src/Security/Voter/EnrollmentVoter.php line 13

  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\Enrollment;
  6. use App\Enum\RoleType;
  7. use Doctrine\ORM\NonUniqueResultException;
  8. use Symfony\Bundle\SecurityBundle\Security;
  9. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. use Symfony\Component\Security\Core\User\UserInterface;
  13. /**
  14. * @extends Voter<string, Enrollment>
  15. */
  16. class EnrollmentVoter extends Voter
  17. {
  18. public const EDIT = 'ENROLLMENT_EDIT';
  19. public const NEW = 'ENROLLMENT_NEW';
  20. public const VIEW = 'ENROLLMENT_VIEW';
  21. public const INDEX = 'ENROLLMENT_INDEX';
  22. public const SUBMIT = 'ENROLLMENT_SUBMIT';
  23. public const APPROVE = 'ENROLLMENT_APPROVE';
  24. public const RENEW = 'ENROLLMENT_RENEW';
  27. public function __construct(private readonly Security $security)
  28. {
  29. }
  31. protected function supports(string $attribute, mixed $subject): bool
  32. {
  33. if ($subject !== null) {
  34. return in_array($attribute, [self::EDIT, self::INDEX, self::VIEW, self::SUBMIT, self::APPROVE, self::RENEW])
  35. && $subject instanceof Enrollment;
  36. } else {
  37. return in_array($attribute, [
  38. self::EDIT,
  39. self::INDEX,
  40. self::VIEW,
  41. self::SUBMIT,
  42. self::APPROVE,
  43. self::RENEW
  44. ]);
  45. }
  46. }
  48. /**
  49. * @param mixed $subject is the Enrollment
  50. * @throws NonUniqueResultException
  51. */
  52. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  53. {
  54. $user = $token->getUser();
  55. // if the user is anonymous, do not grant access
  56. if (!$user instanceof UserInterface) {
  57. return false;
  58. }
  61. return match ($attribute) {
  62. // Who can view a certain enrollment and edit it:
  63. // Who can create and approve a new enrollment manually:
  64. 'ENROLLMENT_VIEW', 'ENROLLMENT_EDIT', 'ENROLLMENT_NEW', 'ENROLLMENT_APPROVE' =>
  65. $this->security->isGranted(RoleType::ROLE_PEDAGOGICAL_DIRECTOR) ||
  66. $this->security->isGranted(RoleType::ROLE_FINANCIAL_DIRECTOR) ||
  67. $this->security->isGranted(RoleType::ROLE_EMPLOYEE),
  69. // Who can view the list of enrollments:
  70. 'ENROLLMENT_INDEX' =>
  71. $this->security->isGranted(RoleType::ROLE_PEDAGOGICAL_DIRECTOR) ||
  72. $this->security->isGranted(RoleType::ROLE_FINANCIAL_DIRECTOR) ||
  73. $this->security->isGranted(RoleType::ROLE_EMPLOYEE) ||
  74. $this->security->isGranted(RoleType::ROLE_GUARDIAN),
  76. // Who can submit an enrollment:
  77. 'ENROLLMENT_SUBMIT' =>
  78. $this->security->isGranted(RoleType::ROLE_EMPLOYEE),
  80. // Who can renew an enrollment:
  81. 'ENROLLMENT_RENEW' =>
  82. $this->security->isGranted(RoleType::ROLE_EMPLOYEE) ||
  83. ($this->security->isGranted(RoleType::ROLE_GUARDIAN) &&
  84. $subject->getGuardian()->getUser()
  85. === $user), // Guardian(user) who submitted the enrollment
  87. default => false,
  88. };
  89. }
  90. }