src/Security/Voter/Users/UserVoter.php line 15

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter\Users;
  5. use App\Entity\Garages\Garage;
  6. use App\Entity\User;
  7. use App\Enum\MenuRolesManagerEnum;
  8. use App\Enum\UserRolesEnum;
  9. use App\Enum\VotersEnum;
  10. use App\Repository\Garages\GarageRepository;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  13. use Symfony\Component\Security\Core\Security;
  15. final class UserVoter extends Voter
  16. {
  17.     private Security $security;
  18.     private array $voters;
  19.     private GarageRepository $gr;
  21.     public function __construct(Security $securityGarageRepository $gr)
  22.     {
  23.         $this->security $security;
  24.         $this->voters = [
  25.             VotersEnum::LIST_USER,
  26.             VotersEnum::LIST_ASSOCIATED_EMPLOYEE,
  27.             VotersEnum::CREATE_USER,
  28.             VotersEnum::CREATE_ASSOCIATED_EMPLOYEE,
  29.             VotersEnum::READ,
  30.             VotersEnum::UPDATE,
  31.             VotersEnum::DELETE,
  32.             VotersEnum::STATISTICS_LIST,
  33.             VotersEnum::STATISTICS_VIEW,
  34.             VotersEnum::STATISTICS_ENABLE,
  35.             VotersEnum::STATISTICS_DISABLE,
  36.             VotersEnum::STATISTICS_DOWNLOAD,
  37.         ];
  38.         $this->gr $gr;
  39.     }
  41.     protected function supports(string $attribute$subject): bool
  42.     {
  43.         // first check the $subject and last if the $attribute is supported,
  44.         // because there are attributes (with subject) used as well by other voters (like UPDATE, ...)
  45.         if ($subject && !$subject instanceof User) {
  46.             // only vote on these objects
  47.             return false;
  48.         }
  49.         if (in_array($attribute$this->voters)) {
  50.             // if the attribute is one we support
  51.             return true;
  52.         }
  54.         return false;
  55.     }
  57.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  58.     {
  59.         $user $token->getUser();
  60.         if (!$user instanceof User) {
  61.             // the user must be logged in; if not, deny access
  62.             return false;
  63.         }
  64.         switch ($attribute) {
  65.             case VotersEnum::LIST_USER:
  66.                 return $this->canList();
  67.             case VotersEnum::LIST_ASSOCIATED_EMPLOYEE:
  68.                 return $this->canListAssociatedEmployee();
  69.             case VotersEnum::CREATE_USER:
  70.                 return $this->canCreate();
  71.             case VotersEnum::CREATE_ASSOCIATED_EMPLOYEE:
  72.                 return $this->canCreateAssociatedEmployee();
  73.             case VotersEnum::READ:
  74.                 return $this->canRead($subject$user);
  75.             case VotersEnum::UPDATE:
  76.                 return $this->canUpdate($subject$user);
  77.             case VotersEnum::DELETE:
  78.                 return $this->canDelete($subject$user);
  79.             case VotersEnum::STATISTICS_LIST:
  80.                 return $this->canListStatistics($subject$user);
  81.             case VotersEnum::STATISTICS_VIEW:
  82.                 return $this->canViewStatistics($subject$user);
  83.             case VotersEnum::STATISTICS_ENABLE:
  84.                 return $this->canEnableStatistics($subject);
  85.             case VotersEnum::STATISTICS_DISABLE:
  86.                 return $this->canDisableStatistics($subject);
  87.             case VotersEnum::STATISTICS_DOWNLOAD:
  88.                 return $this->canDownloadStatistics($subject$user);
  89.         }
  91.         throw new \LogicException('This code should not be reached!');
  92.     }
  94.     private function canList(): bool
  95.     {
  96.         return $this->isAdminUser();
  97.     }
  99.     private function canListAssociatedEmployee(): bool
  100.     {
  101.         return $this->isAdminUser() || $this->isAssociatedUser();
  102.     }
  104.     private function canCreate(): bool
  105.     {
  106.         return $this->isAdminUser();
  107.     }
  109.     private function canCreateAssociatedEmployee(): bool
  110.     {
  111.         return $this->isAdminUser() || $this->isAssociatedUser();
  112.     }
  114.     private function canRead(User $subjectUser $loggedUser): bool
  115.     {
  116.         return $this->isAdminUser() || $this->isMyEmployee($subject$loggedUser);
  117.     }
  119.     private function canUpdate(User $subjectUser $loggedUser): bool
  120.     {
  121.         if ((UserRolesEnum::ROLE_ADMIN === $subject->getUserRole()) || (UserRolesEnum::ROLE_SUPER_ADMIN === $subject->getUserRole())) {
  122.             // only users with ROLE_ADMIN can update ADMINS users
  123.             return $this->security->isGranted(UserRolesEnum::ROLE_ADMIN_LONG);
  124.         } else {
  125.             return $this->isAdminUser() || $this->isMyEmployee($subject$loggedUser);
  126.         }
  127.     }
  129.     private function canDelete(User $subjectUser $loggedUser): bool
  130.     {
  131.         return $this->canUpdate($subject$loggedUser);
  132.     }
  134.     private function canListStatistics(User $userUser $loggedUser): bool
  135.     {
  136.         if ($this->security->isGranted(UserRolesEnum::ROLE_COORDINATOR_LONG)) {
  137.             $found false;
  138.             $garages $this->gr->getEnabledGaragesByProvincesSortedByName($loggedUser->getWorkProvinces());
  139.             /** @var Garage $garage */
  140.             foreach ($garages as $garage) {
  141.                 if ($garage->isOwner($user)) {
  142.                     $found true;
  144.                     break;
  145.                 }
  146.             }
  148.             return $found && $user->isEnableStatisticsManagement();
  149.         }
  151.         return $this->isStatisticsAdminUser() && $user->isEnableStatisticsManagement();
  152.     }
  154.     private function canViewStatistics(User $userUser $loggedUser): bool
  155.     {
  156.         return $this->canListStatistics($user$loggedUser);
  157.     }
  159.     private function canEnableStatistics(User $user): bool
  160.     {
  161.         return $this->isStatisticsAdminUser() && !$user->isEnableStatisticsManagement();
  162.     }
  164.     private function canDisableStatistics(User $user): bool
  165.     {
  166.         return $this->isStatisticsAdminUser() && $user->isEnableStatisticsManagement();
  167.     }
  169.     private function canDownloadStatistics(User $userUser $loggedUser): bool
  170.     {
  171.         return $this->canListStatistics($user$loggedUser);
  172.     }
  174.     private function isStatisticsAdminUser(): bool
  175.     {
  176.         return ($this->isAdminUser() || $this->security->isGranted(MenuRolesManagerEnum::ROLE_MENU_BAROMETER_DATA)) && !$this->security->isGranted(UserRolesEnum::ROLE_COORDINATOR_LONG);
  177.     }
  179.     private function isAdminUser(): bool
  180.     {
  181.         return $this->security->isGranted(UserRolesEnum::ROLE_ADMIN_LONG);
  182.     }
  184.     private function isAssociatedUser(): bool
  185.     {
  186.         return $this->security->isGranted(UserRolesEnum::ROLE_ASSOCIATED_LONG);
  187.     }
  189.     private function isMyEmployee(User $employeeUser $loggedUser): bool
  190.     {
  191.         $employeeGarage $employee->getEmployeeGarage();
  192.         if ($employeeGarage) {
  193.             /** @var Garage $garage */
  194.             foreach ($loggedUser->getGarages() as $garage) {
  195.                 if ($employeeGarage->getId() === $garage->getId()) {
  196.                     return true;
  197.                 }
  198.             }
  199.         }
  201.         return false;
  202.     }
  203. }