<?php
namespace AppBundle\Security\Authorization\Voter;
use AppBundle\Entity\Claim;
use AppBundle\Entity\RecurringClaim;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
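/**
 * Authorization voter for Claim and RecurringClaim subjects.
 *
 * Decision rules (unchanged from the original implementation):
 *  - CANCEL: only the claim's participant. Supervisors are expected to reject
 *    through the processing side rather than cancel.
 *  - ATTEST / VIEW / EDIT: the claim's participant, or any user whose roles
 *    include ROLE_SUPERVISOR.
 *  - PROCESS: any user whose roles include ROLE_SUPERVISOR.
 *
 * NOTE(review): the supervisor check reads $user->getRoles() directly, so it
 * does not consult the security role hierarchy. A role that merely inherits
 * ROLE_SUPERVISOR through security.role_hierarchy would be denied here even
 * though isGranted('ROLE_SUPERVISOR') would pass elsewhere. If a hierarchy is
 * configured, inject the access decision manager (or Security helper) and call
 * isGranted() instead — that is a constructor change and is not made here.
 */
class ClaimVoter extends Voter
{
    const ATTEST = 'ATTEST';
    const CANCEL = 'CANCEL';
    const VIEW = 'VIEW';
    const EDIT = 'EDIT';
    const PROCESS = 'PROCESS';

    /**
     * Only Claim / RecurringClaim subjects with one of the five attributes above
     * are handled; everything else abstains.
     *
     * The strict in_array here is what makes the loose comparison of the switch
     * in voteOnAttribute() safe: only exact string matches ever reach it.
     *
     * @inheritdoc
     */
    protected function supports($attribute, $subject): bool
    {
        $isClaim = $subject instanceof Claim || $subject instanceof RecurringClaim;

        return $isClaim && in_array(
            $attribute,
            [self::ATTEST, self::CANCEL, self::VIEW, self::EDIT, self::PROCESS],
            true
        );
    }

    /**
     * Decide one supported attribute for one supported subject.
     *
     * Anonymous tokens (no UserInterface on the token) are always denied.
     *
     * @inheritdoc
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
        // An unauthenticated token carries a string (or null), not a user object.
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false;
        }

        switch ($attribute) {
            case self::CANCEL:
                // Supervisors should be rejecting via the processing side, so
                // only the participant has permission to cancel.
                return $this->isParticipant($user, $subject);

            case self::ATTEST:
            case self::VIEW:
            case self::EDIT:
                // Participants act on their own claims; supervisors on anyone's.
                return $this->isParticipant($user, $subject) || $this->isSupervisor($user);

            case self::PROCESS:
                // Supervisors can process any claim.
                return $this->isSupervisor($user);
        }

        // Unreachable for attributes accepted by supports(); deny by default.
        return false;
    }

    /**
     * True when the token's user is the subject's participant.
     *
     * NOTE(review): this is object identity (===), exactly as the original. It
     * relies on the token user and $subject->getParticipant() being the same
     * managed instance (e.g. both resolved through one Doctrine identity map).
     * If either side can be a detached or re-hydrated copy, compare a stable
     * identifier instead — confirm against the user provider before changing.
     *
     * @param Claim|RecurringClaim $subject
     */
    private function isParticipant(UserInterface $user, $subject): bool
    {
        return $user === $subject->getParticipant();
    }

    /**
     * True when ROLE_SUPERVISOR is literally present in the user's roles.
     * No role hierarchy is applied (see class docblock).
     */
    private function isSupervisor(UserInterface $user): bool
    {
        return in_array('ROLE_SUPERVISOR', $user->getRoles(), true);
    }
}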