From 6be55d18371db77cf72f0547f909f2c5e52e529e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Mon, 28 Aug 2023 22:00:25 +0200 Subject: [PATCH] Use the new VoterHelper in voters --- src/Security/Voter/AttachmentVoter.php | 25 +++---- src/Security/Voter/ExtendedVoter.php | 68 ------------------- src/Security/Voter/GroupVoter.php | 16 +++-- .../Voter/HasAccessPermissionsVoter.php | 15 +++- src/Security/Voter/ImpersonateUserVoter.php | 20 ++---- src/Security/Voter/LabelProfileVoter.php | 14 ++-- src/Security/Voter/LogEntryVoter.php | 20 +++--- src/Security/Voter/OrderdetailVoter.php | 12 ++-- src/Security/Voter/ParameterVoter.php | 12 ++-- src/Security/Voter/PartLotVoter.php | 18 ++--- src/Security/Voter/PartVoter.php | 15 ++-- src/Security/Voter/PermissionVoter.php | 4 +- src/Security/Voter/PricedetailVoter.php | 16 ++--- src/Security/Voter/StructureVoter.php | 16 +++-- src/Security/Voter/UserVoter.php | 23 +++++-- src/Services/UserSystem/VoterHelper.php | 14 ++++ 16 files changed, 146 insertions(+), 162 deletions(-) delete mode 100644 src/Security/Voter/ExtendedVoter.php diff --git a/src/Security/Voter/AttachmentVoter.php b/src/Security/Voter/AttachmentVoter.php index 0b32188c..5750855c 100644 --- a/src/Security/Voter/AttachmentVoter.php +++ b/src/Security/Voter/AttachmentVoter.php @@ -22,6 +22,7 @@ declare(strict_types=1); namespace App\Security\Voter; +use App\Services\UserSystem\VoterHelper; use Symfony\Bundle\SecurityBundle\Security; use App\Entity\Attachments\AttachmentContainingDBElement; use App\Entity\Attachments\Attachment; @@ -37,29 +38,21 @@ use App\Entity\Attachments\ProjectAttachment; use App\Entity\Attachments\StorelocationAttachment; use App\Entity\Attachments\SupplierAttachment; use App\Entity\Attachments\UserAttachment; -use App\Entity\UserSystem\User; -use App\Services\UserSystem\PermissionManager; -use Doctrine\ORM\EntityManagerInterface; use RuntimeException; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; + use function in_array; -class AttachmentVoter extends ExtendedVoter +final class AttachmentVoter extends Voter { - public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, protected Security $security) + public function __construct(private readonly Security $security, private readonly VoterHelper $helper) { - parent::__construct($resolver, $entityManager); } - /** - * Similar to voteOnAttribute, but checking for the anonymous user is already done. - * The current user (or the anonymous user) is passed by $user. - * - * @param string $attribute - */ - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { - //return $this->resolver->inherit($user, 'attachments', $attribute) ?? false; //This voter only works for attachments if (!is_a($subject, Attachment::class, true)) { @@ -67,7 +60,7 @@ class AttachmentVoter extends ExtendedVoter } if ($attribute === 'show_private') { - return $this->resolver->inherit($user, 'attachments', 'show_private') ?? false; + return $this->helper->isGranted($token, 'attachments', 'show_private'); } @@ -113,7 +106,7 @@ class AttachmentVoter extends ExtendedVoter throw new RuntimeException('Encountered unknown Parameter type: ' . $subject); } - return $this->resolver->inherit($user, $param, $this->mapOperation($attribute)) ?? false; + return $this->helper->isGranted($token, $param, $this->mapOperation($attribute)); } return false; diff --git a/src/Security/Voter/ExtendedVoter.php b/src/Security/Voter/ExtendedVoter.php deleted file mode 100644 index 279944fc..00000000 --- a/src/Security/Voter/ExtendedVoter.php +++ /dev/null @@ -1,68 +0,0 @@ -. - */ - -declare(strict_types=1); - -namespace App\Security\Voter; - -use App\Entity\UserSystem\User; -use App\Repository\UserRepository; -use App\Services\UserSystem\PermissionManager; -use Doctrine\ORM\EntityManagerInterface; -use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; -use Symfony\Component\Security\Core\Authorization\Voter\Voter; - -/** - * The purpose of this class is, to use the anonymous user from DB in the case, that nobody is logged in. - */ -abstract class ExtendedVoter extends Voter -{ - public function __construct(protected PermissionManager $resolver, protected EntityManagerInterface $entityManager) - { - } - - final protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool - { - $user = $token->getUser(); - - //An allowed user is not allowed to do anything... - if ($user instanceof User && $user->isDisabled()) { - return false; - } - - // if the user is anonymous (meaning $user is null), we use the anonymous user. - if (!$user instanceof User) { - /** @var UserRepository $repo */ - $repo = $this->entityManager->getRepository(User::class); - $user = $repo->getAnonymousUser(); - if (!$user instanceof User) { - return false; - } - } - - return $this->voteOnUser($attribute, $subject, $user); - } - - /** - * Similar to voteOnAttribute, but checking for the anonymous user is already done. - * The current user (or the anonymous user) is passed by $user. - */ - abstract protected function voteOnUser(string $attribute, $subject, User $user): bool; -} diff --git a/src/Security/Voter/GroupVoter.php b/src/Security/Voter/GroupVoter.php index e1e21543..ef81524f 100644 --- a/src/Security/Voter/GroupVoter.php +++ b/src/Security/Voter/GroupVoter.php @@ -24,18 +24,26 @@ namespace App\Security\Voter; use App\Entity\UserSystem\Group; use App\Entity\UserSystem\User; +use App\Services\UserSystem\VoterHelper; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; -class GroupVoter extends ExtendedVoter +final class GroupVoter extends Voter { + + public function __construct(private readonly VoterHelper $helper) + { + } + /** * Similar to voteOnAttribute, but checking for the anonymous user is already done. * The current user (or the anonymous user) is passed by $user. * * @param string $attribute */ - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { - return $this->resolver->inherit($user, 'groups', $attribute) ?? false; + return $this->helper->isGranted($token, 'groups', $attribute); } /** @@ -49,7 +57,7 @@ class GroupVoter extends ExtendedVoter protected function supports(string $attribute, $subject): bool { if (is_a($subject, Group::class, true)) { - return $this->resolver->isValidOperation('groups', $attribute); + return $this->helper->isValidOperation('groups', $attribute); } return false; diff --git a/src/Security/Voter/HasAccessPermissionsVoter.php b/src/Security/Voter/HasAccessPermissionsVoter.php index 3ea6dd36..8145f7b1 100644 --- a/src/Security/Voter/HasAccessPermissionsVoter.php +++ b/src/Security/Voter/HasAccessPermissionsVoter.php @@ -24,18 +24,27 @@ declare(strict_types=1); namespace App\Security\Voter; use App\Entity\UserSystem\User; +use App\Services\UserSystem\PermissionManager; +use App\Services\UserSystem\VoterHelper; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; /** * This voter implements a virtual role, which can be used if the user has any permission set to allowed. * We use this to restrict access to the homepage. */ -class HasAccessPermissionsVoter extends ExtendedVoter +final class HasAccessPermissionsVoter extends Voter { public const ROLE = "HAS_ACCESS_PERMISSIONS"; - protected function voteOnUser(string $attribute, $subject, User $user): bool + public function __construct(private readonly PermissionManager $permissionManager, private readonly VoterHelper $helper) { - return $this->resolver->hasAnyPermissionSetToAllowInherited($user); + } + + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool + { + $user = $this->helper->resolveUser($token); + return $this->permissionManager->hasAnyPermissionSetToAllowInherited($user); } protected function supports(string $attribute, mixed $subject): bool diff --git a/src/Security/Voter/ImpersonateUserVoter.php b/src/Security/Voter/ImpersonateUserVoter.php index f1392568..00751cfc 100644 --- a/src/Security/Voter/ImpersonateUserVoter.php +++ b/src/Security/Voter/ImpersonateUserVoter.php @@ -25,36 +25,26 @@ namespace App\Security\Voter; use App\Entity\UserSystem\User; use App\Services\UserSystem\PermissionManager; +use App\Services\UserSystem\VoterHelper; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Authorization\Voter\Voter; use Symfony\Component\Security\Core\User\UserInterface; -class ImpersonateUserVoter extends Voter +final class ImpersonateUserVoter extends Voter { - public function __construct(private PermissionManager $permissionManager) + public function __construct(private readonly VoterHelper $helper) { } protected function supports(string $attribute, mixed $subject): bool { - return $attribute == 'CAN_SWITCH_USER' + return $attribute === 'CAN_SWITCH_USER' && $subject instanceof UserInterface; } protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool { - $user = $token->getUser(); - - if (!$user instanceof User || !$subject instanceof UserInterface) { - return false; - } - - //An disabled user is not allowed to do anything... - if ($user->isDisabled()) { - return false; - } - - return $this->permissionManager->inherit($user, 'users', 'impersonate') ?? false; + return $this->helper->isGranted($token, 'users', 'impersonate'); } } \ No newline at end of file diff --git a/src/Security/Voter/LabelProfileVoter.php b/src/Security/Voter/LabelProfileVoter.php index 5a3699a2..7f27d8d0 100644 --- a/src/Security/Voter/LabelProfileVoter.php +++ b/src/Security/Voter/LabelProfileVoter.php @@ -43,8 +43,11 @@ namespace App\Security\Voter; use App\Entity\LabelSystem\LabelProfile; use App\Entity\UserSystem\User; +use App\Services\UserSystem\VoterHelper; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; -class LabelProfileVoter extends ExtendedVoter +final class LabelProfileVoter extends Voter { protected const MAPPING = [ 'read' => 'read_profiles', @@ -55,9 +58,12 @@ class LabelProfileVoter extends ExtendedVoter 'revert_element' => 'revert_element', ]; - protected function voteOnUser(string $attribute, $subject, User $user): bool + public function __construct(private readonly VoterHelper $helper) + {} + + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { - return $this->resolver->inherit($user, 'labels', self::MAPPING[$attribute]) ?? false; + return $this->helper->isGranted($token, 'labels', self::MAPPING[$attribute]); } protected function supports($attribute, $subject): bool @@ -67,7 +73,7 @@ class LabelProfileVoter extends ExtendedVoter return false; } - return $this->resolver->isValidOperation('labels', self::MAPPING[$attribute]); + return $this->helper->isValidOperation('labels', self::MAPPING[$attribute]); } return false; diff --git a/src/Security/Voter/LogEntryVoter.php b/src/Security/Voter/LogEntryVoter.php index 20c34863..e60b66d1 100644 --- a/src/Security/Voter/LogEntryVoter.php +++ b/src/Security/Voter/LogEntryVoter.php @@ -22,41 +22,45 @@ declare(strict_types=1); namespace App\Security\Voter; +use App\Services\UserSystem\VoterHelper; use Symfony\Bundle\SecurityBundle\Security; use App\Entity\LogSystem\AbstractLogEntry; use App\Entity\UserSystem\User; use App\Services\UserSystem\PermissionManager; use Doctrine\ORM\EntityManagerInterface; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; -class LogEntryVoter extends ExtendedVoter +final class LogEntryVoter extends Voter { final public const ALLOWED_OPS = ['read', 'show_details', 'delete']; - public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, private readonly Security $security) + public function __construct(private readonly Security $security, private readonly VoterHelper $helper) { - parent::__construct($resolver, $entityManager); } - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { + $user = $this->helper->resolveUser($token); + if (!$subject instanceof AbstractLogEntry) { throw new \InvalidArgumentException('The subject must be an instance of '.AbstractLogEntry::class); } if ('delete' === $attribute) { - return $this->resolver->inherit($user, 'system', 'delete_logs') ?? false; + return $this->helper->isGranted($token, 'system', 'delete_logs'); } if ('read' === $attribute) { //Allow read of the users own log entries if ( $subject->getUser() === $user - && $this->resolver->inherit($user, 'self', 'show_logs') + && $this->helper->isGranted($token, 'self', 'show_logs') ) { return true; } - return $this->resolver->inherit($user, 'system', 'show_logs') ?? false; + return $this->helper->isGranted($token, 'system', 'show_logs'); } if ('show_details' === $attribute) { @@ -67,7 +71,7 @@ class LogEntryVoter extends ExtendedVoter } //In other cases, this behaves like the read permission - return $this->voteOnUser('read', $subject, $user); + return $this->voteOnAttribute('read', $subject, $token); } return false; diff --git a/src/Security/Voter/OrderdetailVoter.php b/src/Security/Voter/OrderdetailVoter.php index 96ff609e..625732b5 100644 --- a/src/Security/Voter/OrderdetailVoter.php +++ b/src/Security/Voter/OrderdetailVoter.php @@ -41,23 +41,25 @@ declare(strict_types=1); namespace App\Security\Voter; +use App\Services\UserSystem\VoterHelper; use Symfony\Bundle\SecurityBundle\Security; use App\Entity\Parts\Part; use App\Entity\PriceInformations\Orderdetail; use App\Entity\UserSystem\User; use App\Services\UserSystem\PermissionManager; use Doctrine\ORM\EntityManagerInterface; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; -class OrderdetailVoter extends ExtendedVoter +final class OrderdetailVoter extends Voter { - public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, protected Security $security) + public function __construct(private readonly Security $security, private readonly VoterHelper $helper) { - parent::__construct($resolver, $entityManager); } protected const ALLOWED_PERMS = ['read', 'edit', 'create', 'delete', 'show_history', 'revert_element']; - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { if (! is_a($subject, Orderdetail::class, true)) { throw new \RuntimeException('This voter can only handle Orderdetail objects!'); @@ -73,7 +75,7 @@ class OrderdetailVoter extends ExtendedVoter //If we have no part associated use the generic part permission if (is_string($subject) || !$subject->getPart() instanceof Part) { - return $this->resolver->inherit($user, 'parts', $operation) ?? false; + return $this->helper->isGranted($token, 'parts', $operation); } //Otherwise vote on the part diff --git a/src/Security/Voter/ParameterVoter.php b/src/Security/Voter/ParameterVoter.php index 6f752518..96bd6060 100644 --- a/src/Security/Voter/ParameterVoter.php +++ b/src/Security/Voter/ParameterVoter.php @@ -22,6 +22,7 @@ declare(strict_types=1); */ namespace App\Security\Voter; +use App\Services\UserSystem\VoterHelper; use Symfony\Bundle\SecurityBundle\Security; use App\Entity\Base\AbstractDBElement; use App\Entity\Parameters\AbstractParameter; @@ -40,16 +41,17 @@ use App\Entity\UserSystem\User; use App\Services\UserSystem\PermissionManager; use Doctrine\ORM\EntityManagerInterface; use RuntimeException; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; -class ParameterVoter extends ExtendedVoter +final class ParameterVoter extends Voter { - public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, protected Security $security) + public function __construct(private readonly Security $security, private readonly VoterHelper $helper) { - parent::__construct($resolver, $entityManager); } - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { //return $this->resolver->inherit($user, 'attachments', $attribute) ?? false; @@ -104,7 +106,7 @@ class ParameterVoter extends ExtendedVoter throw new RuntimeException('Encountered unknown Parameter type: ' . (is_object($subject) ? $subject::class : $subject)); } - return $this->resolver->inherit($user, $param, $attribute) ?? false; + return $this->helper->isGranted($token, $param, $attribute); } protected function supports(string $attribute, $subject): bool diff --git a/src/Security/Voter/PartLotVoter.php b/src/Security/Voter/PartLotVoter.php index c9ddb89e..36fb230f 100644 --- a/src/Security/Voter/PartLotVoter.php +++ b/src/Security/Voter/PartLotVoter.php @@ -41,31 +41,31 @@ declare(strict_types=1); namespace App\Security\Voter; +use App\Services\UserSystem\VoterHelper; use Symfony\Bundle\SecurityBundle\Security; use App\Entity\Parts\Part; use App\Entity\Parts\PartLot; use App\Entity\UserSystem\User; use App\Services\UserSystem\PermissionManager; use Doctrine\ORM\EntityManagerInterface; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; -class PartLotVoter extends ExtendedVoter +final class PartLotVoter extends Voter { - public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, protected Security $security) + public function __construct(private readonly Security $security, private readonly VoterHelper $helper) { - parent::__construct($resolver, $entityManager); } protected const ALLOWED_PERMS = ['read', 'edit', 'create', 'delete', 'show_history', 'revert_element', 'withdraw', 'add', 'move']; - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { - if (! is_a($subject, PartLot::class, true)) { - throw new \RuntimeException('This voter can only handle PartLot objects!'); - } + $user = $this->helper->resolveUser($token); if (in_array($attribute, ['withdraw', 'add', 'move'], true)) { - $base_permission = $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false; + $base_permission = $this->helper->isGranted($token, 'parts_stock', $attribute); $lot_permission = true; //If the lot has an owner, we need to check if the user is the owner of the lot to be allowed to withdraw it. @@ -86,7 +86,7 @@ class PartLotVoter extends ExtendedVoter //If we have no part associated use the generic part permission if (is_string($subject) || !$subject->getPart() instanceof Part) { - return $this->resolver->inherit($user, 'parts', $operation) ?? false; + return $this->helper->isGranted($token, 'parts', $operation); } //Otherwise vote on the part diff --git a/src/Security/Voter/PartVoter.php b/src/Security/Voter/PartVoter.php index 878fc6a4..c2c37563 100644 --- a/src/Security/Voter/PartVoter.php +++ b/src/Security/Voter/PartVoter.php @@ -24,29 +24,36 @@ namespace App\Security\Voter; use App\Entity\Parts\Part; use App\Entity\UserSystem\User; +use App\Services\UserSystem\VoterHelper; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; /** * A Voter that votes on Part entities. * * See parts permissions for valid operations. */ -class PartVoter extends ExtendedVoter +final class PartVoter extends Voter { final public const READ = 'read'; + public function __construct(private readonly VoterHelper $helper) + { + } + protected function supports($attribute, $subject): bool { if (is_a($subject, Part::class, true)) { - return $this->resolver->isValidOperation('parts', $attribute); + return $this->helper->isValidOperation('parts', $attribute); } //Allow class name as subject return false; } - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { //Null concealing operator means, that no - return $this->resolver->inherit($user, 'parts', $attribute) ?? false; + return $this->helper->isGranted($token, 'parts', $attribute); } } diff --git a/src/Security/Voter/PermissionVoter.php b/src/Security/Voter/PermissionVoter.php index f7d84bf7..01b34215 100644 --- a/src/Security/Voter/PermissionVoter.php +++ b/src/Security/Voter/PermissionVoter.php @@ -32,7 +32,7 @@ use Symfony\Component\Security\Core\Authorization\Voter\Voter; * This use the syntax like "@permission.op" * However you should use the "normal" object based voters if possible, because they are needed for a future ACL system. */ -class PermissionVoter extends Voter +final class PermissionVoter extends Voter { public function __construct(private readonly VoterHelper $helper) { @@ -62,7 +62,7 @@ class PermissionVoter extends Voter $attribute = ltrim($attribute, '@'); [$perm, $op] = explode('.', $attribute); - $valid = $this->resolver->isValidOperation($perm, $op); + $valid = $this->helper->isValidOperation($perm, $op); //if an invalid operation is encountered, throw an exception so the developer knows it if(!$valid) { diff --git a/src/Security/Voter/PricedetailVoter.php b/src/Security/Voter/PricedetailVoter.php index c4def709..9be5c4ed 100644 --- a/src/Security/Voter/PricedetailVoter.php +++ b/src/Security/Voter/PricedetailVoter.php @@ -41,6 +41,7 @@ declare(strict_types=1); namespace App\Security\Voter; +use App\Services\UserSystem\VoterHelper; use Symfony\Bundle\SecurityBundle\Security; use App\Entity\PriceInformations\Orderdetail; use App\Entity\Parts\Part; @@ -48,22 +49,19 @@ use App\Entity\PriceInformations\Pricedetail; use App\Entity\UserSystem\User; use App\Services\UserSystem\PermissionManager; use Doctrine\ORM\EntityManagerInterface; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; -class PricedetailVoter extends ExtendedVoter +final class PricedetailVoter extends Voter { - public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, protected Security $security) + public function __construct(private readonly Security $security, private readonly VoterHelper $helper) { - parent::__construct($resolver, $entityManager); } protected const ALLOWED_PERMS = ['read', 'edit', 'create', 'delete', 'show_history', 'revert_element']; - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { - if (!is_a($subject, Pricedetail::class, true)) { - throw new \RuntimeException('This voter can only handle Pricedetails objects!'); - } - $operation = match ($attribute) { 'read' => 'read', 'edit', 'create', 'delete' => 'edit', @@ -74,7 +72,7 @@ class PricedetailVoter extends ExtendedVoter //If we have no part associated use the generic part permission if (is_string($subject) || !$subject->getOrderdetail() instanceof Orderdetail || !$subject->getOrderdetail()->getPart() instanceof Part) { - return $this->resolver->inherit($user, 'parts', $operation) ?? false; + return $this->helper->isGranted($token, 'parts', $operation); } //Otherwise vote on the part diff --git a/src/Security/Voter/StructureVoter.php b/src/Security/Voter/StructureVoter.php index 79cef811..477bc28d 100644 --- a/src/Security/Voter/StructureVoter.php +++ b/src/Security/Voter/StructureVoter.php @@ -32,10 +32,14 @@ use App\Entity\Parts\Storelocation; use App\Entity\Parts\Supplier; use App\Entity\PriceInformations\Currency; use App\Entity\UserSystem\User; +use App\Services\UserSystem\VoterHelper; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; + use function get_class; use function is_object; -class StructureVoter extends ExtendedVoter +final class StructureVoter extends Voter { protected const OBJ_PERM_MAP = [ AttachmentType::class => 'attachment_types', @@ -49,6 +53,10 @@ class StructureVoter extends ExtendedVoter MeasurementUnit::class => 'measurement_units', ]; + public function __construct(private readonly VoterHelper $helper) + { + } + /** * Determines if the attribute and subject are supported by this voter. * @@ -62,7 +70,7 @@ class StructureVoter extends ExtendedVoter if (is_object($subject) || is_string($subject)) { $permission_name = $this->instanceToPermissionName($subject); //If permission name is null, then the subject is not supported - return (null !== $permission_name) && $this->resolver->isValidOperation($permission_name, $attribute); + return (null !== $permission_name) && $this->helper->isValidOperation($permission_name, $attribute); } return false; @@ -99,10 +107,10 @@ class StructureVoter extends ExtendedVoter * * @param string $attribute */ - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { $permission_name = $this->instanceToPermissionName($subject); //Just resolve the permission - return $this->resolver->inherit($user, $permission_name, $attribute) ?? false; + return $this->helper->isGranted($token, $permission_name, $attribute); } } diff --git a/src/Security/Voter/UserVoter.php b/src/Security/Voter/UserVoter.php index e98e1701..f6502f6e 100644 --- a/src/Security/Voter/UserVoter.php +++ b/src/Security/Voter/UserVoter.php @@ -23,10 +23,19 @@ declare(strict_types=1); namespace App\Security\Voter; use App\Entity\UserSystem\User; +use App\Services\UserSystem\PermissionManager; +use App\Services\UserSystem\VoterHelper; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; +use Symfony\Component\Security\Core\Authorization\Voter\Voter; + use function in_array; -class UserVoter extends ExtendedVoter +final class UserVoter extends Voter { + public function __construct(private readonly VoterHelper $helper, private readonly PermissionManager $resolver) + { + } + /** * Determines if the attribute and subject are supported by this voter. * @@ -57,8 +66,10 @@ class UserVoter extends ExtendedVoter * * @param string $attribute */ - protected function voteOnUser(string $attribute, $subject, User $user): bool + protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { + $user = $this->helper->resolveUser($token); + if ($attribute === 'info') { //Every logged-in user (non-anonymous) can see the info pages of other users if (!$user->isAnonymousUser()) { @@ -71,9 +82,9 @@ class UserVoter extends ExtendedVoter //Check if the checked user is the user itself if (($subject instanceof User) && $subject->getID() === $user->getID() && - $this->resolver->isValidOperation('self', $attribute)) { + $this->helper->isValidOperation('self', $attribute)) { //Then we also need to check the self permission - $tmp = $this->resolver->inherit($user, 'self', $attribute) ?? false; + $tmp = $this->helper->isGranted($token, 'self', $attribute); //But if the self value is not allowed then use just the user value: if ($tmp) { return $tmp; @@ -81,8 +92,8 @@ class UserVoter extends ExtendedVoter } //Else just check user permission: - if ($this->resolver->isValidOperation('users', $attribute)) { - return $this->resolver->inherit($user, 'users', $attribute) ?? false; + if ($this->helper->isValidOperation('users', $attribute)) { + return $this->helper->isGranted($token, 'users', $attribute); } return false; diff --git a/src/Services/UserSystem/VoterHelper.php b/src/Services/UserSystem/VoterHelper.php index 3f78a1aa..c13cf22a 100644 --- a/src/Services/UserSystem/VoterHelper.php +++ b/src/Services/UserSystem/VoterHelper.php @@ -107,4 +107,18 @@ final class VoterHelper //Otherwise throw an exception throw new \RuntimeException('The user could not be resolved.'); } + + /** + * Checks if the permission operation combination with the given names is existing. + * Just a proxy to the permission manager. + * + * @param string $permission the name of the permission which should be checked + * @param string $operation the name of the operation which should be checked + * + * @return bool true if the given permission operation combination is existing + */ + public function isValidOperation(string $permission, string $operation): bool + { + return $this->permissionManager->isValidOperation($permission, $operation); + } } \ No newline at end of file