<?php
namespace DW\GingerBundle\Security;
use DW\GingerBundle\Entity\PersonInterface;
use DW\GingerBundle\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use DW\GingerBundle\Entity\GroupInterface;
class PersonVoter extends Voter
{
const VIEW = 'view';
const EDIT = 'edit';
const CREATE = 'create';
const FIND = 'find';
const ANONYMIZE = 'anonymize';
const DELETE = 'delete';
const EDIT_TROUGH_API = 'editTroughApi';
private AccessDecisionManagerInterface $decisionManager;
public function __construct(AccessDecisionManagerInterface $decisionManager)
{
$this->decisionManager = $decisionManager;
}
protected function supports($attribute, $subject): bool
{
// if the attribute isn't one we support, return false
if (!in_array($attribute, array(self::VIEW, self::FIND, self::EDIT, self::CREATE, self::ANONYMIZE, self::DELETE, self::EDIT_TROUGH_API))) {
return false;
}
// only vote on person objects inside this voter
if (!$subject instanceof PersonInterface) {
return false;
}
return true;
}
protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
{
$user = $token->getUser();
if (!$user instanceof User) {
// the user must be logged in; if not, deny access
return false;
}
/** @var PersonInterface $person */
$person = $subject;
switch ($attribute) {
case self::VIEW:
return $this->canView($person, $token);
case self::FIND:
return $this->canFind($person, $token);
case self::EDIT:
return $this->canEdit($person, $token);
case self::CREATE:
return $this->canCreate($person, $token);
case self::ANONYMIZE:
return $this->canAnonymize($person, $token);
case self::DELETE:
return $this->canDelete($person, $token);
case self::EDIT_TROUGH_API:
return $this->canEditTroughApi($person, $token);
}
throw new \LogicException('This code should not be reached!');
}
private function canCreate(PersonInterface $person, TokenInterface $token): bool
{
if ($this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_CREATE'])) {
return true;
}
return false;
}
private function canView(PersonInterface $person, TokenInterface $token): bool
{
$user = $token->getUser();
if ($user->isGod()) {
return true;
}
// Users groups must share at least one tag with person
/**@var GroupInterface $group */
foreach ($user->getGroups() as $group) {
foreach ($group->getTags() as $groupTag) {
if ($person->getTags()->contains($groupTag)) {
return true;
}
}
}
return false;
}
private function canFind(PersonInterface $person, TokenInterface $token): bool
{
/*
* Temporarily, all registered users may find any persons.
* Review/Discussion to be done as part of #22083 et.al.
*
* @see https://mantis.dwerk.at/view.php?id=22083
*/
if ($this->canView($person, $token) || $this->decisionManager->decide($token, ['ROLE_USER'])) {
return true;
}
return false;
}
private function canEdit(PersonInterface $person, TokenInterface $token): bool
{
$user = $token->getUser();
if ($this->canView($person, $token) && $this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_EDIT'])) {
return true;
}
if ($user->getPerson() === $token->getUser() && $this->decisionManager->decide($token, ['ROLE_GINGER_USER_EDIT_MYPROFILE'])) {
// User is linked to contact
return true;
}
return false;
}
private function canAnonymize(PersonInterface $person, TokenInterface $token): bool
{
if ($this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_ANONYMIZE'])
&& $this->canEdit($person, $token)) {
return true;
}
return false;
}
private function canDelete(PersonInterface $person, TokenInterface $token): bool
{
if ($this->canEdit($person, $token) && $this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_DELETE'])) {
return true;
}
return false;
}
private function canEditTroughApi(PersonInterface $person, TokenInterface $token): bool
{
// Anyone can edit persons through the API
// Is there a better way?
return true;
}
}