src/Voter/GuestbookVoter.php line 16

Open in your IDE?
  1. <?php
  2. /*
  3.  * Author: Dominik Piekarski <code@dompie.de>
  4.  * Created at: 2021/08/26 15:50
  5.  */
  6. declare(strict_types=1);
  8. namespace App\Voter;
  10. use App\Security\ApiUser;
  11. use Symfony\Component\HttpFoundation\RequestStack;
  12. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  14. use Symfony\Component\Security\Core\Security;
  16. class GuestbookVoter extends Voter
  17. {
  18.     public const PERMISSION_MANAGE_ENTRY 'guestbookManageEntry';
  19.     public const PERMISSION_VIEW_PUBLIC 'guestbookViewEntry';
  20.     public const PERMISSION_COMMENT 'guestbookCommentEntry';
  22.     protected Security $security;
  24.     /**
  25.      * @var RequestStack
  26.      */
  27.     protected RequestStack $requestStack;
  29.     /**
  30.      * @param Security $security
  31.      * @param RequestStack $requestStack
  32.      */
  33.     public function __construct(Security $securityRequestStack $requestStack)
  34.     {
  35.         $this->security $security;
  36.         $this->requestStack $requestStack;
  37.     }
  39.     protected function supports(string $attribute$subject)
  40.     {
  41.         $supportedAction in_array($attribute, [
  42.             self::PERMISSION_MANAGE_ENTRY,
  43.             self::PERMISSION_VIEW_PUBLIC,
  44.             self::PERMISSION_COMMENT
  45.         ], true);
  46.         $supportedSubject is_array($subject) && isset($subject['id']) && isset($subject['recipient'])
  47.             && isset($subject['is_spam']) && isset($subject['is_hidden']);
  49.         return $supportedSubject && $supportedAction;
  50.     }
  52.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token)
  53.     {
  54.         /** @var ApiUser $user */
  55.         $user $this->security->getUser();
  56.         // admins may do anything, but may NOT comment
  57.         if ($attribute !== self::PERMISSION_COMMENT && $this->security->isGranted('ROLE_ADMIN'$user)) {
  58.             return true;
  59.         }
  61.         $isKnownUser $user instanceof ApiUser && $user->getMemberId() > 0;
  62.         if ($isKnownUser && $subject['recipient']['username'] === $user->getUsername()) {
  63.             // owner may do anything
  64.             return true;
  65.         }
  67.         switch ($attribute) {
  68.             case self::PERMISSION_COMMENT:
  69.             case self::PERMISSION_MANAGE_ENTRY:
  70.                 // operators may comment and delete, but only via the operator app / section
  71.                 return $this->security->isGranted('ROLE_OPERATOR'$user) &&
  72.                     $this->requestStack->getMainRequest()->get('_route') === 'app_messenger_operator_guestbook';
  73.             case self::PERMISSION_VIEW_PUBLIC:
  74.                 return $subject['is_hidden'] === false && $subject['is_spam'] === false;
  75.         }
  77.         return false;
  78.     }
  79. }