Part-DB.Part-DB-server/src/Security/Voter/AttachmentVoter.php

<?php
/**
 * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
 *
 * Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published
 * by the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

declare(strict_types=1);

/**
 * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
 *
 * Copyright (C) 2019 Jan Böhmer (https://github.com/jbtronics)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
 */

namespace App\Security\Voter;

use App\Entity\Attachments\Attachment;
use App\Entity\UserSystem\User;
use App\Services\UserSystem\PermissionManager;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\Security\Core\Security;

use function in_array;

class AttachmentVoter extends ExtendedVoter
{
    protected $security;

    public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, Security $security)
    {
        parent::__construct($resolver, $entityManager);
        $this->security = $security;
    }

    /**
     * Similar to voteOnAttribute, but checking for the anonymous user is already done.
     * The current user (or the anonymous user) is passed by $user.
     *
     * @param  string  $attribute
     */
    protected function voteOnUser(string $attribute, $subject, User $user): bool
    {
        //return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;

        //If the attachment has no element (which should not happen), we deny access, as we can not determine if the user is allowed to access the associated element
        $target_element = $subject->getElement();
        if (! $subject instanceof Attachment || null === $target_element) {
            return false;
        }

        //Depending on the operation delegate either to the attachments element or to the attachment permission
        switch ($attribute) {
            //We can view the attachment if we can view the element
            case 'read':
            case 'view':
                return $this->security->isGranted('read', $target_element);
            //We can edit/create/delete the attachment if we can edit the element
            case 'edit':
            case 'create':
            case 'delete':
                return $this->security->isGranted('edit', $target_element);

            case 'show_private':
                return $this->resolver->inherit($user, 'attachments', 'show_private') ?? false;
        }

        throw new \RuntimeException('Encountered unknown attribute "'.$attribute.'" in AttachmentVoter!');
    }

    /**
     * Determines if the attribute and subject are supported by this voter.
     *
     * @param  string  $attribute An attribute
     * @param mixed  $subject   The subject to secure, e.g. an object the user wants to access or any other PHP type
     *
     * @return bool True if the attribute and subject are supported, false otherwise
     */
    protected function supports(string $attribute, $subject): bool
    {
        if (is_a($subject, Attachment::class, true)) {
            //These are the allowed attributes
            return in_array($attribute, ['read', 'view', 'edit', 'delete', 'create', 'show_private'], true);
        }

        //Allow class name as subject
        return false;
    }
}
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`<?php`
Changed license to AGPL3+ 2020-02-22 18:14:36 +01:00			`/**`
			`* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).`
			`*`
			`* Copyright (C) 2019 - 2020 Jan Böhmer (https://github.com/jbtronics)`
			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as published`
			`* by the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`*/`
Applied code style rules to src/ 2020-01-05 15:46:58 +01:00
			`declare(strict_types=1);`

Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`/**`
Added an PHP CS fixer config file and applied it to files. We now use the same the same style as the symfony project, and it allows us to simply fix the style by executing php_cs_fixer fix in the project root. 2019-11-09 00:47:20 +01:00			`* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`*`
Updated copyright headers. 2019-11-01 13:40:30 +01:00			`* Copyright (C) 2019 Jan Böhmer (https://github.com/jbtronics)`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`*`
			`* This program is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU General Public License`
			`* as published by the Free Software Foundation; either version 2`
			`* of the License, or (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, write to the Free Software`
			`* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA`
			`*/`

			`namespace App\Security\Voter;`

Added entities and properties for some future features. 2019-08-12 15:47:57 +02:00			`use App\Entity\Attachments\Attachment;`
			`use App\Entity\UserSystem\User;`
Renamed PermissionResolver service to PermissionService 2022-11-14 20:15:06 +01:00			`use App\Services\UserSystem\PermissionManager;`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`use Doctrine\ORM\EntityManagerInterface;`
			`use Symfony\Component\Security\Core\Security;`

Applied symplify rules to codebase. 2020-01-05 22:49:00 +01:00			`use function in_array;`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00
			`class AttachmentVoter extends ExtendedVoter`
			`{`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`protected $security;`

Renamed PermissionResolver service to PermissionService 2022-11-14 20:15:06 +01:00			`public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, Security $security)`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`{`
			`parent::__construct($resolver, $entityManager);`
			`$this->security = $security;`
			`}`

Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`/**`
			`* Similar to voteOnAttribute, but checking for the anonymous user is already done.`
			`* The current user (or the anonymous user) is passed by $user.`
			`*`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`* @param string $attribute`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`*/`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`protected function voteOnUser(string $attribute, $subject, User $user): bool`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`{`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`//return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;`

			`//If the attachment has no element (which should not happen), we deny access, as we can not determine if the user is allowed to access the associated element`
			`$target_element = $subject->getElement();`
			`if (! $subject instanceof Attachment \|\| null === $target_element) {`
			`return false;`
			`}`

			`//Depending on the operation delegate either to the attachments element or to the attachment permission`
			`switch ($attribute) {`
			`//We can view the attachment if we can view the element`
			`case 'read':`
			`case 'view':`
			`return $this->security->isGranted('read', $target_element);`
			`//We can edit/create/delete the attachment if we can edit the element`
			`case 'edit':`
			`case 'create':`
			`case 'delete':`
			`return $this->security->isGranted('edit', $target_element);`

			`case 'show_private':`
			`return $this->resolver->inherit($user, 'attachments', 'show_private') ?? false;`
			`}`
Fixed PHPstan issues 2022-11-27 16:53:44 +01:00
			`throw new \RuntimeException('Encountered unknown attribute "'.$attribute.'" in AttachmentVoter!');`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`}`

			`/**`
			`* Determines if the attribute and subject are supported by this voter.`
			`*`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`* @param string $attribute An attribute`
Added an PHP CS fixer config file and applied it to files. We now use the same the same style as the symfony project, and it allows us to simply fix the style by executing php_cs_fixer fix in the project root. 2019-11-09 00:47:20 +01:00			`* @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`*`
			`* @return bool True if the attribute and subject are supported, false otherwise`
			`*/`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`protected function supports(string $attribute, $subject): bool`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`{`
Check permissions for time travel and element undo. 2020-03-07 20:49:52 +01:00			`if (is_a($subject, Attachment::class, true)) {`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`//These are the allowed attributes`
Fixed access to typeahead controllers. 2022-11-09 23:33:50 +01:00			`return in_array($attribute, ['read', 'view', 'edit', 'delete', 'create', 'show_private'], true);`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`}`

Check permissions for time travel and element undo. 2020-03-07 20:49:52 +01:00			`//Allow class name as subject`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`return false;`
			`}`
Added an PHP CS fixer config file and applied it to files. We now use the same the same style as the symfony project, and it allows us to simply fix the style by executing php_cs_fixer fix in the project root. 2019-11-09 00:47:20 +01:00			`}`