src/Security/Voter/HeiVoter.php line 15

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter;
  5. use ApiPlatform\Core\Bridge\Doctrine\Orm\Paginator;
  6. use App\Entity\Hei;
  7. use App\Entity\User;
  8. use App\HeiAdministration\StaffDirectory;
  9. use App\Repository\HeiRepository;
  10. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  11. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  12. use Symfony\Component\Security\Core\Security;
  13. use Symfony\Component\Security\Core\User\UserInterface;
  15. class HeiVoter extends Voter
  16. {
  17.     public const VIEW 'HEI_VIEW';
  18.     public const EDIT 'HEI_EDIT';
  19.     public const CREATE 'HEI_CREATE';
  20.     public const DELETE 'HEI_DELETE';
  21.     public const VIEW_INCOMING_MOBILITIES 'VIEW_INCOMING_MOBILITIES';
  22.     public const VIEW_OUTGOING_MOBILITIES 'VIEW_INCOMING_MOBILITIES';
  24.     private Security $security;
  25.     private StaffDirectory $staffDirectory;
  26.     private HeiRepository $heiRepository;
  28.     public function __construct(
  29.         Security $security,
  30.         StaffDirectory $staffDirectory,
  31.         HeiRepository $heiRepository
  32.     ) {
  33.         $this->security $security;
  34.         $this->staffDirectory $staffDirectory;
  35.         $this->heiRepository $heiRepository;
  36.     }
  38.     protected function supports(string $attributemixed $subject): bool
  39.     {
  40.         return in_array($attribute, [
  41.                 self::VIEW,
  42.                 self::CREATE,
  43.                 self::EDIT,
  44.                 self::DELETE,
  45.                 self::VIEW_INCOMING_MOBILITIES,
  46.                 self::VIEW_OUTGOING_MOBILITIES,
  47.             ])
  48.             && (
  49.                 $subject instanceof Paginator
  50.                 || null === $subject
  51.                 || $subject instanceof Hei
  52.             )
  53.         ;
  54.     }
  56.     protected function voteOnAttribute(string $attributemixed $subjectTokenInterface $token): bool
  57.     {
  58.         /**
  59.          * @var User $user
  60.          */
  61.         $user $token->getUser();
  62.         // if the user is anonymous, do not grant access
  63.         if (!$user instanceof UserInterface) {
  64.             return false;
  65.         }
  67.         if ($this->security->isGranted('ROLE_SUPER_ADMIN')) {
  68.             return true;
  69.         }
  71.         // TODO this should just be temporary until Api Platform allows security check on the owning side
  72.         if ($subject instanceof Paginator) {
  73.             $query $subject
  74.                 ->getQuery()
  75.             ;
  76.             $queryParameters $query->getParameters();
  77.             $id $queryParameters[0]
  78.                 ->getValue()
  79.             ;
  81.             $hei $this->heiRepository->findOneBy(['schacCode' => $id]);
  82.         } else {
  83.             $hei $subject;
  84.         }
  86.         switch ($attribute) {
  87.             case self::VIEW:
  88.                 $student $user->getStudent();
  90.                 return $this->staffDirectory->isStaffAtHei($user$hei)
  91.                     || (null !== $student && $student->getHomeHei()->getId() === $hei->getId())
  92.                     ;
  93.             case self::EDIT:
  94.             case self::VIEW_INCOMING_MOBILITIES:
  95.             case self::VIEW_OUTGOING_MOBILITIES:
  96.                 return $this->staffDirectory->isStaffAtHei($user$hei);
  97.             case self::CREATE:
  98.                 return $this->security->isGranted('ROLE_ADMIN');
  99.             case self::DELETE:
  100.                 // This should never be reached as we already check for SUPER_ADMIN role higher up
  101.                 return false;
  102.         }
  104.         return false;
  105.     }
  106. }