src/Security/Voter/UserRequest/UserRequestVoter.php line 14

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter\UserRequest;
  5. use App\Entity\User;
  6. use App\Manager\UserRightsManagerInterface;
  7. use Psr\Log\LoggerInterface;
  8. use Symfony\Component\PropertyAccess\PropertyAccess;
  9. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. use WebServiceCollectionBundle\Model\AtlasPce\UserRequestRequestContext;
  12. use WebServiceCollectionBundle\Model\AtlasPce\UserRequestRequestModel;
  14. class UserRequestVoter extends Voter
  15. {
  16.     public const VIEW_REQUEST_ATTR 'VIEW_REQUEST';
  18.     /**
  19.      * @var LoggerInterface
  20.      */
  21.     protected $logger;
  23.     public function __construct(
  24.         LoggerInterface $logger
  25.     ) {
  26.         $this->logger            $logger;
  27.     }
  29.     /**
  30.      * {@inheritdoc}
  31.      */
  32.     public function supports($attribute$subject)
  33.     {
  34.         $isView           = static::VIEW_REQUEST_ATTR === $attribute;
  35.         $isSubjectUrModel = ($subject instanceof UserRequestRequestModel);
  37.         return $isView && $isSubjectUrModel;
  38.     }
  40.     /**
  41.      * {@inheritdoc}
  42.      */
  43.     public function voteOnAttribute($attribute$subjectTokenInterface $token)
  44.     {
  45.         $user $token->getUser();
  47.         switch ($attribute) {
  48.             case static::VIEW_REQUEST_ATTR:
  49.                 return $this->mayView($subject$user);
  50.         }
  52.         throw new \LogicException('This code should not be reached!');
  53.     }
  55.     /**
  56.      * Test if a user is allowed to view a request.
  57.      *
  58.      * @param  UserRequestRequestModel  $subject
  59.      * @param  User                     $tokenAttributes
  60.      *
  61.      * @return bool
  62.      */
  63.     protected function mayView(UserRequestRequestModel $requestUser $user): bool
  64.     {
  65.         $propertyAccessor PropertyAccess::createPropertyAccessor();
  66.         $userRoles        $user->getRoles();
  68.         $userIsAdminOrSuezOrManager = (count(array_intersect(
  69.             $userRoles,
  70.             [
  71.                 UserRightsManagerInterface::ROLE_ADMIN,
  72.                 UserRightsManagerInterface::ROLE_SUEZ,
  73.                 UserRightsManagerInterface::ROLE_MANAGER,
  74.             ]
  75.         )));
  77.         $userId            $user->getId(); // use for validation
  78.         $requestId         $request->getId(); // just for logging purposes
  79.         $requestContexts   $request->getContexts();
  80.         $requestData       $request->getData();
  81.         $requestCreatorId  $propertyAccessor->getValue($requestData'[userId]');
  83.         // Logging time
  84.         $loggableContexts array_map(function(UserRequestRequestContext $context) {
  85.             return $context->getEnvelope();
  86.         }, $requestContexts);
  88.         $this->logger->info('[UserRequestVoter] Logged user Id: {userId}', ['userId' => $userId ]);
  89.         $this->logger->info('[UserRequestVoter] Request creator id: {requestCreatorId}', ['requestCreatorId' => $requestCreatorId ]);
  90.         $this->logger->info('[UserRequestVoter] Request Id: {requestId}', ['requestId' => $requestId ]);
  91.         $this->logger->info('[UserRequestVoter] Request contexts: {requestContexts}', [
  92.             'requestContexts' => json_encode($loggableContexts)
  93.         ]);
  95.         // Voting time
  97.         // Admins can see everything
  98.         if ($userIsAdminOrSuezOrManager) {
  99.             $this->logger->info('[UserRequestVoter] User is admin');
  101.             return true;
  102.         }
  104.         $this->logger->info('[UserRequestVoter] User is not an admin');
  106.         $areaRights        $user->getAreaRights();
  107.         $userNarrowestArea $areaRights->getNarrowestRight();
  109.         $this->logger->info('[UserRequestVoter] User narrowest area: {area}', ['area' => json_encode($userNarrowestArea) ]);
  111.         // Look if any context ID matches the user's narrowest area
  113.         $matchedContext array_filter($requestContexts, function (UserRequestRequestContext $context) use ($userNarrowestArea) {
  114.             return $context->getId() === $userNarrowestArea['id'];
  115.         });
  117.         $this->logger->info('[UserRequestVoter] matched: {matchedContext}', ['matchedContext' => json_encode($matchedContext) ]);
  119.         // If there is one context left, then the request is within the user's area.
  120.         if (!empty($matchedContext)) {
  121.             $this->logger->info('[UserRequestVoter] Request in user area');
  123.             return true;
  124.         }
  126.         $this->logger->info('[UserRequestVoter] Request not in user area');
  128.         // If the user is the creator of the request, they may view it.
  129.         if ((string) $userId === (string) $requestCreatorId) {
  130.             $this->logger->info('[UserRequestVoter] User created request');
  132.             return true;
  133.         }
  135.         $this->logger->info('[UserRequestVoter] User {id} did not create request (by {creator})', [
  136.             'id'      => $userId,
  137.             'creator' => $requestCreatorId,
  138.         ]);
  140.         // Otherwise, user may not see the request.
  141.         return false;
  142.     }
  143. }