src/Security/Voter/Documents/DocumentVoter.php line 14

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter\Documents;
  5. use App\Entity\Documents\Document;
  6. use App\Entity\User;
  7. use App\Enum\MenuRolesAssociatedEnum;
  8. use App\Enum\MenuRolesManagerEnum;
  9. use App\Enum\VotersEnum;
  10. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  11. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  12. use Symfony\Component\Security\Core\Security;
  14. class DocumentVoter extends Voter
  15. {
  16.     private Security $security;
  17.     private array $voters;
  19.     public function __construct(Security $security)
  20.     {
  21.         $this->security $security;
  22.         $this->voters = [
  23.             VotersEnum::LIST_DOCUMENT,
  24.             VotersEnum::CREATE_DOCUMENT,
  25.             VotersEnum::READ,
  26.             VotersEnum::UPDATE,
  27.             VotersEnum::DELETE,
  28.             VotersEnum::LIST_DOCUMENT_ASSOCIATED,
  29.             VotersEnum::VIEW,
  30.             VotersEnum::DOWNLOAD,
  31.         ];
  32.     }
  34.     protected function supports(string $attribute$subject): bool
  35.     {
  36.         // first check the $subject and last if the $attribute is supported,
  37.         // because there are attributes (with subject) used as well by other voters (like UPDATE, ...)
  38.         if ($subject && !$subject instanceof Document) {
  39.             // only vote on these objects
  40.             return false;
  41.         }
  42.         if (in_array($attribute$this->voters)) {
  43.             // if the attribute is one we support
  44.             return true;
  45.         }
  47.         return false;
  48.     }
  50.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  51.     {
  52.         $user $token->getUser();
  53.         if (!$user instanceof User) {
  54.             // the user must be logged in; if not, deny access
  55.             return false;
  56.         }
  57.         switch ($attribute) {
  58.             case VotersEnum::LIST_DOCUMENT:
  59.                 return $this->canlist();
  60.             case VotersEnum::CREATE_DOCUMENT:
  61.                 return $this->canCreate();
  62.             case VotersEnum::READ:
  63.                 return $this->canRead();
  64.             case VotersEnum::UPDATE:
  65.                 return $this->canUpdate();
  66.             case VotersEnum::DELETE:
  67.                 return $this->canDelete();
  68.             case VotersEnum::LIST_DOCUMENT_ASSOCIATED:
  69.                 return $this->canlistAssociated();
  70.             case VotersEnum::VIEW:
  71.                 return $this->canView($subject$user);
  72.             case VotersEnum::DOWNLOAD:
  73.                 return $this->canDownload($subject$user);
  74.         }
  76.         throw new \LogicException('This code should not be reached!');
  77.     }
  79.     private function canList(): bool
  80.     {
  81.         return $this->isAdminUser();
  82.     }
  84.     private function canCreate(): bool
  85.     {
  86.         return $this->isAdminUser();
  87.     }
  89.     private function canRead(): bool
  90.     {
  91.         return $this->isAdminUser();
  92.     }
  94.     private function canUpdate(): bool
  95.     {
  96.         return $this->isAdminUser();
  97.     }
  99.     private function canDelete(): bool
  100.     {
  101.         return $this->isAdminUser();
  102.     }
  104.     private function canListAssociated(): bool
  105.     {
  106.         return $this->isAdminUser()
  107.             || $this->isAssociatedUser()
  108.             ;
  109.     }
  111.     private function canView(Document $documentUser $user): bool
  112.     {
  113.         return $this->isAdminUser()
  114.             || ($this->isAssociatedUser() && !$document->isExcludedFor($user))
  115.             || ($this->isAssociatedUser() && !$document->isExcludedFor($user))
  116.             ;
  117.     }
  119.     private function canDownload(Document $documentUser $user): bool
  120.     {
  121.         return $this->isAdminUser()
  122.             || ($this->isAssociatedUser() && !$document->isExcludedFor($user))
  123.             ;
  124.     }
  126.     private function isAdminUser(): bool
  127.     {
  128.         return $this->security->isGranted(MenuRolesManagerEnum::ROLE_MENU_DOCUMENTS_MANAGEMENT);
  129.     }
  131.     private function isAssociatedUser(): bool
  132.     {
  133.         return $this->security->isGranted(MenuRolesAssociatedEnum::ROLE_MENU_DOCUMENTS_MANAGEMENT_ASSOCIATED);
  134.     }
  135. }