From 2f9e9c5279a744bcdcf1e42bd186ae08cf83906e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Wed, 2 Nov 2022 23:27:44 +0100
Subject: [PATCH] Made the access to an attachment depending on the access rights of the associated elemenst

---
 src/Security/Voter/AttachmentVoter.php | 40 ++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/src/Security/Voter/AttachmentVoter.php b/src/Security/Voter/AttachmentVoter.php
index 16d9e5b9..ad04010e 100644
--- a/src/Security/Voter/AttachmentVoter.php
+++ b/src/Security/Voter/AttachmentVoter.php
@@ -44,10 +44,23 @@ namespace App\Security\Voter;
 
 use App\Entity\Attachments\Attachment;
 use App\Entity\UserSystem\User;
+use App\Services\PermissionResolver;
+use Doctrine\ORM\EntityManagerInterface;
+
+use Symfony\Component\Security\Core\Security;
+
 use function in_array;
 
 class AttachmentVoter extends ExtendedVoter
 {
+    protected $security;
+
+    public function __construct(PermissionResolver $resolver, EntityManagerInterface $entityManager, Security $security)
+    {
+        parent::__construct($resolver, $entityManager);
+        $this->security = $security;
+    }
+
     /**
      * Similar to voteOnAttribute, but checking for the anonymous user is already done.
      * The current user (or the anonymous user) is passed by $user.
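Review bot: The new `protected $security;` property is untyped, so nothing stops a subclass or a later refactor from assigning something other than the `Security` service the constructor injects; the rest of the constructor signature is fully typed, so declare it as `protected Security $security;` (the file already relies on scalar and class type hints, so a typed property is consistent with its level). The two blank lines inserted inside the `use` block split the class imports into three groups for no reason and are the kind of thing a PER-CS fixer would flatten; keeping the imports as one alphabetised group is clearer. The class body of `AttachmentVoter` continues outside this hunk.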
@@ -56,7 +69,29 @@ class AttachmentVoter extends ExtendedVoter
      */
     protected function voteOnUser(string $attribute, $subject, User $user): bool
     {
-        return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;
+        //return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;
+
+        //If the attachment has no element (which should not happen), we deny access, as we can not determine if the user is allowed to access the associated element
+        $target_element = $subject->getElement();
+        if (! $subject instanceof Attachment || null === $target_element) {
+            return false;
+        }
+
+        //Depending on the operation delegate either to the attachments element or to the attachment permission
+        switch ($attribute) {
+            //We can view the attachment if we can view the element
+            case 'read':
+            case 'view':
+                return $this->security->isGranted('read', $target_element);
+            //We can edit/create/delete the attachment if we can edit the element
+            case 'edit':
+            case 'create':
+            case 'delete':
+                return $this->security->isGranted('edit', $target_element);
+
+            case 'show_private':
+                return $this->resolver->inherit($user, 'attachments', 'show_private') ?? false;
+        }
     }
 
     /**
@@ -70,7 +105,8 @@ class AttachmentVoter extends ExtendedVoter
     protected function supports(string $attribute, $subject): bool
     {
         if (is_a($subject, Attachment::class, true)) {
-            return in_array($attribute, $this->resolver->listOperationsForPermission('attachments'), false);
+            //These are the allowed attributes
+            return in_array($attribute, ['view', 'edit', 'delete', 'create', 'show_private'], true);
         }
 
         //Allow class name as subject
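Review bot: `$subject->getElement()` is called before the `$subject instanceof Attachment` guard that follows it, and `supports()` (visible in the next hunk) deliberately admits the class-name string as a subject, so a `create` check against `Attachment::class` reaches this method with a string and dies with an Error instead of being denied; the instanceof test has to come first. The `switch` has no `default`, so any attribute that slips past `supports()` falls off the end of a `: bool` method, which in PHP raises a TypeError at the decision point rather than returning a deny — add `default: return false;` so the voter fails closed. The commented-out `//return $this->resolver->inherit(...)` line should be deleted rather than kept as dead history. Note also that `$this->security->isGranted()` decides against the token currently in the token storage, whereas the docblock says `$user` may be the anonymous user substituted by the base class; if those can differ (I cannot see `ExtendedVoter` here), the read/edit branches silently ignore the `$user` they were asked about, and `show_private` grants on the attachments permission alone without requiring read access to the element it belongs to — worth confirming both are intended.
```php
    protected function voteOnUser(string $attribute, $subject, User $user): bool
    {
        // supports() also accepts the class-name string as subject; guard before dereferencing
        if (!$subject instanceof Attachment) {
            return false;
        }
        // Without an owning element we cannot derive any permission, so deny
        $target_element = $subject->getElement();
        if (null === $target_element) {
            return false;
        }

        switch ($attribute) {
            // … unchanged: read/view, edit/create/delete and show_private cases …
            default:
                // fail closed instead of falling off the end of a bool-returning method
                return false;
        }
    }
```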
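Review bot: The hard-coded attribute list in `supports()` omits `'read'`, yet `voteOnUser()` in the previous hunk has an explicit `case 'read':`, so that branch is unreachable through this voter while callers that ask for `read` on an attachment get an abstain rather than the element-based answer — either add `'read'` to the list or drop the case so the two stay in step. Replacing `listOperationsForPermission('attachments')` with a literal also means a new operation added to the `attachments` permission configuration is no longer picked up here and the voter silently abstains for it; if that is deliberate, a comment saying the list is intentionally fixed because the decisions are now derived from the element would stop the next maintainer from "fixing" it back. Pulling the list into `private const SUPPORTED_ATTRIBUTES = ['view', 'edit', 'delete', 'create', 'show_private'];` and using it in both `supports()` and as the exhaustive set for the `switch` would give one source of truth. The body of `supports()` continues past the end of this hunk.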