src/Security/Voter/CourseOccurrenceVoter.php line 16

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\CourseOccurrence;
  6. use App\Repository\OAuth\ClientRepository;
  7. use App\User\Entity\Client;
  8. use App\User\Entity\User;
  9. use League\Bundle\OAuth2ServerBundle\Security\User\NullUser;
  10. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  11. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  13. /**
  14.  * Security voter to control access to CourseOccurrence entities based on client ownership.
  15.  */
  16. class CourseOccurrenceVoter extends Voter
  17. {
  18.     public const VIEW 'view';
  19.     public const EDIT 'edit';
  20.     public const DELETE 'delete';
  22.     private ClientRepository $clientRepository;
  24.     public function __construct(ClientRepository $clientRepository)
  25.     {
  26.         $this->clientRepository $clientRepository;
  27.     }
  29.     protected function supports(string $attribute$subject): bool
  30.     {
  31.         return in_array($attribute, [self::VIEWself::EDITself::DELETE], true)
  32.             && $subject instanceof CourseOccurrence;
  33.     }
  35.     protected function voteOnAttribute(string $attribute$subjectTokenInterface $token): bool
  36.     {
  37.         $user $token->getUser();
  39.         // Determine the client based on user type
  40.         $userClient null;
  41.         
  42.         if ($user instanceof User) {
  43.             $userClient $user->getClient();
  44.             
  45.             // ROLE_SUPER_USER can access everything
  46.             if (in_array('ROLE_SUPER_USER'$user->getRoles(), true)) {
  47.                 return true;
  48.             }
  49.         } elseif ($user instanceof NullUser) {
  50.             // OAuth2 client credentials flow - get client from token
  51.             $oauthClientId $token->getAttribute('oauth_client_id');
  52.             if ($oauthClientId) {
  53.                 $oauthClient $this->clientRepository->find($oauthClientId);
  54.                 if ($oauthClient) {
  55.                     $userClient $oauthClient->getApplicationClient();
  56.                 }
  57.             }
  58.         } else {
  59.             // Unknown user type
  60.             return false;
  61.         }
  63.         /** @var CourseOccurrence $occurrence */
  64.         $occurrence $subject;
  66.         // Check if we have a valid user client
  67.         if (!$userClient) {
  68.             return false;
  69.         }
  71.         // Get the client of the occurrence (through course)
  72.         $occurrenceClient $occurrence->getClient();
  73.         if (!$occurrenceClient) {
  74.             return false;
  75.         }
  77.         // Check if both belong to the same client
  78.         if ($userClient->getId() !== $occurrenceClient->getId()) {
  79.             return false;
  80.         }
  82.         // For OAuth2 NullUser (API access), if client matches, allow VIEW access
  83.         if ($user instanceof NullUser && $attribute === self::VIEW) {
  84.             return true;
  85.         }
  87.         // For regular User, check roles
  88.         if ($user instanceof User) {
  89.             // User needs at least ROLE_MANAGER or ROLE_ADMIN to access occurrences
  90.             return in_array('ROLE_MANAGER'$user->getRoles(), true
  91.                 || in_array('ROLE_ADMIN'$user->getRoles(), true);
  92.         }
  94.         return false;
  95.     }
  96. }