<?phpnamespace AppBundle\Security\Authorization\Voter;use AppBundle\Entity\Claim;use AppBundle\Entity\RecurringClaim;use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;use Symfony\Component\Security\Core\Authorization\Voter\Voter;use Symfony\Component\Security\Core\User\UserInterface;class ClaimVoter extends Voter{ const ATTEST = 'ATTEST'; const CANCEL = 'CANCEL'; const VIEW = 'VIEW'; const EDIT = 'EDIT'; const PROCESS = 'PROCESS'; /** * @inheritdoc */ protected function supports($attribute, $subject): bool { if ($subject instanceof Claim || $subject instanceof RecurringClaim) { return in_array($attribute, array(self::ATTEST, self::CANCEL, self::VIEW, self::EDIT, self::PROCESS), true); } return false; } /** * @inheritdoc */ protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool { // make sure there is a user object (i.e. that the user is logged in) $user = $token->getUser(); if (!$user instanceof UserInterface) { return false; } switch($attribute) { case self::CANCEL: // Supervisors should be rejecting via the processing side, so only participants have permission to cancel return $user === $subject->getParticipant(); case SELF::ATTEST: // Participants are allowed to attest to the validity of their claims and supervisors can attest on any participant's behalf case self::VIEW: // Participants can view their own claims or supervisors can load claims for any participant case self::EDIT: // Participants can edit their own claims or supervisors can edit claims for any participant return $user === $subject->getParticipant() || in_array('ROLE_SUPERVISOR', $user->getRoles(), true); case SELF::PROCESS: // Supervisors can process any claims return in_array('ROLE_SUPERVISOR', $user->getRoles(), true); } return false; }}