src/Security/Voter/UserVoter.php line 21

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\Security\Voter;
  7. use App\Entity\Security\Administrator;
  8. use App\Entity\Security\Customer;
  9. use App\Entity\Security\Developer;
  10. use App\Entity\Security\Manager;
  11. use App\Entity\Security\RoleInterface;
  12. use App\Entity\Security\ShopManager;
  13. use App\Entity\Security\Support;
  14. use App\Entity\Security\User;
  15. use App\Repository\Shop\CustomerShopRepository;
  16. use App\Service\Security\CustomerService;
  17. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  18. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  19. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  21. class UserVoter extends Voter
  22. {
  23.     public const SHOW 'USER_SHOW';
  25.     public function __construct(
  26.         private AuthorizationCheckerInterface $authorizationChecker,
  27.         private CustomerService $customerService,
  28.         private CustomerShopRepository $customerShopRepository,
  29.     ) {
  30.     }
  32.     protected function supports(string $attributemixed $subject): bool
  33.     {
  34.         return self::SHOW === $attribute && $subject instanceof User;
  35.     }
  37.     protected function voteOnAttribute(string $attributemixed $subjectTokenInterface $token): bool
  38.     {
  39.         $loggedUser $token->getUser();
  40.         if (!$loggedUser instanceof User) {
  41.             return false;
  42.         }
  44.         return $loggedUser->getId() === $subject->getId() || $this->canView($loggedUser$subject);
  45.     }
  47.     private function canView(User $loggedUserUser $targetUser): bool
  48.     {
  49.         $targetRole = match (true) {
  50.             $targetUser instanceof Administrator => RoleInterface::ROLE_ADMIN,
  51.             $targetUser instanceof Developer => RoleInterface::ROLE_DEVELOPER,
  52.             $targetUser instanceof Support => RoleInterface::ROLE_SUPPORT,
  53.             $targetUser instanceof Manager => RoleInterface::ROLE_MANAGER,
  54.             $targetUser instanceof ShopManager => RoleInterface::ROLE_SHOP_MANAGER,
  55.             $targetUser instanceof Customer => RoleInterface::ROLE_CLIENT,
  56.             default => null,
  57.         };
  59.         if (!$this->authorizationChecker->isGranted($targetRole)) {
  60.             return false;
  61.         }
  63.         return $this->checkConstraints($loggedUser$targetUser);
  64.     }
  66.     private function checkConstraints(User $loggedUserUser $targetUser): bool
  67.     {
  68.         if ($loggedUser::class === $targetUser::class && !$loggedUser instanceof Administrator) {
  69.             return false;
  70.         }
  72.         return match (true) {
  73.             $loggedUser instanceof Administrator,
  74.             $loggedUser instanceof Developer,
  75.             $loggedUser instanceof Support => true,
  76.             $loggedUser instanceof Manager => match (true) {
  77.                 $targetUser instanceof Customer => $this->customerService->customerHasFranchise($targetUser$loggedUser->getFranchise()),
  78.                 $targetUser instanceof ShopManager => $targetUser->getShop()->getFranchise() === $loggedUser->getFranchise(),
  79.                 $targetUser instanceof Manager => false,
  80.                 default => false,
  81.             },
  82.             $loggedUser instanceof ShopManager => match (true) {
  83.                 $targetUser instanceof Customer => $this->customerShopRepository->exist($loggedUser->getShop()->getId(), $targetUser->getId()),
  84.                 $targetUser instanceof ShopManager => false,
  85.                 default => false,
  86.             },
  87.             default => false,
  88.         };
  89.     }
  90. }