Added permission checking for part price edit page.

2025-07-01 14:04:30 +02:00 · 2019-09-13 17:46:26 +02:00 · 2019-09-13 17:46:26 +02:00 · 3374153b73
commit 3374153b73
parent da14ee942d
5 changed files with 101 additions and 10 deletions
--- a/src/Security/Voter/PermissionVoter.php
+++ b/src/Security/Voter/PermissionVoter.php
@ -0,0 +1,81 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Security\Voter;
+
+
+use App\Entity\UserSystem\User;
+
+/**
+ * This voter allows you to directly check permissions from the permission structure, without passing an object.
+ * However you should use the "normal" object based voters if possible, because they are needed for a future ACL system.
+ * @package App\Security\Voter
+ */
+class PermissionVoter extends ExtendedVoter
+{
+
+    /**
+     * Similar to voteOnAttribute, but checking for the anonymous user is already done.
+     * The current user (or the anonymous user) is passed by $user.
+     *
+     * @param $attribute
+     * @param $subject
+     * @param User $user
+     *
+     * @return bool
+     */
+    protected function voteOnUser($attribute, $subject, User $user): bool
+    {
+        $attribute = ltrim($attribute, '@');
+        [$perm, $op] = explode('.', $attribute);
+        return $this->resolver->inherit($user, $perm, $op);
+    }
+
+    /**
+     * Determines if the attribute and subject are supported by this voter.
+     *
+     * @param string $attribute An attribute
+     * @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type
+     *
+     * @return bool True if the attribute and subject are supported, false otherwise
+     */
+    protected function supports($attribute, $subject)
+    {
+        //Check if the attribute has the form @permission.operation
+        if (preg_match('/^@\\w+\\.\\w+$/', $attribute)) {
+            $attribute = ltrim($attribute, '@');
+            [$perm, $op] = explode('.', $attribute);
+            return $this->resolver->isValidOperation($perm, $op);
+        }
+
+        return false;
+    }
+}
--- a/src/Security/Voter/StructureVoter.php
+++ b/src/Security/Voter/StructureVoter.php
@ -56,9 +56,11 @@ class StructureVoter extends ExtendedVoter
     */
    protected function supports($attribute, $subject)
    {
-        $permission_name = $this->instanceToPermissionName($subject);
-        //If permission name is null, then the subject is not supported
-        return ($permission_name !== null) && $this->resolver->isValidOperation($permission_name, $attribute);
+        if(is_object($subject)) {
+            $permission_name = $this->instanceToPermissionName($subject);
+            //If permission name is null, then the subject is not supported
+            return ($permission_name !== null) && $this->resolver->isValidOperation($permission_name, $attribute);
+        }

    }