src/Security/Voter/Profile/ProfileVoter.php line 16

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\Security\Voter\Profile;
  7. use App\Model\User\Entity\User\Role\Permission;
  8. use App\Model\User\Entity\User\Role\RoleConstants;
  9. use App\ReadModel\Profile\DetailView;
  10. use App\Security\UserIdentity;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  13. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  14. use Symfony\Component\Security\Core\Security;
  16. class ProfileVoter extends Voter
  17. {
  18.     public const PROFILE_CREATE 'profile_create';
  19.     public const PROFILE_EDIT 'profile_edit';
  20.     public const PROFILE_INDEX 'profile_index';
  21.     public const PROFILE_RECALL 'profile_recall';
  22.     public const ORGANIZATION_USERS_LIST 'organization_users_list';
  23.     public const ORGANIZATION_POSITION_LIST 'organization_position_list';
  25.     public const ORGANIZATION_USERS_CREATE 'organization_users_create';
  27.     public const ORGANIZATION_USERS_DELETE 'organization_users_delete';
  29.     public const CONTRACTS_LIST 'contracts_list';
  31.     public const PROCEDURE_MY_LIST 'procedure_my_list';
  32.     private Security $security;
  33.     public function __construct(Security $security)
  34.     {
  35.         $this->security $security;
  36.     }
  38.     protected function supports(string $attribute$subject): bool
  39.     {
  40.         return in_array($attribute, [
  41.                 self::PROFILE_CREATE,
  42.                 self::PROFILE_EDIT,
  43.                 self::PROFILE_INDEX,
  44.                 self::PROFILE_RECALL,
  45.                 self::ORGANIZATION_USERS_LIST,
  46.                 self::ORGANIZATION_POSITION_LIST,
  47.                 self::ORGANIZATION_USERS_CREATE,
  48.                 self::ORGANIZATION_USERS_DELETE,
  49.                 self::CONTRACTS_LIST,
  50.                 self::PROCEDURE_MY_LIST
  51.             ], true);
  52.     }
  54.     /**
  55.      * @param string $attribute
  56.      * @param $subject
  57.      * @param TokenInterface $token
  58.      * @return bool
  59.      */
  60.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  61.     {
  62.         // Moderators have full access
  63.         if ($this->security->isGranted('ROLE_MODERATOR')) {
  64.             return true;
  65.         }
  67.         $user $token->getUser();
  69.         // Only authenticated UserIdentity can proceed
  70.         if (!$user instanceof UserIdentity) {
  71.             return false;
  72.         }
  74.         $role = (new RoleConstants($user->getRole()));
  75.         if ($role->isOrganizerUser()) {
  76.             if ($this->checkPermissionEmployee($user$attribute$subject) === false) {
  77.                 return $this->handleException();
  78.             }
  79.         }
  81.         // Check specific permissions
  82.         switch ($attribute) {
  83.             case self::PROFILE_INDEX:
  84.                 if (!$this->isOwnerProfile($subject$user)) {
  85.                     return $this->handleException();
  86.                 }
  87.                 break;
  89.             case self::PROFILE_EDIT:
  90.                 // Only profile owner can proceed
  91.                 if (!$this->isOwnerProfile($subject$user)) {
  92.                     return $this->handleException();
  93.                 }
  95.                 return $user->isPermission(Permission::PROFILE_EDIT);
  96.                 break;
  98.             case self::CONTRACTS_LIST:
  99.                 // Only profile owner can proceed
  100.                 if (!$this->isOwnerProfile($subject$user)) {
  101.                     return $this->handleException();
  102.                 }
  104.                 return $user->isPermission(Permission::CONTRACTS_LIST);
  105.                 break;
  107.             case self::PROCEDURE_MY_LIST:
  109.                 if ($subject->id !== $user->getProfileId()) {
  110.                     return $this->handleException();
  111.                 }
  112.                 break;
  113.         }
  115.         return true;
  116.     }
  118.     private function handleException()
  119.     {
  120.         throw new AccessDeniedException('Доступ запрещен. У вас недостаточно прав для совершения этого действия.');
  121.     }
  123.     /**
  124.      * Проверка разрешений сотрудника
  125.      * @param UserIdentity $user
  126.      * @param string $attribute
  127.      * @param DetailView $subject
  128.      * @return bool
  129.      */
  130.     private function checkPermissionEmployee(UserIdentity $userstring $attributeDetailView $subject): bool
  131.     {
  132.         switch ($attribute) {
  133.             case self::PROFILE_INDEX:
  134.                 if (!$this->isOwnerProfile($subject$user)) {
  135.                     return false;
  136.                 }
  137.                 return true;
  138.                 break;
  140.             case self::PROFILE_EDIT:
  141.                 if (!$this->isOwnerProfile($subject$user)) {
  142.                     return false;
  143.                 }
  144.                 return $user->isPermission(Permission::PROFILE_EDIT);
  145.                 break;
  147.             case self::ORGANIZATION_USERS_LIST:
  148.                 // Only profile owner can proceed
  149.                 if (!$this->isOwnerProfile($subject$user)) {
  150.                     return false;
  151.                 }
  152.                 return $user->isPermission(Permission::ORGANIZATION_USERS_LIST);
  153.                 break;
  155.             case self::ORGANIZATION_POSITION_LIST:
  156.                 if (!$this->isOwnerProfile($subject$user)) {
  157.                     return false;
  158.                 }
  159.                 return $user->isPermission(Permission::ORGANIZATION_POSITION_LIST);
  160.                 break;
  162.             case self::ORGANIZATION_USERS_CREATE:
  163.                 if (!$this->isOwnerProfile($subject$user)) {
  164.                     return false;
  165.                 }
  166.                 return $user->isPermission(Permission::ORGANIZATION_USERS_CREATE);
  167.                 break;
  169.             case self::ORGANIZATION_USERS_DELETE:
  170.                 if (!$this->isOwnerProfile($subject$user)) {
  171.                     return false;
  172.                 }
  173.                 return $user->isPermission(Permission::ORGANIZATION_USERS_DELETE);
  174.                 break;
  176.             case self::CONTRACTS_LIST:
  178.                 if (!$this->isOwnerProfile($subject$user)) {
  179.                     return false;
  180.                 }
  181.                 return $user->isPermission(Permission::CONTRACTS_LIST);
  182.                 break;
  184.             case self::PROCEDURE_MY_LIST:
  186.                 if ($subject->id !== $user->getProfileId()) {
  187.                     return $this->handleException();
  188.                 }
  190.                 return true;
  191.                 break;
  193.             default:
  194.                 return false;
  195.         }
  196.     }
  198.     private function isOwnerProfile(DetailView $subjectUserIdentity $user): bool
  199.     {
  200.         // Only profile owner can proceed
  201.         if ($subject->id !== $user->getProfileId()) {
  202.             return false;
  203.         }
  205.         return true;
  206.     }
  207. }