src/Ox/HoardBundle/Security/Authorization/Voter/HoardVoter.php line 14

Open in your IDE?
  1. <?php
  2. /**
  3.  * Created by PhpStorm.
  4.  * User: ouit0097
  5.  * Date: 24/06/15
  6.  * Time: 14:21
  7.  */
  8. namespace App\Ox\HoardBundle\Security\Authorization\Voter;
  10. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use NUCLEOS\UserBundle\Model\UserInterface;
  14. class HoardVoter implements VoterInterface
  15. {
  16.     const VIEW 'view';
  17.     const VIEW_COINS 'view_coins';
  18.     const VIEW_COINS_SUMMARY 'view_coins_summary';
  19.     const EDIT 'edit';
  20.     const DELETE 'delete';
  22.     private $supportedClass 'App\Ox\HoardBundle\Entity\Hoard';
  24.     public function supportsAttribute($attribute)
  25.     {
  26.         return in_array($attribute, array(
  27.             self::VIEW,
  28.             self::VIEW_COINS,
  29.             self::VIEW_COINS_SUMMARY,
  30.             self::EDIT,
  31.             self::DELETE,
  32.         ));
  33.     }
  35.     public function supportsClass($class)
  36.     {
  37.         return $this->supportedClass === $class || $this->isChildofSupportedClass($class);
  38.     }
  40.     public function isChildofSupportedClass($class)
  41.     {
  42.         return is_subclass_of($class$this->supportedClass);
  43.     }
  45.     // validate whether a particular user can access a particular hoard based on country and access grants
  46.     private function checkUserCanAccessHoardByCountry($user$hoard) {
  47.         // check for user exception access
  48.         foreach($user->getAccessibleHoards() as $userHoard) {
  49.             if($userHoard->getHoard() == $hoard)
  50.                 return true;
  51.         }
  52.         
  53.         $forbiddenCountryFlag false;
  54.         // check for country access
  55.         foreach($hoard->getCountries() as $country) {
  56.             if (!in_array($country$user->getAccessibleCountries()->toArray())){
  57.                 $forbiddenCountryFlag true;
  58.             }
  59.         }
  60.         if (!$forbiddenCountryFlag){
  61.             return true;
  62.         }
  63.         
  64.         return false;
  65.     }
  66.     
  67.     // the haord (or some part of it) is hidden from the user
  68.     private function getHoardIsHiddenFromUser($user$hoard) {
  69.         //public
  70.         if(!$user instanceof UserInterface || !($user->getId() > 0) ) {
  71.             return $hoard->getHideFrom()->getId() != 3// != 'none'
  72.         }
  73.         //admin
  74.         elseif($user && ( $user->hasRole('ROLE_ADMIN') || $user->hasRole('ROLE_SUPER_ADMIN'))) {
  75.             return false;
  76.         }
  77.         //user
  78.         elseif($this->checkUserCanAccessHoardByCountry($user$hoard)) {
  79.             return false;
  80.         }
  81.         else {
  82.             return $hoard->getHideFrom()->getHideFrom() == 2//"public + collaborator";
  83.         }
  84.     }
  86.     /**
  87.      * @param TokenInterface $token      A TokenInterface instance
  88.      * @param object|null    $object     The hoard to secure
  89.      * @param array          $attributes An array of attributes associated with the method being invoked
  90.      *
  91.      * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
  92.      */
  93.     public function vote(TokenInterface $token$object, array $attributes)
  94.     {       
  95.         // check if class of this object is supported by this voter
  96.         if (!is_object($object) || !$this->supportsClass(get_class($object))) {
  97.             return VoterInterface::ACCESS_ABSTAIN;
  98.         }
  100.         // check if the voter is used correct, only allow one attribute
  101.         // this isn't a requirement, it's just one easy way for you to
  102.         // design your voter
  103.         if (!== count($attributes)) {
  104.             throw new \InvalidArgumentException(
  105.                 'Only one attribute is allowed for VIEW or EDIT'
  106.             );
  107.         }
  109.         // set the attribute to check against
  110.         $attribute $attributes[0];
  112.         // check if the given attribute is covered by this voter
  113.         if (!$this->supportsAttribute($attribute)) {
  114.             return VoterInterface::ACCESS_ABSTAIN;
  115.         }
  117.         // get current logged in user
  118.         $user $token->getUser();
  120.         $hoard $object;
  121.         //not doing what we expect. Returns true when we are querying about a hoard.
  122.         // if($this->isChildofSupportedClass(get_class($object)))
  123.         //     $hoard = $object->getHoard();
  126.         switch($attribute) {
  127.             case self::VIEW:
  128.                 // check if hidden value is set
  129.                 $hideFromNone $hoard->getHideFrom()->getId() == 3;// || $hoard->getHideFrom()->getHideFrom()=='none';
  130.                 $hideAll $hoard->getHideWhat() && $hoard->getHideWhat()->getId() == 3;    //'all'
  131.                 if($hideFromNone || !$hideAll) {
  132.                     // check if marked as hidden
  133.                     if(!$hoard->getValidatedByUser())
  134.                     {
  135.                         if(!$user instanceof UserInterface || !($user->getId() > 0) ) 
  136.                         {
  137.                             return VoterInterface::ACCESS_DENIED;
  138.                         }
  139.                     }
  140.                     return VoterInterface::ACCESS_GRANTED;
  141.                 }
  142.                 // check if user is authenticated
  143.                 elseif(!$user instanceof UserInterface || !($user->getId() > 0) ) {
  144.                     return VoterInterface::ACCESS_DENIED;
  145.                 }
  146.                 elseif($user && ( $user->hasRole('ROLE_ADMIN') || $user->hasRole('ROLE_SUPER_ADMIN'))) {
  147.                     return VoterInterface::ACCESS_GRANTED;
  148.                 }
  149.                 // check if user is the creator of the hoard
  150.                 elseif( $hoard->getCreated() && $user->getId() == $hoard->getCreated()->getId()) {
  151.                     return VoterInterface::ACCESS_GRANTED;
  152.                 }
  153.                 // check if user has access by country or specific access grant
  154.                 elseif($this->checkUserCanAccessHoardByCountry($user$hoard)) {
  155.                     return VoterInterface::ACCESS_GRANTED;
  156.                 }
  157.                 // check if hoard is hidden from users from other countries
  158.                 elseif($hoard->getHideFrom()->getId() == 2) { //"public + collaborator with view rights") {
  159.                     return VoterInterface::ACCESS_DENIED;
  160.                 }
  162.                 return VoterInterface::ACCESS_GRANTED;
  164.             case self::VIEW_COINS:
  165.                 if($this->getHoardIsHiddenFromUser($user$hoard))
  166.                 {
  167.                     $hideCoins $hoard->getHideWhat() && $hoard->getHideWhat()->getId() == 1//'the coins'
  168.                     $hideCoinsAndSummary $hoard->getHideWhat() && $hoard->getHideWhat()->getId() == 2//'the coins + the coin summary';
  169.                     if(!$hideCoins && !$hideCoinsAndSummary)
  170.                     {
  171.                         return VoterInterface::ACCESS_GRANTED;
  172.                     }
  173.                     return VoterInterface::ACCESS_DENIED;
  174.                 }
  175.                 return VoterInterface::ACCESS_GRANTED;
  176.                 
  177.             case self::VIEW_COINS_SUMMARY:
  178.                 if($this->getHoardIsHiddenFromUser($user$hoard))
  179.                 {
  180.                     $hideCoinsAndSummary $hoard->getHideWhat() && $hoard->getHideWhat()->getId() == 2;//'the coins + the coin summary';
  181.                     if(!$hideCoinsAndSummary)
  182.                     {
  183.                         return VoterInterface::ACCESS_GRANTED;
  184.                     }
  185.                     return VoterInterface::ACCESS_DENIED;
  186.                 }
  187.                 return VoterInterface::ACCESS_GRANTED;
  189.             case self::EDIT: case self::DELETE:
  190.                 // check if user is authenticated
  191.                 if(!$user instanceof UserInterface || !($user->getId() > 0) ) {
  192.                     return VoterInterface::ACCESS_DENIED;
  193.                 }
  194.                 // check if user is the creator of the hoard
  195.                 elseif( $hoard->getCreated() && $user->getId() == $hoard->getCreated()->getId()) {
  196.                     return VoterInterface::ACCESS_GRANTED;
  197.                 }
  198.                 // check if user has access by country or specific access grant
  199.                 elseif($this->checkUserCanAccessHoardByCountry($user$hoard)) {
  200.                     return VoterInterface::ACCESS_GRANTED;
  201.                 }
  202.                 elseif($user && ( $user->hasRole('ROLE_ADMIN') || $user->hasRole('ROLE_SUPER_ADMIN'))) {
  203.                     return VoterInterface::ACCESS_GRANTED;
  204.                 }
  205.                 
  206.                 return VoterInterface::ACCESS_DENIED;
  207.         }
  209.         return VoterInterface::ACCESS_DENIED;
  210.     }
  211. }