Check for permissions before showing user infos or allow the user to change its own infos.

2025-06-25 03:08:51 +02:00 · 2019-03-19 18:36:05 +01:00 · 2019-03-19 18:36:05 +01:00 · 6ed2eeabae
commit 6ed2eeabae
parent b9cd2fcc7f
5 changed files with 130 additions and 10 deletions
--- a/src/Security/Voter/UserVoter.php
+++ b/src/Security/Voter/UserVoter.php
@ -0,0 +1,91 @@
+<?php
+/**
+ *
+ * part-db version 0.1
+ * Copyright (C) 2005 Christoph Lechner
+ * http://www.cl-projects.de/
+ *
+ * part-db version 0.2+
+ * Copyright (C) 2009 K. Jacobs and others (see authors.php)
+ * http://code.google.com/p/part-db/
+ *
+ * Part-DB Version 0.4+
+ * Copyright (C) 2016 - 2019 Jan Böhmer
+ * https://github.com/jbtronics
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ *
+ */
+
+namespace App\Security\Voter;
+
+
+use App\Entity\User;
+
+class UserVoter extends ExtendedVoter
+{
+
+    /**
+     * Determines if the attribute and subject are supported by this voter.
+     *
+     * @param string $attribute An attribute
+     * @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type
+     *
+     * @return bool True if the attribute and subject are supported, false otherwise
+     */
+    protected function supports($attribute, $subject)
+    {
+        if($subject instanceof User)
+        {
+            return in_array($attribute, array_merge(
+                $this->resolver->listOperationsForPermission('users'),
+                $this->resolver->listOperationsForPermission('self')),
+            false
+            );
+        }
+
+        return false;
+    }
+
+    /**
+     * Similar to voteOnAttribute, but checking for the anonymous user is already done.
+     * The current user (or the anonymous user) is passed by $user.
+     * @param $attribute
+     * @param $subject
+     * @param User $user
+     * @return bool
+     */
+    protected function voteOnUser($attribute, $subject, User $user): bool
+    {
+        if($subject instanceof User)
+        {
+            //Check if the checked user is the user itself
+            if($subject->getID() === $user->getID() &&
+                $this->resolver->isValidOperation('self', $attribute)) {
+                //Then we also need to check the self permission
+                $tmp = $this->resolver->inherit($user, 'self', $attribute) ?? false;
+                //But if the self value is not allowed then use just the user value:
+                if($tmp)
+                    return $tmp;
+            }
+            //Else just check users permission:
+            return $this->resolver->inherit($user, 'users', $attribute) ?? false;
+        }
+
+        return false;
+    }
+
+
+}