<?php
namespace AppBundle\Security\Authorization\Voter;
use AppBundle\Entity\Participant;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
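class ParticipantVoter extends Voter
{
    const SUBMIT_CLAIM = 'SUBMIT_CLAIM';
    const VIEW = 'VIEW';
    const VIEW_CLAIM = 'VIEW_CLAIM';

    /**
     * Tells the security component which (attribute, subject) pairs this voter decides on.
     *
     * Only Participant subjects are handled, and only for the SUBMIT_CLAIM, VIEW and
     * VIEW_CLAIM attributes; for anything else the voter abstains.
     *
     * @param string $attribute
     * @param mixed  $subject
     */
    protected function supports($attribute, $subject): bool
    {
        if (!$subject instanceof Participant) {
            return false;
        }

        $handled = [self::SUBMIT_CLAIM, self::VIEW, self::VIEW_CLAIM];

        // Strict comparison: the attribute must be exactly one of the three strings.
        return in_array($attribute, $handled, true);
    }

    /**
     * Grants or denies one supported attribute for a Participant subject.
     *
     * A token without a UserInterface user (nobody logged in) is always denied. Otherwise:
     *  - SUBMIT_CLAIM, VIEW_CLAIM: the user is the participant itself, or holds ROLE_SUPERVISOR;
     *  - VIEW: as above, or the user is the participant's employer.
     * Attributes are compared strictly (===), matching the strict check in supports(); the
     * loose comparison a switch performs is deliberately avoided in an authorization decision.
     * "Self" and "employer" are object-identity comparisons, so the token user and the
     * Participant (or its employer) must be the same instance for those rules to match.
     *
     * @param string      $attribute
     * @param Participant $subject   a subject that passed supports()
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();

        // Deny when the token carries no user object (i.e. the user is not logged in).
        if (!$user instanceof UserInterface) {
            return false;
        }

        $isSelf = ($user === $subject);

        if ($attribute === self::VIEW) {
            // Participants can view themselves; employers can view their participants;
            // supervisors can view anyone.
            // TODO: address assistant accounts
            return $isSelf || $user === $subject->getEmployer() || $this->isSupervisor($user);
        }

        if ($attribute === self::SUBMIT_CLAIM || $attribute === self::VIEW_CLAIM) {
            // Participants can submit/view their own claims; supervisors can do so for any participant.
            return $isSelf || $this->isSupervisor($user);
        }

        // Unknown attribute: deny rather than grant by accident.
        return false;
    }

    /**
     * Whether the user carries the supervisor role that overrides the per-participant rules.
     */
    private function isSupervisor(UserInterface $user): bool
    {
        return in_array('ROLE_SUPERVISOR', $user->getRoles(), true);
    }
}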