src/Security/RecordVoter.php line 11

Open in your IDE?
  1. <?php
  3. namespace App\Security;
  5. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  6. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  7. use Symfony\Component\Security\Core\User\UserInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  9. use Symfony\Component\DependencyInjection\ContainerInterface;
  11. class RecordVoter extends Voter
  12. {
  13.     private $container;
  15.    public function __construct(ContainerInterface $container)
  16.    {
  17.        $this->container $container;
  18.    }
  20.     /*
  21.      * Record based should support CREATE, VIEW, EDIT, DELETE
  22.      */
  23.     protected function supports($attribute$subject)
  24.     {
  25.         return in_array($attribute, ['RECORD_EDIT''RECORD_VIEW''RECORD_CREATE']);
  26.     }
  28.     /*
  29.      * Check if we return access for user based on the permission set for user role
  30.      * for VIEW, EDIT, DELETE, we should also check securitygroups_records for permission
  31.      */
  32.     protected function voteOnAttribute($attribute$objectTokenInterface $token)
  33.     {
  34.         $module $object['module'];
  35.         if(isset($object['record_id'])){
  36.             $record_id $object['record_id'];
  37.         }
  38.         $has_access false;
  40.         $suiteUtils $this->container->get('strategic_plan_utils');
  41.         $user $token->getUser();
  42.         $result_access = array();
  44.         //For all actions, we need to check access set for role first
  45.         switch ($attribute) {
  46.             case "RECORD_CREATE":
  47.                 $result_access $suiteUtils->hasAccessToRole($user->getID(), $module'create');
  49.                 foreach ($result_access as $row) {
  50.                     if ($row['access_override'] >= 0) {
  51.                         return true;
  52.                     }
  53.                 }
  54.                 break;
  56.             case "RECORD_VIEW":
  57.                 $result_access $suiteUtils->hasAccessToRole($user->getID(), $module'view');
  58.                 break;
  60.             case "RECORD_EDIT":
  61.                 $result_access $suiteUtils->hasAccessToRole($user->getID(), $module'edit');
  62.                 break;
  64.             case "RECORD_DELETE":
  65.                 $result_access $suiteUtils->hasAccessToRole($user->getID(), $module'delete');
  66.                 break;
  67.             default:
  68.         }
  70.         //For view, edit and delete, we also need to check with security groups
  71.         foreach($result_access as $row) {
  72.             switch ($row['access_override']) {
  73.                 case -99//if "none" then deny access
  74.                     $has_access false;
  75.                     break;
  76.                 case 0//if "not set" then grant access
  77.                     $has_access true;
  78.                     break;
  79.                 case 75:  //if "user" then deny access
  80.                     $has_access false;
  81.                     break;
  82.                 case 80:
  83.                     $has_access=$suiteUtils->hasAccessToRecord($user->getID(), $record_id);
  84.                     break;
  85.                 case 90// if "all" then grant access
  86.                     $has_access true;
  87.                     break;
  88.             }
  89.         }
  91.         return $has_access;
  92.     }
  95. }