mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-24 18:58:46 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Made the access to an attachment depending on the access rights of the associated elemenst

Browse source
This commit is contained in:
Jan Böhmer 2022-11-02 23:27:44 +01:00
parent 676235a2d3
commit 2f9e9c5279
1 changed files with 38 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

40
src/Security/Voter/AttachmentVoter.php
View file

@ -44,10 +44,23 @@ namespace App\Security\Voter;
use App\Entity\Attachments\Attachment;
use App\Entity\UserSystem\User;
use App\Services\PermissionResolver;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\Security\Core\Security;
use function in_array;
class AttachmentVoter extends ExtendedVoter
{
protected $security;
public function __construct(PermissionResolver $resolver, EntityManagerInterface $entityManager, Security $security)
{
parent::__construct($resolver, $entityManager);
$this->security = $security;
}
/**
* Similar to voteOnAttribute, but checking for the anonymous user is already done.
* The current user (or the anonymous user) is passed by $user.
@ -56,7 +69,29 @@ class AttachmentVoter extends ExtendedVoter
*/
protected function voteOnUser(string $attribute, $subject, User $user): bool
{
return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;
//return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;
//If the attachment has no element (which should not happen), we deny access, as we can not determine if the user is allowed to access the associated element
$target_element = $subject->getElement();
if (! $subject instanceof Attachment || null === $target_element) {
return false;
}
//Depending on the operation delegate either to the attachments element or to the attachment permission
switch ($attribute) {
//We can view the attachment if we can view the element
case 'read':
case 'view':
return $this->security->isGranted('read', $target_element);
//We can edit/create/delete the attachment if we can edit the element
case 'edit':
case 'create':
case 'delete':
return $this->security->isGranted('edit', $target_element);
case 'show_private':
return $this->resolver->inherit($user, 'attachments', 'show_private') ?? false;
}
}
/**
@ -70,7 +105,8 @@ class AttachmentVoter extends ExtendedVoter
protected function supports(string $attribute, $subject): bool
{
if (is_a($subject, Attachment::class, true)) {
return in_array($attribute, $this->resolver->listOperationsForPermission('attachments'), false);
//These are the allowed attributes
return in_array($attribute, ['view', 'edit', 'delete', 'create', 'show_private'], true);
}
//Allow class name as subject