src/Security/SocietyGroupCommandVoter.php line 21

Open in your IDE?
  1. <?php
  2. //------------------------------------------------------------------------------
  3. // src/Security/SocietyGroupCommandVoter.php
  4. //------------------------------------------------------------------------------
  5. namespace App\Security;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Doctrine\Persistence\ManagerRegistry;
  11. use App\Entity\Access;
  12. use App\Entity\Config\Config;
  13. use App\Entity\Config\Module;
  14. use App\Entity\HR\AccessFunction;
  15. use App\Entity\Platform\SocietyGroup\SocietyGroupCommand;
  16. use App\Entity\Platform\SocietyGroup\SocietyGroupInvoice;
  17. use App\Entity\Security\Acl;
  18. use App\Entity\Security\AclPermission;
  19. use App\Services\Config\ModuleTools;
  21. class SocietyGroupCommandVoter extends Voter
  22. {
  23.     //--------------------------------------------------------------------------------
  24.     // is_granted constants
  25.     const ADD "add_society_group_command";
  27.     const VIEW "view_society_group_command";
  28.     const VIEW_PDF "view_pdf_society_group_command";
  30.     const EDIT "edit_society_group_command";
  31.     const EDIT_RECEIVER_SOCIETY "edit_society_group_command_receiver_society";
  33.     // This one is tricky
  34.     // We don't actually care for permissions here
  35.     // We just want to know if there is anything to display
  36.     // If the societyGroup has no SocietyGroupCommands, there is no need to even show the tab
  37.     const LIST = "list_society_group_commands";
  39.     const IS_GRANTED_CONSTANTS = array(
  40.         self::ADD,
  42.         self::VIEW,
  43.         self::VIEW_PDF,
  45.         self::EDIT,
  46.         self::EDIT_RECEIVER_SOCIETY,
  48.         self::LIST,
  49.     );
  51.     //--------------------------------------------------------------------------------
  52.     // acl constants
  53.     const ACL_PERM_VIEW "society_group_command_view";
  54.     const ACL_PERM_VIEW_PDF "society_group_command_view_pdf";
  55.     const ACL_PERM_EDIT "society_group_command_edit";
  56.     const ACL_PERM_LIST "society_group_command_list";
  58.     public function __construct(ManagerRegistry $doctrineModuleTools $moduleTools)
  59.     {
  60.         $this->em $doctrine->getManager();
  61.         $this->moduleTools $moduleTools;
  63.         $this->aclRepository $this->em->getRepository(Acl::class);
  64.         $this->aclPermissionRepository $this->em->getRepository(AclPermission::class);
  65.     }
  67.     // Plan.io Task #4453 [See AccessVoter for details]
  68.     public function supportsAttribute(string $attribute): bool
  69.     {
  70.         return in_array($attributeself::IS_GRANTED_CONSTANTStrue);
  71.     }
  72.     
  73.     protected function supports(string $attribute$subject null): bool
  74.     {
  75.         // if the attribute isn't one we support, return false
  76.         if (!in_array($attributeself::IS_GRANTED_CONSTANTS))
  77.         {
  78.             return false;
  79.         }
  81.         // Only vote on Invoice / Devis objects inside this voter
  82.         if ($subject !== null && !($subject instanceof SocietyGroupCommand || $subject instanceof SocietyGroupInvoice))
  83.         {
  84.             return false;
  85.         }
  87.         return true;
  88.     }
  90.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  91.     {
  92.         $user $token->getUser();
  94.         if (!$user instanceof Access)
  95.         {
  96.             // the user must be logged in; if not, deny access
  97.             return false;
  98.         }
  100.         // The user must have a function; if not deny access
  101.         $function $user->getFunction();
  102.         if ($function === null)        return false;
  104.         // Plan.io Task #3710 : Get current group
  105.         $currentGroup $user->getSocietyGroup();
  106.         if ($currentGroup === null)
  107.             return false;
  109.         $this->currentGroup $currentGroup;
  111.         $this->command null;
  112.         $this->emitter null;
  113.         $this->receiver null;
  115.         if ($subject instanceof SocietyGroupCommand)
  116.         {
  117.             $this->command $subject;
  118.             $this->emitter $subject->getEmitter();
  119.             $this->receiver $subject->getReceiver();
  121.             if ($this->emitter === null || $this->receiver === null)
  122.             {
  123.                 return false;
  124.             }
  125.         }
  127.         switch ($attribute)
  128.         {
  129.             // canAdd : subject is SocietyGroupInvoice
  130.             case self::ADD:
  131.                 return $this->canAdd($subject);
  133.             case self::LIST:
  134.                 return $this->canList($user$function);
  136.             // for all those below : subject is SocietyGroupCommand
  137.             case self::VIEW:
  138.                 return $this->canView($subject$user$function);
  139.             case self::VIEW_PDF:
  140.                 return $this->canViewPdf($subject$user$function);
  142.             case self::EDIT:
  143.                 return $this->canEdit($subject$user$function);
  144.             case self::EDIT_RECEIVER_SOCIETY:
  145.                 return $this->canEditReceiverSociety($subject$user$function);
  146.         }
  148.         throw new \LogicException('This code should not be reached!');
  149.     }
  151.     private function canAdd(SocietyGroupInvoice $invoice)
  152.     {
  153.         // Only JCAF SocietyGroup can add a SocietyGroupCommand for now
  154.         if ($this->currentGroup->isNotJcaf())
  155.         {
  156.             return false;
  157.         }
  159.         // Plan.io Task #3229 Commissions
  160.         $mission $invoice->getMission();
  161.         if ($mission === null)
  162.         {
  163.             return false;
  164.         }
  166.         // Deny actions on archivedRefused objects
  167.         if ($mission->isArchivedRefused())
  168.         {
  169.             return false;
  170.         }
  172.         // Only for JCAF Devis with commission
  173.         // Plan.io Task #3229 Commissions
  175.         // Restrictions on Devis
  176.         $devis $invoice->getDevis();
  177.         if ($devis !== null)
  178.         {
  179.             if ($devis->isNotJcaf())
  180.             {
  181.                 return false;
  182.             }
  183.             if (empty($devis->getShareCommission()))
  184.             {
  185.                 return false;
  186.             }
  187.             // Deny for annulled and refused
  188.             if ($devis->isAnnulled() || $devis->isRefused())
  189.             {
  190.                 return false;
  191.             }
  192.         }
  194.         // Do we already have a SocietyGroupCommand for this SocietyGroupInvoice ?
  195.         $command $this->em->getRepository(SocietyGroupCommand::class)
  196.             ->findOneByInvoice($invoice);
  197.         if ($command !== null)
  198.         {
  199.             return false;
  200.         }
  202.         // Restrictions on Mission
  203.         if ($mission !== null)
  204.         {
  205.             if ($mission->getSocietyGroupAuthor() === null)
  206.             {
  207.                 return false;
  208.             }
  209.             if ($mission->getSocietyGroupAuthor()->isNotJcaf())
  210.             {
  211.                 return false;
  212.             }
  213.             if (empty($mission->getCommissionAmount()) && empty($mission->getCommissionPercentage()))
  214.             {
  215.                 return false;
  216.             }
  217.         }
  219.         // If we are here all went well
  220.         return true;
  221.     }
  223.     private function canList(Access $userAccessFunction $function)
  224.     {
  225.         // Always show tab for JCAF SocietyGroup
  226.         if ($this->currentGroup->isJcaf())
  227.         {
  228.             return true;
  229.         }
  231.         // if ($this->currentGroup->isNotJcaf())
  232.         // {
  233.         //     $sql = "SELECT COUNT(*) as nb
  234.         //             FROM society_group_command
  235.         //             WHERE society_group_command.emitter_society_group_id = ".$this->currentGroup->getId();
  236.         //     $stmt = $this->em->getConnection()->prepare($sql);
  237.         //     $stmt->execute();
  238.         //     $result = $stmt->fetch()['nb'];
  239.         //     if ($result < 1)
  240.         //     {
  241.         //         return false;
  242.         //     }
  243.         // }
  245.         // If the current society group is not JCAF
  246.         // only show the society_group_command tab if at least one command is available
  247.         // Test emitter
  248.         $command $this->em->getRepository(SocietyGroupCommand::class)
  249.             ->findOneByEmitter($this->currentGroup);
  250.         if ($command === null)
  251.         {
  252.             // None available, die hard
  253.             return false;
  254.         }
  256.         // If we are here it means that we have at least one command to show
  257.         // Test permissions
  259.         // Get Acl_Permission
  260.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_LIST);
  261.         if ($aclPerm === null)        return false;
  263.         // Get Acl
  264.         $acl $this->aclRepository->findOneBy(array(
  265.             'function'        =>    $function,
  266.             'permission'    =>    $aclPerm
  267.         ));
  268.         if ($acl === null)        return false;
  270.         // Since only one acl type can exist
  271.         // we can return the result of the acl_permission
  272.         return $acl->getValue();
  274.         // All hope is lost
  275.         return false;
  276.     }
  278.     private function canView(SocietyGroupCommand $commandAccess $userAccessFunction $function)
  279.     {
  280.         // Both emitter and receiver can view society group commands
  281.         if (!($this->currentGroup->equals($this->emitter) || $this->currentGroup->equals($this->receiver)))
  282.         {
  283.             return false;
  284.         }
  286.         // Get Acl_Permission
  287.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  288.         if ($aclPerm === null)        return false;
  290.         // Get Acl
  291.         $acl $this->aclRepository->findOneBy(array(
  292.             'function'        =>    $function,
  293.             'permission'    =>    $aclPerm
  294.         ));
  295.         if ($acl === null)        return false;
  297.         // Since only one acl type can exist
  298.         // we can return the result of the acl_permission
  299.         return $acl->getValue();
  301.         // All hope is lost
  302.         return false;
  303.     }
  305.     private function canViewPdf(SocietyGroupCommand $commandAccess $userAccessFunction $function)
  306.     {
  307.         // Both emitter and receiver can view society group commands
  308.         if (!($this->currentGroup->equals($this->emitter) || $this->currentGroup->equals($this->receiver)))
  309.         {
  310.             return false;
  311.         }
  313.         // Get Acl_Permission
  314.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_VIEW);
  315.         if ($aclPerm === null)        return false;
  317.         // Get Acl
  318.         $acl $this->aclRepository->findOneBy(array(
  319.             'function'        =>    $function,
  320.             'permission'    =>    $aclPerm
  321.         ));
  322.         if ($acl === null)        return false;
  324.         // Since only one acl type can exist
  325.         // we can return the result of the acl_permission
  326.         return $acl->getValue();
  328.         // All hope is lost
  329.         return false;
  330.     }
  332.     private function canEdit(SocietyGroupCommand $commandAccess $userAccessFunction $function)
  333.     {
  334.         // Only JCAF for now
  335.         if ($this->currentGroup->isNotJcaf())
  336.         {
  337.             return false;
  338.         }
  340.         $mission $command->getMission();
  341.         if ($mission === null)
  342.         {
  343.             return false;
  344.         }
  346.         // Deny edit on archivedRefused objects
  347.         if ($mission->isArchivedRefused())
  348.         {
  349.             return false;
  350.         }
  352.         // Get Acl_Permission
  353.         $aclPerm $this->aclPermissionRepository->findOneByName(self::ACL_PERM_EDIT);
  354.         if ($aclPerm === null)        return false;
  356.         // Get Acl
  357.         $acl $this->aclRepository->findOneBy(array(
  358.             'function'        =>    $function,
  359.             'permission'    =>    $aclPerm
  360.         ));
  361.         if ($acl === null)        return false;
  363.         // Since only one acl type can exist
  364.         // we can return the result of the acl_permission
  365.         return $acl->getValue();
  367.         // All hope is lost
  368.         return false;
  369.     }
  371.     private function canEditReceiverSociety(SocietyGroupCommand $commandAccess $userAccessFunction $function)
  372.     {
  373.         // For now receiver can only be JCAF
  374.         // So no need to actually edit the receiver ;)
  375.         return true;
  376.     }
  377. }