src/Security/FinancialScopeVoter.php line 11

Open in your IDE?
  1. <?php
  2. namespace App\Security;
  4. use App\Entity\FinancialScope;
  5. use App\Service\ScopeResolverService;
  6. use App\Service\HierarchyChecker;
  7. use App\Repository\FinancialScopeRepository;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. class FinancialScopeVoter extends Voter
  12. {
  13. public const MANAGE = 'FIN_MANAGE';
  15. private $scopeResolver;
  16. private $scopeRepo;
  17. private $hierarchyChecker;
  19. public function __construct(ScopeResolverService $scopeResolver, FinancialScopeRepository $scopeRepo, HierarchyChecker $hierarchyChecker)
  20. {
  21. $this->scopeResolver = $scopeResolver;
  22. $this->scopeRepo = $scopeRepo;
  23. $this->hierarchyChecker = $hierarchyChecker;
  24. }
  26. protected function supports(string $attribute, $subject): bool
  27. {
  28. if ($attribute !== self::MANAGE) return false;
  29. // support any object we can resolve
  30. return true;
  31. }
  33. protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
  34. {
  35. $user = $token->getUser();
  36. if (!$user || !is_object($user)) return false;
  37. // quick role check: must have ROLE_FINANCIAL or higher
  38. if (!in_array('ROLE_FINANCIAL', $user->getRoles()) && !in_array('ROLE_ADMIN', $user->getRoles())) {
  39. return false;
  40. }
  42. // get user's scopes
  43. $scopes = $this->scopeRepo->findBy(['financialManager' => $user]);
  45. // resolve target
  46. $targetScope = $this->scopeResolver->resolve($subject);
  47. return $this->hierarchyChecker->isCovered($scopes, $targetScope);
  48. }
  49. }