src/Security/BaseCrudVoter.php line 11

Open in your IDE?
  1. <?php
  3. namespace App\Security;
  5. use AppBundle\Entity\CompanyAssetInterface;
  6. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  7. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use App\Entity\User;
  11. class BaseCrudVoter extends Voter
  12. {
  13.     const ROLE_SUPER 'ROLE_SUPER_ADMIN';
  14.     const ROLE_ALL 'ROLE_DEFAULT_ALL';
  15.     const ROLE_READ 'ROLE_DEFAULT_READ';
  16.     const ROLE_WRITE 'ROLE_DEFAULT_WRITE';
  17.     const ROLE_DELETE 'ROLE_DEFAULT_DELETE';
  19.     const GRANT_READ 'read';
  20.     const GRANT_WRITE 'write';
  21.     const GRANT_DELETE 'delete';
  23.     private $decisionManager;
  25.     public function __construct(AccessDecisionManagerInterface $decisionManager)
  26.     {
  27.         $this->decisionManager $decisionManager;
  28.     }
  30.     protected function supports($attribute$subject)
  31.     {
  32.         // if the attribute isn't one we support, return false
  33.         if (!in_array($attribute, array(self::GRANT_READself::GRANT_WRITEself::GRANT_DELETE))) {
  34.             return false// abstain
  35.         }
  37.         return true// supports
  38.     }
  40.     protected function voteOnAttribute($attribute$subjectTokenInterface $token)
  41.     {
  42.         // ROLE_SUPER_ADMIN can do anything! The power!
  43.         if ($this->decisionManager->decide($token, array(static::ROLE_SUPER))) {
  44.             return true;
  45.         }
  47.         $user $token->getUser();
  49.         if (!$user instanceof User) {
  50.             // the user must be logged in; if not, deny access
  51.             return false;
  52.         }
  54.         switch ($attribute) {
  55.             case self::GRANT_READ:
  56.                 return $this->canRead($subject$user);
  57.             case self::GRANT_WRITE:
  58.                 return $this->canWrite($subject$user);
  59.             case self::GRANT_DELETE:
  60.                 return $this->canDelete($subject$user);
  61.         }
  63.         throw new \LogicException('This code should not be reached!');
  64.     }
  66.     private function canDoAll($subjectUser $user)
  67.     {
  68.         if ($user->hasRole(static::ROLE_ALL)) {
  69.             return true;
  70.         }
  71.         return false;
  72.     }
  74.     private function canRead($subjectUser $user)
  75.     {
  76.         // if they can do all, they can show
  77.         if ($this->canDoAll($subject$user)) {
  78.             return true;
  79.         }
  81.         if ($user->hasRole(static::ROLE_READ)) {
  82.             return true;
  83.         }
  84.         return false;
  85.     }
  87.     private function canWrite($subjectUser $user)
  88.     {
  89.         // if they can do all, they can edit
  90.         if ($this->canDoAll($subject$user)) {
  91.             return true;
  92.         }
  94.         if ($user->hasRole(static::ROLE_WRITE)) {
  95.             return true;
  96.         }
  97.         return false;
  98.     }
  100.     private function canDelete($subjectUser $user)
  101.     {
  102.         // if they can do all, they can delete
  103.         if ($this->canDoAll($subject$user)) {
  104.             return true;
  105.         }
  107.         if ($user->hasRole(static::ROLE_DELETE)) {
  108.             return true;
  109.         }
  110.         return false;
  111.     }
  112. }