<?phpnamespace DW\GingerBundle\Security;use DW\GingerBundle\Entity\PersonInterface;use DW\GingerBundle\Entity\User;use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;use Symfony\Component\Security\Core\Authorization\Voter\Voter;use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;use DW\GingerBundle\Entity\GroupInterface;class PersonVoter extends Voter{ const VIEW = 'view'; const EDIT = 'edit'; const CREATE = 'create'; const FIND = 'find'; const ANONYMIZE = 'anonymize'; const DELETE = 'delete'; const EDIT_TROUGH_API = 'editTroughApi'; private AccessDecisionManagerInterface $decisionManager; public function __construct(AccessDecisionManagerInterface $decisionManager) { $this->decisionManager = $decisionManager; } protected function supports($attribute, $subject): bool { // if the attribute isn't one we support, return false if (!in_array($attribute, array(self::VIEW, self::FIND, self::EDIT, self::CREATE, self::ANONYMIZE, self::DELETE, self::EDIT_TROUGH_API))) { return false; } // only vote on person objects inside this voter if (!$subject instanceof PersonInterface) { return false; } return true; } protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool { $user = $token->getUser(); if (!$user instanceof User) { // the user must be logged in; if not, deny access return false; } /** @var PersonInterface $person */ $person = $subject; switch ($attribute) { case self::VIEW: return $this->canView($person, $token); case self::FIND: return $this->canFind($person, $token); case self::EDIT: return $this->canEdit($person, $token); case self::CREATE: return $this->canCreate($person, $token); case self::ANONYMIZE: return $this->canAnonymize($person, $token); case self::DELETE: return $this->canDelete($person, $token); case self::EDIT_TROUGH_API: return $this->canEditTroughApi($person, $token); } throw new \LogicException('This code should not be reached!'); } private function canCreate(PersonInterface $person, TokenInterface $token): bool { if ($this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_CREATE'])) { return true; } return false; } private function canView(PersonInterface $person, TokenInterface $token): bool { $user = $token->getUser(); if ($user->isGod()) { return true; } // Users groups must share at least one tag with person /**@var GroupInterface $group */ foreach ($user->getGroups() as $group) { foreach ($group->getTags() as $groupTag) { if ($person->getTags()->contains($groupTag)) { return true; } } } return false; } private function canFind(PersonInterface $person, TokenInterface $token): bool { /* * Temporarily, all registered users may find any persons. * Review/Discussion to be done as part of #22083 et.al. * * @see https://mantis.dwerk.at/view.php?id=22083 */ if ($this->canView($person, $token) || $this->decisionManager->decide($token, ['ROLE_USER'])) { return true; } return false; } private function canEdit(PersonInterface $person, TokenInterface $token): bool { $user = $token->getUser(); if ($this->canView($person, $token) && $this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_EDIT'])) { return true; } if ($user->getPerson() === $token->getUser() && $this->decisionManager->decide($token, ['ROLE_GINGER_USER_EDIT_MYPROFILE'])) { // User is linked to contact return true; } return false; } private function canAnonymize(PersonInterface $person, TokenInterface $token): bool { if ($this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_ANONYMIZE']) && $this->canEdit($person, $token)) { return true; } return false; } private function canDelete(PersonInterface $person, TokenInterface $token): bool { if ($this->canEdit($person, $token) && $this->decisionManager->decide($token, ['ROLE_GINGER_CONTACT_DELETE'])) { return true; } return false; } private function canEditTroughApi(PersonInterface $person, TokenInterface $token): bool { // Anyone can edit persons through the API // Is there a better way? return true; }}