src/Security/Voter/DocumentVoter.php line 13

  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\Document;
  6. use App\Enum\RoleType;
  7. use Symfony\Bundle\SecurityBundle\Security;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  10. use Symfony\Component\Security\Core\User\UserInterface;
  11. use function PHPUnit\Framework\isInstanceOf;
  13. class DocumentVoter extends Voter
  14. {
  15.     public const EDIT 'DOCUMENT_EDIT';
  16.     public const SHOW 'DOCUMENT_SHOW';
  17.     public const DELETE 'DOCUMENT_DELETE';
  19.     private $security;
  21.     public function __construct(Security $security)
  22.     {
  23.         $this->security $security;
  24.     }
  26.     protected function supports(string $attributemixed $subject): bool
  27.     {
  28. //        dd($subject);
  29.         return in_array($attribute, [self::EDITself::SHOWself::DELETE]) &&
  30.             isInstanceOf(Document::class);
  31.     }
  33.     /**
  34.      * @param string $attribute
  35.      * @param array $subject
  36.      * @param TokenInterface $token
  37.      * @return bool
  38.      */
  39.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  40.     {
  41.         $user $token->getUser();
  42.         // if the user is anonymous, do not grant access
  43.         if (!$user instanceof UserInterface) {
  44.             return false;
  45.         }
  47.         /**
  48.          * @var $isRelated bool controls if the document belongs to the student or parent
  49.          * @var $allow bool controls if the user is allowed to access the document
  50.          * both variables will help determine who can access the document
  51.          */
  52.         $isRelated false;
  53.         $allow false;
  55.         // Who it belongs to:
  56.         // Does it belong to a student?
  57.         if ($subject['document']->getStudent()) {
  58.             // does it belong to the student itself?
  59.             if ($subject['document']->getStudent()->getId() === $subject['id']) {
  60.                 $isRelated true;
  61.                 // Who can access it
  62.                 // Currently only the guardian who made the document can access it
  63.                 // When Parent and Student are associated to User, they should be able to access their related documents
  64.                 // Is the user the guardian who made this document?
  65.                 if ($user === $subject['document']->getStudent()->getGuardian()->getUser()) {
  66.                     $allow true;
  67.                 }
  69.             }
  70.         } // Does it belong to a parent?
  71.         elseif ($subject['document']->getParentalDocument()) {
  72.             // does it belong to the parent itself?
  73.             if ($subject['document']->getParentalDocument()->getParentData()->getId() === $subject['id']) {
  74.                 $isRelated true;
  75.                 // Is the user the guardian who made this document?
  76.                 if ($user === $subject['document']->getParentalDocument()->getParentData()->getGuardian()->getUser()) {
  77.                     $allow true;
  78.                 }
  79.             }
  80.         } else
  81.             return false;
  83.         $accessIsGranted = match ($attribute) {
  84.             'DOCUMENT_SHOW' =>
  85.                 $allow
  86.                 ||
  87.                 $isRelated && (
  88.                     $this->security->isGranted(RoleType::ROLE_ADMIN) ||
  89.                     $this->security->isGranted(RoleType::ROLE_EMPLOYEE) ||
  90.                     $this->security->isGranted(RoleType::ROLE_FINANCIAL_DIRECTOR) ||
  91.                     $this->security->isGranted(RoleType::ROLE_PEDAGOGICAL_DIRECTOR)
  92.                 ),
  94.             'DOCUMENT_EDIT' =>
  95.                 $allow
  96.                 ||
  97.                 $isRelated && $this->security->isGranted(RoleType::ROLE_ADMIN),
  98.             'DOCUMENT_DELETE' => $isRelated && $this->security->isGranted(RoleType::ROLE_ADMIN),
  99.         };
  100.         return $accessIsGranted;
  101.     }
  103. }