src/Security/ProductVoter.php line 25

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/ProductVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\APIRest\AccessAPI;
  13. use App\Entity\Config\Config;
  14. use App\Entity\Config\Module;
  15. use App\Entity\HR\AccessFunction;
  16. use App\Entity\Product\Charge;
  17. use App\Entity\Product\Product;
  18. use App\Entity\Security\Acl;
  19. use App\Entity\Security\AclPermission;
  21. use App\Services\LogTools;
  22. use App\Services\Config\ModuleTools;
  23. use App\Services\Config\OptionConfigTools;
  25. class ProductVoter extends Voter
  26. {
  27.     //--------------------------------------------------------------------------------
  28.     // is_granted constants
  29.     const IS_ACTIVE "product_is_active";
  30.     const IS_ACTIVE_ECO_BONUS "eco_bonus_is_active";    // #4328
  32.     const ADD "add_product";
  34.     const LISTING "list_products";
  35.     const VIEW "view_product";
  36.     const EDIT "edit_product";
  37.     const DELETE "delete_product";
  39.     const IMPORT "import_products";
  41.     // Plan.io Task #3605
  42.     const EDIT_GHOST_PARAMS "edit_product_ghost_params";
  44.     const IS_GRANTED_CONSTANTS = array(
  45.         self::IS_ACTIVE,
  46.         self::IS_ACTIVE_ECO_BONUS,
  48.         self::ADD,
  49.         self::LISTING,
  50.         self::VIEW,
  51.         self::EDIT,
  52.         self::DELETE,
  53.         self::IMPORT,
  54.         // Plan.io Task #3605
  55.         self::EDIT_GHOST_PARAMS,
  56.     );
  58.     //--------------------------------------------------------------------------------
  59.     // acl constants
  61.     const ACL_PERM_ADD "product_add";
  62.     const ACL_PERM_LISTING "product_list";
  63.     const ACL_PERM_VIEW "product_view";
  64.     const ACL_PERM_EDIT "product_edit";
  65.     const ACL_PERM_DELETE "product_delete";
  66.     const ACL_PERM_IMPORT "product_import";
  68.     //--------------------------------------------------------------------------------
  70.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleToolsOptionConfigTools $optionConfigToolsLogTools $logTools)
  71.     {
  72.         $this->em $doctrine->getManager();
  73.         $this->moduleTools $moduleTools;
  74.         $this->optionConfigTools $optionConfigTools;
  75.         $this->logTools $logTools;
  77.         $this->aclRepository $this->em->getRepository(Acl::class);
  78.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  79.     }
  81.     // Plan.io Task #4453 [See AccessVoter for details]
  82.     public function supportsAttribute(string $attribute): bool
  83.     {
  84.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  85.     }
  87.     protected function supports(string $attribute$subject): bool
  88.     {
  89.         // if the attribute isn't one we support, return false
  90.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  91.         {
  92.             return false;
  93.         }
  95.         // only vote on Product objects inside this voter
  96.         if ($subject !== null && (!$subject instanceof Product && !$subject instanceof Charge))
  97.         {
  98.             return false;
  99.         }
  101.         return true;
  102.     }
  104.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  105.     {
  106.         $user $token->getUser();
  108.         // Plan.io Task #3707
  109.         if ($user instanceof AccessAPI)
  110.         {
  111.             if ($user->getAccess() === null)
  112.             {
  113.                 return false;
  114.             }
  115.             $user $user->getAccess();
  116.         }
  118.         if (!$user instanceof Access)
  119.         {
  120.             // the user must be logged in; if not, deny access
  121.             return false;
  122.         }
  124.         // The user must have a function; if not deny access
  125.         $function $user->getFunction();
  126.         if ($function === null)        return false;
  128.         // Plan.io Task #3710 : Get current group
  129.         $currentGroup $user->getSocietyGroup();
  130.         if ($currentGroup === null)
  131.             return false;
  133.         // Plan.io Task #3605
  134.         $this->currentGroup $currentGroup;
  136.         // Module activated ?
  137.         if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_PRODUCT))
  138.         {
  139.             return false;
  140.         }
  142.         // Check current group affectation
  143.         if ($subject !== null)
  144.         {
  145.             $subjectGroup $subject->getSocietyGroup();
  146.             if ($subjectGroup === null)
  147.                 return false;
  148.             if (!$currentGroup->equals($subjectGroup))
  149.                 return false;
  150.         }
  152.         switch ($attribute)
  153.         {
  154.             case self::IS_ACTIVE:
  155.                 return true;
  157.             case self::IS_ACTIVE_ECO_BONUS:
  158.             {
  159.                 if ($this->moduleTools->isInactiveByCode($currentGroupModule::MODULE_ECO_BONUS))
  160.                 {
  161.                     return false;
  162.                 }
  163.                 return true;
  164.             }
  166.             case self::IMPORT:
  167.                 return $this->canImport($user$function);
  169.             case self::ADD:
  170.                 return $this->canAdd($user$function);
  172.             case self::LISTING:
  173.                 return $this->canList($user$function);
  175.             case self::VIEW:
  176.                 return $this->canView($user$function);
  177.             case self::EDIT:
  178.                 return $this->canEdit($subject$user$function);
  179.             case self::DELETE:
  180.                 return $this->canDelete($subject$user$function);
  182.             // Plan.io task #3605
  183.             case self::EDIT_GHOST_PARAMS:
  184.             {
  185.                 if ($subject instanceof Charge)
  186.                 {
  187.                     return false;
  188.                 }
  189.                 return $this->canEditGhostParams($subject$user$function);
  190.             }
  191.         }
  193.         throw new \LogicException('This code should not be reached!');
  194.     }
  196.     private function canImport(Access $accessAccessFunction $function)
  197.     {
  198.         // Get Acl_Permission
  199.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_IMPORT);
  200.         if ($aclPerm === null)        return false;
  202.         // Get Acl
  203.         $acl $this->aclRepository->findOneBy(array(
  204.             'function'        =>    $function,
  205.             'permission'    =>    $aclPerm
  206.         ));
  207.         if ($acl === null)        return false;
  209.         return $acl->getValue();
  210.     }
  212.     private function canAdd(Access $accessAccessFunction $function)
  213.     {
  214.         // Get Acl_Permission
  215.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_ADD);
  216.         if ($aclPerm === null)        return false;
  218.         // Get Acl
  219.         $acl $this->aclRepository->findOneBy(array(
  220.             'function'        =>    $function,
  221.             'permission'    =>    $aclPerm
  222.         ));
  223.         if ($acl === null)        return false;
  225.         return $acl->getValue();
  226.     }
  228.     private function canList(Access $accessAccessFunction $function)
  229.     {
  230.         // Restrictions are also applied in the Controller
  231.         // But this helps speeding page loading if the access is not even allowed to load the page
  232.         // (ie. if it has no list privileges whatsoever)
  234.         // Get Acl_Permission
  235.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LISTING);
  236.         if ($aclPerm === null)        return false;
  238.         // Get Acl
  239.         $acl $this->aclRepository->findOneBy(array(
  240.             'function'        =>    $function,
  241.             'permission'    =>    $aclPerm
  242.         ));
  243.         if ($acl === null)        return false;
  245.         // Since only one list type can exist for the Products,
  246.         // we can return the result of the acl_permission
  247.         return $acl->getValue();
  248.     }
  250.     private function canView(Access $accessAccessFunction $function)
  251.     {
  252.         // Several Acl_Permission exist
  253.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  255.         // If all are null, exit
  256.         if ($aclPerm === null)
  257.             return false;
  259.         // Get First one (view all)
  260.         if ($aclPerm !== null)
  261.         {
  262.             $acl $this->aclRepository->findOneBy(array(
  263.                 'function'        =>    $function,
  264.                 'permission'    =>    $aclPerm
  265.             ));
  266.             if ($acl !== null)
  267.             {
  268.                 if ($acl->getValue())
  269.                 {
  270.                     // A single positive answer is enough
  271.                     return true;
  272.                 }
  273.             }
  274.         }
  276.         // If we are here, all hope is lost
  277.         return false;
  278.     }
  280.     private function canEdit(Product|Charge $subjectAccess $accessAccessFunction $function)
  281.     {
  282.         // Do not allow editing the free product
  283.         if ($subject instanceof Product)
  284.         {
  285.             if ($subject->isFree())
  286.             {
  287.                 return false;
  288.             }
  289.         }
  291.         // Several Acl_Permission exist
  292.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  294.         // If all are null, exit
  295.         if ($aclPerm === null)
  296.             return false;
  298.         // Get First one (view all)
  299.         if ($aclPerm !== null)
  300.         {
  301.             $acl $this->aclRepository->findOneBy(array(
  302.                 'function'        =>    $function,
  303.                 'permission'    =>    $aclPerm
  304.             ));
  305.             if ($acl !== null)
  306.             {
  307.                 if ($acl->getValue())
  308.                 {
  309.                     // A single positive answer is enough
  310.                     return true;
  311.                 }
  312.             }
  313.         }
  315.         // If we are here, all hope is lost
  316.         return false;
  317.     }
  319.     // Plan.io task #3605
  320.     private function canEditGhostParams(Product $productAccess $accessAccessFunction $function)
  321.     {
  322.         // Deny on discounts
  323.         if ($product->isDiscount())
  324.         {
  325.             return false;
  326.         }
  328.         // Check OptionConfig
  329.         if (!$this->optionConfigTools->isActive_GhostInvoicing($this->currentGroup))
  330.         {
  331.             return false;
  332.         }
  334.         // Finally check edit permissions
  335.         return $this->canEdit($product$access$function);
  336.     }
  338.     private function canDelete(Product|Charge $subjectAccess $accessAccessFunction $function)
  339.     {
  340.         // Do not allow editing the free product
  341.         if ($subject instanceof Product)
  342.         {
  343.             if ($subject->isFree())
  344.             {
  345.                 return false;
  346.             }
  347.         }
  349.         // Several Acl_Permission exist
  350.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_DELETE);
  352.         // If all are null, exit
  353.         if ($aclPerm === null)
  354.             return false;
  356.         // Get First one (view all)
  357.         if ($aclPerm !== null)
  358.         {
  359.             $acl $this->aclRepository->findOneBy(array(
  360.                 'function'        =>    $function,
  361.                 'permission'    =>    $aclPerm
  362.             ));
  363.             if ($acl !== null)
  364.             {
  365.                 if ($acl->getValue())
  366.                 {
  367.                     // A single positive answer is enough
  368.                     return true;
  369.                 }
  370.             }
  371.         }
  373.         // If we are here, all hope is lost
  374.         return false;
  375.     }
  376. }