<?php
namespace App\Security;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
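class RecordVoter extends Voter
{
    /**
     * Attribute -> ACL action name passed to strategic_plan_utils::hasAccessToRole().
     */
    private const ACTIONS = [
        'RECORD_CREATE' => 'create',
        'RECORD_VIEW'   => 'view',
        'RECORD_EDIT'   => 'edit',
        'RECORD_DELETE' => 'delete',
    ];

    /** @var ContainerInterface */
    private $container;

    /**
     * @param ContainerInterface $container used to resolve the 'strategic_plan_utils' service at vote time
     */
    public function __construct(ContainerInterface $container)
    {
        $this->container = $container;
    }

    /**
     * Record based voter: supports CREATE, VIEW, EDIT and DELETE.
     *
     * RECORD_DELETE is included here because voteOnAttribute() already evaluates
     * it; without it the voter silently abstained on delete checks instead of
     * applying the role/record ACL.
     *
     * @param string $attribute
     * @param mixed  $subject   array with 'module' and, for record-level checks, 'record_id'
     */
    protected function supports($attribute, $subject): bool
    {
        // strict: a non-string attribute must never loosely match one of the names
        return in_array($attribute, array_keys(self::ACTIONS), true);
    }

    /**
     * Decide access for the user based on the permission set for the user's role;
     * for VIEW, EDIT and DELETE the securitygroups_records assignment is also consulted
     * when the role override says "owner/group" (80).
     *
     * Anything that cannot be evaluated (missing module, unsupported attribute,
     * non-object user, record-level check without a record id) is denied.
     *
     * @param string         $attribute one of the keys of self::ACTIONS
     * @param mixed          $object    array with 'module' and optionally 'record_id'
     * @param TokenInterface $token     current security token
     */
    protected function voteOnAttribute($attribute, $object, TokenInterface $token): bool
    {
        $module = isset($object['module']) ? $object['module'] : null;
        $record_id = isset($object['record_id']) ? $object['record_id'] : null;

        // Without a module there is nothing to look up; deny rather than query with null.
        if ($module === null || !isset(self::ACTIONS[$attribute])) {
            return false;
        }

        $user = $token->getUser();
        // Unauthenticated tokens carry a string/null user that has no getID().
        if (!is_object($user)) {
            return false;
        }

        $suiteUtils = $this->container->get('strategic_plan_utils');

        // For all actions, check the access set for the role first.
        $result_access = $suiteUtils->hasAccessToRole($user->getID(), $module, self::ACTIONS[$attribute]);

        // CREATE has no record to check: any non-negative override grants it outright.
        if ($attribute === 'RECORD_CREATE') {
            foreach ($result_access as $row) {
                if ((int) $row['access_override'] >= 0) {
                    return true;
                }
            }
        }

        // For view, edit and delete, also check with security groups.
        // NOTE(review): rows are evaluated in the order returned and the last one wins,
        // so a "none" row followed by a "not set" row results in access — confirm this
        // precedence is intended.
        $has_access = false;
        foreach ($result_access as $row) {
            switch ((int) $row['access_override']) {
                case -99: // "none": deny
                    $has_access = false;
                    break;
                case 0: // "not set": grant
                    $has_access = true;
                    break;
                case 75: // "user": deny
                    $has_access = false;
                    break;
                case 80: // "owner/group": defer to securitygroups_records
                    // No record id means the record-level check cannot be made; deny.
                    $has_access = $record_id !== null
                        && $suiteUtils->hasAccessToRecord($user->getID(), $record_id);
                    break;
                case 90: // "all": grant
                    $has_access = true;
                    break;
            }
        }

        return $has_access;
    }
}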