From ff2aafabbd75cf0067abd3db107dc76b476d9d44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Tue, 6 Feb 2024 22:18:09 +0100 Subject: [PATCH] Fixed permission denied error on log details page for BOMEntries --- src/Security/Voter/BOMEntryVoter.php | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/src/Security/Voter/BOMEntryVoter.php b/src/Security/Voter/BOMEntryVoter.php index b4783b82..f83e2eb3 100644 --- a/src/Security/Voter/BOMEntryVoter.php +++ b/src/Security/Voter/BOMEntryVoter.php @@ -23,6 +23,7 @@ declare(strict_types=1); namespace App\Security\Voter; +use App\Entity\ProjectSystem\Project; use App\Entity\ProjectSystem\ProjectBOMEntry; use Symfony\Bundle\SecurityBundle\Security; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; @@ -31,7 +32,7 @@ use Symfony\Component\Security\Core\Authorization\Voter\Voter; class BOMEntryVoter extends Voter { - private const ALLOWED_ATTRIBUTES = ['read', 'view', 'edit', 'delete', 'create']; + private const ALLOWED_ATTRIBUTES = ['read', 'view', 'edit', 'delete', 'create', 'show_history']; public function __construct(private readonly Security $security) { 
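Review bot: `ALLOWED_ATTRIBUTES` now lists `show_history`, but nothing at the constant says how an attribute is resolved, so a future attribute added here without a matching branch in `voteOnAttribute()` would silently fall through to the `edit` check on the project. A short comment above the constant would pin that contract, e.g. `// Each attribute is delegated to the owning Project's permission; anything not handled explicitly in voteOnAttribute() requires 'edit' on the project.` The mapping itself is in the later hunks of this patch, not in this one.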
@@ -39,20 +40,25 @@ class BOMEntryVoter extends Voter protected function supports(string $attribute, mixed $subject): bool { - return $this->supportsAttribute($attribute) && is_a($subject, ProjectBOMEntry::class); + return $this->supportsAttribute($attribute) && is_a($subject, ProjectBOMEntry::class, true); } protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool { - if (!$subject instanceof ProjectBOMEntry) { + if (!is_a($subject, ProjectBOMEntry::class, true)) { return false; } - $project = $subject->getProject(); + if (is_object($subject)) { + $project = $subject->getProject(); - //Allow everything if the project was not set yet - if ($project === null) { - return true; + //Allow everything if the project was not set yet + if ($project === null) { + return true; + } + } else { + //If a string was given, use the general project permissions to resolve permissions + $project = Project::class; } //Entry can be read if the user has read access to the project @@ -60,6 +66,11 @@ class BOMEntryVoter extends Voter return $this->security->isGranted('read', $project); } + //History can be shown if the user has show_history access to the project + if ($attribute === 'show_history') { + return $this->security->isGranted('show_history', $project); + } + //Everything else can be done if the user has edit access to the project return $this->security->isGranted('edit', $project); } @@ -71,6 +82,6 @@ class BOMEntryVoter extends Voter public function supportsType(string $subjectType): bool { - return is_a($subjectType, ProjectBOMEntry::class, true); + return $subjectType === 'string' || is_a($subjectType, ProjectBOMEntry::class, true); } } \ No newline at end of file
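Review bot: `supports()` now runs `is_a($subject, ProjectBOMEntry::class, true)` on every string subject that reaches this voter, and with `allow_string` PHP autoloads whatever class name it is handed; since `supportsType()` (last hunk) accepts any `'string'`, the voter will attempt to autoload arbitrary subject strings passed to `isGranted()` anywhere in the application. That only becomes a real hazard if a subject string can ever be influenced by a user (a PSR-4 autoloader maps the name to a path and `..` segments are not rejected), which I cannot tell from this patch, but it is cheap to rule out: `if (is_string($subject) && $subject !== ProjectBOMEntry::class) { return false; }` before the `is_a()` call keeps the class-name shortcut for the log details page without autoloading anything. If subclass names must also be accepted as strings, guard with `class_exists($subject, false)` instead. Note also that the string branch of `voteOnAttribute()` substitutes `Project::class`, so it relies on the project voter understanding class-name subjects; `voteOnAttribute()` continues past the end of this hunk.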
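Review bot: `supportsType()` returning true for every `'string'` is the only way to let class-name subjects past Symfony's cacheable-voter pre-filter (the type it receives for a string subject is just `'string'`), but written without a comment it reads like an over-broad match that a later reader might "fix" back to the `is_a()` check alone, silently reintroducing the permission-denied error this commit fixes. Suggest `// 'string' is required so class-name subjects such as ProjectBOMEntry::class reach supports(), which does the actual narrowing.` above the return. The trade-off is that `supports()` is now consulted for every string subject in the application, so its check should stay cheap.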