<?php
/**
* Copyright (C) SUEZ Smart Solutions - All Rights Reserved
* On’Connect Gateway Management, 2018
* Unauthorized copying of this file, via any medium is strictly prohibited
* Proprietary and confidential
* For the full copyright and license information, please report to the LICENSE CONTRACT.
*/
namespace TSMS\AdminBundle\Security\Authorization\Voter;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use TSMS\CoreBundle\Entity\User;
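/**
 * Security voter deciding whether the authenticated user may delete a given User entity.
 *
 * Only the DELETE_USER attribute on User subjects is handled; every other
 * attribute or subject makes the voter abstain.
 */
class UserVoter implements VoterInterface
{
    const DELETE = 'DELETE_USER';

    /**
     * Service container, used to look up the authorization checker at vote time.
     *
     * @var ContainerInterface
     */
    private $container;

    /**
     * Resolved from the container inside vote() rather than injected.
     * NOTE(review): presumably lazy to avoid a circular service reference - confirm.
     *
     * @var AuthorizationCheckerInterface
     */
    private $authorizationChecker;

    /**
     * @param ContainerInterface $container container exposing 'security.authorization_checker'
     */
    public function __construct(ContainerInterface $container)
    {
        $this->container = $container;
    }

    /**
     * Tells whether this voter handles the given attribute.
     *
     * @param string $attribute
     *
     * @return bool true only for self::DELETE
     */
    public function supportsAttribute($attribute)
    {
        // Strict match: with a loose in_array() a non-string attribute such as
        // boolean true compares equal to 'DELETE_USER' and would be voted on as a delete.
        return in_array($attribute, [self::DELETE], true);
    }

    /**
     * Tells whether this voter handles subjects of the given class.
     *
     * @param string $class fully qualified class name of the subject
     *
     * @return bool true for the User entity and its subclasses
     */
    public function supportsClass($class)
    {
        $supportedClass = 'TSMS\CoreBundle\Entity\User';

        return $supportedClass === $class || is_subclass_of($class, $supportedClass);
    }

    /**
     * Votes on whether the user behind $token may delete $user.
     *
     * @param TokenInterface $token      token of the user requesting the deletion
     * @param User           $user       account that would be deleted
     * @param array          $attributes must hold exactly one attribute
     *
     * @return int one of the VoterInterface::ACCESS_* constants
     *
     * @throws \InvalidArgumentException when $attributes does not hold exactly one entry
     */
    public function vote(TokenInterface $token, $user, array $attributes)
    {
        // Abstain on anything that is not a User entity; is_object() already rules out null.
        if (!is_object($user) || !$this->supportsClass(get_class($user))) {
            return VoterInterface::ACCESS_ABSTAIN;
        }

        if (1 !== count($attributes)) {
            throw new \InvalidArgumentException(
                'Only one attribute is allowed for DELETE'
            );
        }

        // reset() reads the single attribute whatever its array key is.
        $attribute = reset($attributes);
        if (!$this->supportsAttribute($attribute)) {
            return VoterInterface::ACCESS_ABSTAIN;
        }

        // Fail closed: TokenInterface::getUser() is not guaranteed to return a User
        // entity (anonymous tokens, for instance). Without one there is no identity
        // or admin level to evaluate, and calling getId() on it would be a fatal error.
        $currentUser = $token->getUser();
        if (!$currentUser instanceof User) {
            return VoterInterface::ACCESS_DENIED;
        }

        // Defensive default should supportsAttribute() ever accept more attributes.
        if (self::DELETE !== $attribute) {
            return VoterInterface::ACCESS_DENIED;
        }

        $this->authorizationChecker = $this->container->get('security.authorization_checker');

        // A user can never delete their own account, and a target without an
        // identifier is refused. The comparisons stay loose on purpose: identifier
        // types are not visible here, and a strict int/string mismatch would let
        // the self-deletion check pass.
        $targetId = $user->getId();
        if ($currentUser->getId() == $targetId || null == $targetId) {
            return VoterInterface::ACCESS_DENIED;
        }

        // Deleting users requires at least ROLE_ADMIN_COLLECTIVITY.
        if (!$this->authorizationChecker->isGranted('ROLE_ADMIN_COLLECTIVITY')) {
            return VoterInterface::ACCESS_DENIED;
        }

        // The level checks below keep loose comparison because the types of the
        // User::*_LEVEL constants and of getAdminLevel() are not visible from this file.
        // NOTE(review): only admin levels are compared; whether the target belongs to
        // the current admin's collectivity/perimeter is not checked here - confirm it
        // is enforced elsewhere.
        $currentLevel = $currentUser->getAdminLevel();
        $targetLevel = $user->getAdminLevel();

        // A collectivity admin may not delete internal users.
        if (User::ADMIN_COLLECTIVITY_LEVEL == $currentLevel && User::INTERNAL_USER_LEVEL == $targetLevel) {
            return VoterInterface::ACCESS_DENIED;
        }

        // Perimeter and collectivity admins may not delete a TSMS admin.
        $isLowerAdmin = in_array($currentLevel, [User::ADMIN_PERIMETER_LEVEL, User::ADMIN_COLLECTIVITY_LEVEL]);
        if ($isLowerAdmin && User::ADMIN_TSMS_LEVEL == $targetLevel) {
            return VoterInterface::ACCESS_DENIED;
        }

        return VoterInterface::ACCESS_GRANTED;
    }
}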