src/Security/Content/BlogCommentVoter.php line 11

Open in your IDE?
  1. <?php
  3. namespace App\Security\Content;
  5. use App\Entity\Content\BlogComment;
  6. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  7. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Symfony\Component\Security\Core\User\UserInterface;
  11. class BlogCommentVoter extends Voter
  12. {
  13. const VIEW = 'BLOG_COMMENT_VIEW';
  14. const VIEW_ANY = 'BLOG_COMMENT_VIEW_ANY';
  15. const APPROVE = 'BLOG_COMMENT_APPROVE';
  16. const DENY = 'BLOG_COMMENT_DENY';
  17. const DELETE = 'BLOG_COMMENT_DELETE';
  19. /**
  20. * UserVoter constructor.
  21. */
  22. public function __construct(private readonly AccessDecisionManagerInterface $decisionManager)
  23. {
  24. }
  26. /**
  27. * @param string $attribute
  28. * @param mixed $subject
  29. */
  30. protected function supports($attribute, $subject): bool
  31. {
  32. // if the attribute isn't one we support, return false
  33. if (!in_array($attribute, [
  34. self::VIEW,
  35. self::VIEW_ANY,
  36. self::APPROVE,
  37. self::DENY,
  38. self::DELETE,
  39. ], true)) {
  40. return false;
  41. }
  42. // only vote on Property objects inside this voter
  43. return !($subject && !$subject instanceof BlogComment);
  44. }
  46. /**
  47. * @param string $attribute
  48. * @param mixed $subject
  49. *
  50. */
  51. protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
  52. {
  53. if ($this->decisionManager->decide($token, ['ROLE_SUPER_ADMIN'])) {
  54. return true;
  55. }
  57. $user = $token->getUser();
  59. if (!$user instanceof UserInterface) {
  60. // the user must be logged in; if not, deny access
  61. return false;
  62. }
  63. return match ($attribute) {
  64. self::VIEW_ANY => $this->canViewAny($user),
  65. self::VIEW => $this->canView($user),
  66. self::APPROVE => $this->canApprove($user),
  67. self::DENY => $this->canDeny($user),
  68. self::DELETE => $this->canDelete($user),
  69. default => throw new \LogicException('This code should not be reached!'),
  70. };
  71. }
  73. /**
  74. * Check if logged in User can view Property
  75. */
  76. private function canView(UserInterface $user): bool
  77. {
  78. if ($this->canApprove($user)) {
  79. return true;
  80. }
  82. if ($this->canDeny($user)) {
  83. return true;
  84. }
  86. return $user->hasRole('ROLE_ADMIN');
  87. }
  89. /**
  90. * Check if logged in User can view Property
  91. *
  92. *
  93. */
  94. private function canViewAny(UserInterface $user): bool
  95. {
  96. if ($user->hasRight(self::VIEW_ANY)) {
  97. return true;
  98. }
  100. return $user->hasRole('ROLE_ADMIN');
  101. }
  103. /**
  104. * Check if logged in User can create Property
  105. *
  106. *
  107. */
  108. private function canApprove(UserInterface $user): bool
  109. {
  110. if ($user->hasRight(self::APPROVE)) {
  111. return true;
  112. }
  114. return $user->hasRole('ROLE_ADMIN');
  115. }
  117. /**
  118. * Check if logged in User can edit Property
  119. */
  120. private function canDeny(UserInterface $user): bool
  121. {
  122. if ($user->hasRight(self::DENY)) {
  123. return true;
  124. }
  126. return $user->hasRole('ROLE_ADMIN');
  127. }
  129. /**
  130. * Check if logged in User can delete Property
  131. */
  132. private function canDelete(UserInterface $user): bool
  133. {
  134. if ($user->hasRight(self::DELETE)) {
  135. return true;
  136. }
  138. return $user->hasRole('ROLE_ADMIN');
  139. }
  140. }