src/Tuer24/Security/Voter/Tuer24OrderVoter.php line 25

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\Tuer24\Security\Voter;
  7. use App\Entity\Company;
  8. use App\Tuer24\Config\Tuer24Constants;
  9. use Roothirsch\CoreBundle\Behaviors\Attributable\MappedSuperclass\AbstractAttributeValue;
  10. use Roothirsch\ShopBundle\Entity\Order;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  13. use Symfony\Component\Security\Core\User\UserInterface;
  15. /**
  16. * Voter for TÜR24 Order permissions
  17. *
  18. * Handles authorization for:
  19. * - VIEW: Order owner OR assigned distributor
  20. * - ACCEPT: Assigned distributor only (order must be in 'submitted' state)
  21. * - REJECT: Assigned distributor only (order must be in 'submitted' state)
  22. * - CONFIRM: Order owner who IS a distributor (order must be in 'placed' state)
  23. * - SUBMIT: Order owner who is NOT a distributor + distributor assigned (order must be in 'placed' state)
  24. */
  25. class Tuer24OrderVoter extends Voter
  26. {
  27. public const VIEW = 'TUER24_ORDER_VIEW';
  28. public const EDIT = 'TUER24_ORDER_EDIT';
  29. public const ACCEPT = 'TUER24_ORDER_ACCEPT';
  30. public const REJECT = 'TUER24_ORDER_REJECT';
  31. public const CONFIRM = 'TUER24_ORDER_CONFIRM';
  32. public const SUBMIT = 'TUER24_ORDER_SUBMIT';
  34. protected function supports(string $attribute, mixed $subject): bool
  35. {
  36. if (!in_array($attribute, [self::VIEW, self::ACCEPT, self::REJECT, self::CONFIRM, self::SUBMIT, self::EDIT])) {
  37. return false;
  38. }
  39. if (!$subject instanceof Order) {
  40. return false;
  41. }
  42. return $subject->getType() === Tuer24Constants::ORDER_TYPE;
  43. }
  45. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  46. {
  47. $user = $token->getUser();
  49. if (!$user instanceof UserInterface) {
  50. return false;
  51. }
  53. /** @var Order $order */
  54. $order = $subject;
  56. return match ($attribute) {
  57. self::VIEW => $this->canView($order, $user, $token),
  58. self::EDIT => $this->canEdit($order, $user, $token),
  59. self::ACCEPT => $this->canAccept($order, $user, $token),
  60. self::REJECT => $this->canReject($order, $user, $token),
  61. self::CONFIRM => $this->canConfirm($order, $user, $token),
  62. self::SUBMIT => $this->canSubmit($order, $user, $token),
  63. default => false,
  64. };
  65. }
  68. private function canEdit(Order $order, UserInterface $user, TokenInterface $token): bool
  69. {
  70. return $this->isAssignedDistributor($order, $user, $token);
  71. }
  73. /**
  74. * Check if user can view the order
  75. * Allowed: Order owner OR assigned distributor
  76. */
  77. private function canView(Order $order, UserInterface $user, TokenInterface $token): bool
  78. {
  79. // Order owner can always view
  80. if ($this->isOrderOwner($order, $user)) {
  81. return true;
  82. }
  84. // Distributor assigned to this order can view
  85. if ($this->isAssignedDistributor($order, $user, $token)) {
  86. return true;
  87. }
  89. return false;
  90. }
  92. /**
  93. * Check if user can accept the order
  94. * Allowed: Assigned distributor only, order must be in 'submitted' state
  95. */
  96. private function canAccept(Order $order, UserInterface $user, TokenInterface $token): bool
  97. {
  98. // Only submitted orders can be accepted
  99. if ($order->getState() !== 'submitted') {
  100. return false;
  101. }
  103. // Only assigned distributors can accept
  104. return $this->isAssignedDistributor($order, $user, $token);
  105. }
  107. /**
  108. * Check if user can reject the order
  109. * Allowed: Assigned distributor only, order must be in 'submitted' state
  110. */
  111. private function canReject(Order $order, UserInterface $user, TokenInterface $token): bool
  112. {
  113. // Only submitted orders can be rejected
  114. if ($order->getState() !== 'submitted') {
  115. return false;
  116. }
  118. // Only assigned distributors can reject
  119. return $this->isAssignedDistributor($order, $user, $token);
  120. }
  122. private function canConfirm(Order $order, UserInterface $user, TokenInterface $token): bool
  123. {
  124. // Only submitted orders can be rejected
  125. if ($order->getState() !== 'placed') {
  126. return false;
  127. }
  129. if(!$this->isOrderOwner($order, $user)) {
  130. return false;
  131. }
  133. return $this->hasRole($token, Tuer24Constants::ROLE_DISTRIBUTOR);
  134. }
  136. /**
  137. * Check if user can submit the order
  138. * Allowed: Order owner who is NOT a distributor, with a distributor assigned
  139. */
  140. private function canSubmit(Order $order, UserInterface $user, TokenInterface $token): bool
  141. {
  142. // Only placed orders can be submitted
  143. if ($order->getState() !== 'placed') {
  144. return false;
  145. }
  147. // Must have a distributor assigned
  148. if ($this->getDistributorId($order) === null) {
  149. return false;
  150. }
  152. // Must be order owner
  153. if (!$this->isOrderOwner($order, $user)) {
  154. return false;
  155. }
  157. // Only non-distributors submit (distributors use confirm instead)
  158. return !$this->hasRole($token, Tuer24Constants::ROLE_DISTRIBUTOR);
  159. }
  161. /**
  162. * Check if user is the order owner
  163. */
  164. private function isOrderOwner(Order $order, UserInterface $user): bool
  165. {
  166. $orderOwner = $order->getOwner();
  168. if ($orderOwner === null) {
  169. return false;
  170. }
  172. if (!method_exists($user, 'getId') || !method_exists($orderOwner, 'getId')) {
  173. return false;
  174. }
  176. return $user->getId() === $orderOwner->getId();
  177. }
  179. /**
  180. * Check if user is an assigned distributor for this order
  181. */
  182. private function isAssignedDistributor(Order $order, UserInterface $user, TokenInterface $token): bool
  183. {
  184. // Must have distributor role
  185. if (!$this->hasRole($token, Tuer24Constants::ROLE_DISTRIBUTOR)) {
  186. return false;
  187. }
  189. // Must have a company
  190. if (!method_exists($user, 'getCompany')) {
  191. return false;
  192. }
  194. $userCompany = $user->getCompany();
  195. if ($userCompany === null) {
  196. return false;
  197. }
  199. $distributorCompanyId = $this->getDistributorId($order);
  200. if($distributorCompanyId === NULL) {
  201. return false;
  202. }
  204. return (string) $userCompany->getId() === (string) $distributorCompanyId;
  205. }
  207. private function getDistributorId(Order $order): null|int
  208. {
  209. $distributorAttribute = $order->getAttribute('distributor');
  210. if ($distributorAttribute === null) {
  211. return null;
  212. }
  213. /** @var AbstractAttributeValue $attributeValue */
  214. $attributeValue = $order->getAttributeValue($distributorAttribute);
  215. if ($attributeValue === null) {
  216. return null;
  217. }
  218. if($attributeValue->getEntity()) {
  219. return $attributeValue->getEntity()->getId();
  220. }
  221. return $attributeValue->getEntityId();
  222. }
  224. /**
  225. * Check if token has a specific role
  226. */
  227. private function hasRole(TokenInterface $token, string $role): bool
  228. {
  229. foreach ($token->getRoleNames() as $roleName) {
  230. if ($roleName === $role) {
  231. return true;
  232. }
  233. }
  235. return false;
  236. }
  237. }