
  269.         $serviceOrderSociety $serviceOrder->getSociety();
  271.         if ($serviceOrderSociety === null)
  272.             return false;
  274.         $found false;
  275.         foreach ($societies as $society)
  276.         {
  277.             if ($society->getId() == $serviceOrderSociety->getId())
  278.             {
  279.                 $found true;
  280.                 break;
  281.             }
  282.         }
  283.         return $found;
  284.     }
  286.     private function canView(ServiceOrder $serviceOrderAccess $userAccessFunction $function)
  287.     {
  288.         // Get Acl_Perdemands
  289.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  290.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_SOCIETY);
  292.         // If all are null, exit
  293.         if ($aclPerm === null && $aclPermSociety === null)
  294.             return false;
  296.         // Get First one
  297.         if ($aclPerm !== null)
  298.         {
  299.             $acl $this->aclRepository->findOneBy(array(
  300.                 'function'        =>    $function,
  301.                 'permission'    =>    $aclPerm
  302.             ));
  303.             if ($acl !== null)
  304.             {
  305.                 if ($acl->getValue())
  306.                 {
  307.                     // A single positive answer is enough
  308.                     return true;
  309.                 }
  310.             }
  311.         }
  313.         // If we are here it means that nothing good has been found
  314.         // Load second permission
  315.         if ($aclPermSociety !== null)
  316.         {
  317.             $acl $this->aclRepository->findOneBy(array(
  318.                 'function'        =>    $function,
  319.                 'permission'    =>    $aclPermSociety
  320.             ));
  321.             if ($acl !== null)
  322.             {
  323.                 if ($acl->getValue())
  324.                 {
  325.                     return $this->checkSociety($serviceOrder$user);
  326.                 }
  327.             }
  328.         }
  330.         // If we are here, all hope is lost
  331.         return false;
  332.     }
  334.     private function canEdit(ServiceOrder $serviceOrderAccess $userAccessFunction $function)
  335.     {
  336.         // Get Acl_Permissions
  337.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  338.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT_SOCIETY);
  340.         // If all are null, exit
  341.         if ($aclPerm === null && $aclPermSociety === null)
  342.             return false;
  344.         // Get First one
  345.         if ($aclPerm !== null)
  346.         {
  347.             $acl $this->aclRepository->findOneBy(array(
  348.                 'function'        =>    $function,
  349.                 'permission'    =>    $aclPerm
  350.             ));
  351.             if ($acl !== null)
  352.             {
  353.                 if ($acl->getValue())
  354.                 {
  355.                     // A single positive answer is enough
  356.                     return true;
  357.                 }
  358.             }
  359.         }
  361.         // If we are here it means that nothing good has been found
  362.         // Load second permission
  363.         if ($aclPermSociety !== null)
  364.         {
  365.             $acl $this->aclRepository->findOneBy(array(
  366.                 'function'        =>    $function,
  367.                 'permission'    =>    $aclPermSociety
  368.             ));
  369.             if ($acl !== null)
  370.             {
  371.                 if ($acl->getValue())
  372.                 {
  373.                     return $this->checkSociety($serviceOrder$user);
  374.                 }
  375.             }
  376.         }
  378.         // If we are here, all hope is lost
  379.         return false;
  380.     }
  382.     private function canEditSociety(ServiceOrder $serviceOrderAccess $userAccessFunction $function)
  383.     {
  384.         // Get Acl_Perdemands
  385.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT);
  386.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_SOCIETY_EDIT_SOCIETY);
  388.         // If all are null, exit
  389.         if ($aclPerm === null && $aclPermSociety === null)
  390.             return false;
  392.         // Get First one
  393.         if ($aclPerm !== null)
  394.         {
  395.             $acl $this->aclRepository->findOneBy(array(
  396.                 'function'        =>    $function,
  397.                 'permission'    =>    $aclPerm
  398.             ));
  399.             if ($acl !== null)
  400.             {
  401.                 if ($acl->getValue())
  402.                 {
  403.                     // A single positive answer is enough
  404.                     return true;
  405.                 }
  406.             }
  407.         }
  409.         // If we are here it means that nothing good has been found
  410.         // Load second permission
  411.         if ($aclPermSociety !== null)
  412.         {
  413.             $acl $this->aclRepository->findOneBy(array(
  414.                 'function'        =>    $function,
  415.                 'permission'    =>    $aclPermSociety
  416.             ));
  417.             if ($acl !== null)
  418.             {
  419.                 if ($acl->getValue())
  420.                 {
  421.                     return $this->checkSociety($serviceOrder$user);
  422.                 }
  423.             }
  424.         }
  426.         // If we are here, all hope is lost
  427.         return false;
  428.     }
  430.     private function canList(Access $userAccessFunction $function)
  431.     {
  432.         // If canView, then canList ;)
  433.         // Get Acl_Perdemand
  434.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  435.         if ($aclPerm === null)        return false;
  437.         // Get Acl
  438.         $acl $this->aclRepository->findOneBy(array(
  439.             'function'        =>    $function,
  440.             'permission'    =>    $aclPerm
  441.         ));
  442.         if ($acl === null)        return false;
  444.         // Since only one acl type can exist
  445.         // we can return the result of the acl_permission
  446.         return $acl->getValue();
  447.     }
  449.     private function canListSociety(Access $userAccessFunction $function)
  450.     {
  451.         // If canView, then canList ;)
  452.         // Get Acl_Perdemand
  453.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  454.         if ($aclPerm === null)        return false;
  456.         // Get Acl
  457.         $acl $this->aclRepository->findOneBy(array(
  458.             'function'        =>    $function,
  459.             'permission'    =>    $aclPerm
  460.         ));
  461.         if ($acl === null)        return false;
  463.         // Since only one acl type can exist
  464.         // we can return the result of the acl_permission
  465.         return $acl->getValue();
  466.     }
  468.     private function canListAny(Access $userAccessFunction $function)
  469.     {
  470.         // Three Acl_Perdemand may exist
  471.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  472.         $aclPermSociety $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST_SOCIETY);
  474.         // If all are null, exit
  475.         if ($aclPerm === null && $aclPermSociety === null)
  476.             return false;
  478.         // Get First one
  479.         if ($aclPerm !== null)
  480.         {
  481.             $acl $this->aclRepository->findOneBy(array(
  482.                 'function'        =>    $function,
  483.                 'permission'    =>    $aclPerm
  484.             ));
  485.             if ($acl !== null)
  486.             {
  487.                 if ($acl->getValue())
  488.                 {
  489.                     // A single positive answer is enough
  490.                     return true;
  491.                 }
  492.             }
  493.         }
  495.         // If we are here it means that nothing good has been found
  496.         // Load second permission
  497.         if ($aclPermSociety !== null)
  498.         {
  499.             $acl $this->aclRepository->findOneBy(array(
  500.                 'function'        =>    $function,
  501.                 'permission'    =>    $aclPermSociety
  502.             ));
  503.             if ($acl !== null)
  504.             {
  505.                 if ($acl->getValue())
  506.                 {
  507.                     // A single positive answer is enough
  508.                     return true;
  509.                 }
  510.             }
  511.         }
  513.         // If we are here, all hope is lost
  514.         return false;
  515.     }
  517.     private function canConvertToMission(ServiceOrder $serviceOrderAccess $userAccessFunction $function$token)
  518.     {
  519.         if ($serviceOrder->getClient() === null)
  520.         {
  521.             // This should not happen
  522.             return false;
  523.         }
  524.         if ($serviceOrder->getMission() !== null)
  525.         {
  526.             // Already attached to a mission
  527.             return false;
  528.         }
  529.         // if ($serviceOrder->getResultingMission() !== null)
  530.         // {
  531.         //     // Already converted to a mission
  532.         //     return false;
  533.         // }
  535.         // Request permission to add missions
  536.         $canAddMissions $this->accessDecisionManager->decide($token, ['add_mission']);
  538.         // Request permission to edit this demand
  539.         $canEditServiceOrder $this->canEdit($serviceOrder$user$function);
  541.         if ($canAddMissions && $canEditServiceOrder)
  542.         {
  543.             return true;
  544.         }
  546.         return false;
  547.     }
  549.     private function canLinkToMission(ServiceOrder $serviceOrderAccess $userAccessFunction $function$token)
  550.     {
  551.         if ($serviceOrder->getClient() === null)
  552.         {
  553.             // This should not happen
  554.             return false;
  555.         }
  557.         if ($serviceOrder->getMission() !== null)
  558.         {
  559.             // Already attached to a mission
  560.             return false;
  561.         }
  562.         // if ($serviceOrder->getResultingMission() !== null)
  563.         // {
  564.         //     // Already converted to a mission
  565.         //     return false;
  566.         // }
  568.         // Request permission to edit this demand
  569.         $canEditServiceOrder $this->canEdit($serviceOrder$user$function);
  571.         if ($canEditServiceOrder)
  572.         {
  573.             return true;
  574.         }
  576.         return false;
  577.     }
  579.     private function canChangeMission(ServiceOrder $serviceOrderAccess $userAccessFunction $function$token)
  580.     {
  581.         if ($serviceOrder->getClient() === null)
  582.         {
  583.             // This should not happen
  584.             return false;
  585.         }
  587.         if ($serviceOrder->getMission() === null)
  588.         {
  589.             // No changing if no mission at all
  590.             return false;
  591.         }
  593.         // TODO.3621
  594.         // Get only the distinct orderNumbers from the ServiceOrders attached to the mission
  595.         // // Get all service orders linked to the same mission
  596.         // // or with the potential to be linked to the same mission
  597.         // $twinServiceOrders = $this->em->getRepository(ServiceOrder::class)
  598.         //     ->getTwinsForMission($serviceOrder, $serviceOrder->getMission());
  599.         // // Add the current one
  600.         // $twinServiceOrders[] = $serviceOrder;
  601.         // foreach ($twinServiceOrders as $so)
  602.         // {
  603.         //     $object = $this->em->getRepository(Devis::class)->findOneByIkeaServiceOrder($so);
  604.         //     if ($object !== null)
  605.         //     {
  606.         //         return false;
  607.         //     }
  608.         //     $object = $this->em->getRepository(Invoice::class)->findOneByIkeaServiceOrder($so);
  609.         //     if ($object !== null)
  610.         //     {
  611.         //         return false;
  612.         //     }
  613.         //     $object = $this->em->getRepository(Document::class)->findOneByIkeaServiceOrder($so);
  614.         //     if ($object !== null)
  615.         //     {
  616.         //         return false;
  617.         //     }
  618.         // }
  620.         // Request permission to edit this demand
  621.         $canEditServiceOrder $this->canEdit($serviceOrder$user$function);
  623.         if ($canEditServiceOrder)
  624.         {
  625.             return true;
  626.         }
  628.         return false;
  629.     }
  631.     private function canViewErrors(Access $userAccessFunction $function)
  632.     {
  633.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW_ERRORS);
  634.         if ($aclPerm === null)        return false;
  636.         // Get Acl
  637.         $acl $this->aclRepository->findOneBy(array(
  638.             'function'        =>    $function,
  639.             'permission'    =>    $aclPerm
  640.         ));
  641.         if ($acl === null)        return false;
  643.         // Since only one acl type can exist
  644.         // we can return the result of the acl_permission
  645.         return $acl->getValue();
  646.     }
  648.     // Plan.io Task #3846
  649.     private function canUpdateStatusForced(Access $userAccessFunction $functionTokenInterface $token)
  650.     {
  651.         // Keep original code also
  652.         // I want the real user here, not the impersonated one
  653.         $originalUser null;
  655.         if ($token instanceof SwitchUserToken)
  656.         {
  657.             $originalUser $token->getOriginalToken()->getUser();
  658.         }
  659.         else
  660.         {
  661.             $originalUser $user;
  662.         }
  664.         if (in_array($originalUser->getUserIdentifier(), self::UPDATE_STATUS_FORCED_ACCESSES))
  665.         {
  666.             return true;
  667.         }
  669.         // Plan.io Task #4040 : Add Acl based code
  670.         // Get Acl_Permissions
  671.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_UPDATE_STATUS_FORCED);
  673.         // If all are null, exit
  674.         if ($aclPerm === null)
  675.             return false;
  677.         // Get First one
  678.         if ($aclPerm !== null)
  679.         {
  680.             $acl $this->aclRepository->findOneBy(array(
  681.                 'function'        =>    $function,
  682.                 'permission'    =>    $aclPerm
  683.             ));
  684.             if ($acl !== null)
  685.             {
  686.                 if ($acl->getValue())
  687.                 {
  688.                     // A single positive answer is enough
  689.                     return true;
  690.                 }
  691.             }
  692.         }
  694.         // If we are here, all hope is lost
  695.         return false;
  696.     }
  698.     private function canUseIkeaBp(Access $userAccessFunction $function)
  699.     {
  700.         // Check Option Active first
  701.         if (!$this->optionConfigTools->isActive_IkeaBP($this->currentGroup))
  702.         {
  703.             return false;
  704.         }
  706.         $aclPerm $this->aclPermissionRepository->findOneByName(self::USE_IKEA_BP);
  707.         if ($aclPerm === null)        return false;
  709.         // Get Acl
  710.         $acl $this->aclRepository->findOneBy(array(
  711.             'function'        =>    $function,
  712.             'permission'    =>    $aclPerm
  713.         ));
  714.         if ($acl === null)        return false;
  716.         // Since only one acl type can exist
  717.         // we can return the result of the acl_permission
  718.         return $acl->getValue();
  719.     }
  720. }