Restrict part lot withdraw/add/move operations to the owner of a part lot

src/Controller/PartController.php

@@ -55,8 +55,11 @@ use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
+use function Symfony\Component\Translation\t;
+
 /**
  * @Route("/part")
  */
@@ -360,7 +363,7 @@ class PartController extends AbstractController
             $action = $request->request->get('action');
 
 
-
+            try {
                 switch ($action) {
                     case "withdraw":
                     case "remove":
@@ -373,11 +376,16 @@ class PartController extends AbstractController
                         break;
                     case "move":
                         $this->denyAccessUnlessGranted('move', $partLot);
+                        $this->denyAccessUnlessGranted('move', $targetLot);
                         $withdrawAddHelper->move($partLot, $targetLot, $amount, $comment);
                         break;
                     default:
                         throw new \RuntimeException("Unknown action!");
                 }
+            } catch (AccessDeniedException $exception) {
+                $this->addFlash('error', t('part.withdraw.access_denied'));
+                goto err;
+            }
 
             //Save the changes to the DB
             $em->flush();
@@ -387,6 +395,7 @@ class PartController extends AbstractController
             $this->addFlash('error', 'CSRF Token invalid!');
         }
 
+        err:
         //If an redirect was passed, then redirect there
         if($request->request->get('_redirect')) {
             return $this->redirect($request->request->get('_redirect'));

src/Security/Voter/PartLotVoter.php

@@ -67,7 +67,15 @@ class PartLotVoter extends ExtendedVoter
 
         if (in_array($attribute, ['withdraw', 'add', 'move']))
         {
-            return $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
+            $base_permission = $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
+
+            $lot_permission = true;
+            //If the lot has an owner, we need to check if the user is the owner of the lot to be allowed to withdraw it.
+            if ($subject instanceof PartLot && $subject->getOwner()) {
+                $lot_permission = $subject->getOwner() === $user || $subject->getOwner()->getID() === $user->getID();
+            }
+
+            return $base_permission && $lot_permission;
         }
 
         switch ($attribute) {

translations/messages.en.xlf

@@ -11229,5 +11229,29 @@ Element 3</target>
         <target>Only the owner can withdraw or add stock to this lot.</target>
       </segment>
     </unit>
+    <unit id="61.yfNy" name="log.element_edited.changed_fields.owner">
+      <segment>
+        <source>log.element_edited.changed_fields.owner</source>
+        <target>Owner</target>
+      </segment>
+    </unit>
+    <unit id="YkZAIS8" name="log.element_edited.changed_fields.instock_unknown">
+      <segment>
+        <source>log.element_edited.changed_fields.instock_unknown</source>
+        <target>Amount unknown</target>
+      </segment>
+    </unit>
+    <unit id="xf7NNZ9" name="log.element_edited.changed_fields.needs_refill">
+      <segment>
+        <source>log.element_edited.changed_fields.needs_refill</source>
+        <target>Refill needed</target>
+      </segment>
+    </unit>
+    <unit id="Gfw_MWL" name="part.withdraw.access_denied">
+      <segment>
+        <source>part.withdraw.access_denied</source>
+        <target>Not allowed to do the desired action. Please check your permissions and the owner of the part lots.</target>
+      </segment>
+    </unit>
   </file>
 </xliff>