vendor/easycorp/easyadmin-bundle/src/Security/SecurityVoter.php line 18

Open in your IDE?
  1. <?php
  3. namespace EasyCorp\Bundle\EasyAdminBundle\Security;
  5. use EasyCorp\Bundle\EasyAdminBundle\Dto\ActionDto;
  6. use EasyCorp\Bundle\EasyAdminBundle\Dto\CrudDto;
  7. use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
  8. use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
  9. use EasyCorp\Bundle\EasyAdminBundle\Dto\MenuItemDto;
  10. use EasyCorp\Bundle\EasyAdminBundle\Provider\AdminContextProvider;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  15. /*
  16. * @author Javier Eguiluz <javier.eguiluz@gmail.com>
  17. */
  18. final class SecurityVoter extends Voter
  19. {
  20. private AuthorizationCheckerInterface $authorizationChecker;
  21. private AdminContextProvider $adminContextProvider;
  23. public function __construct(AuthorizationCheckerInterface $authorizationChecker, AdminContextProvider $adminContextProvider)
  24. {
  25. $this->authorizationChecker = $authorizationChecker;
  26. $this->adminContextProvider = $adminContextProvider;
  27. }
  29. protected function supports(string $permissionName, mixed $subject): bool
  30. {
  31. return Permission::exists($permissionName);
  32. }
  34. protected function voteOnAttribute($permissionName, $subject, TokenInterface $token): bool
  35. {
  36. if (Permission::EA_VIEW_MENU_ITEM === $permissionName) {
  37. return $this->voteOnViewMenuItemPermission($subject);
  38. }
  40. if (Permission::EA_EXECUTE_ACTION === $permissionName) {
  41. return $this->voteOnExecuteActionPermission($this->adminContextProvider->getContext()->getCrud(), $subject['action'] ?? null, $subject['entity'] ?? null);
  42. }
  44. if (Permission::EA_VIEW_FIELD === $permissionName) {
  45. return $this->voteOnViewPropertyPermission($subject);
  46. }
  48. if (Permission::EA_ACCESS_ENTITY === $permissionName) {
  49. return $this->voteOnViewEntityPermission($subject);
  50. }
  52. if (Permission::EA_EXIT_IMPERSONATION === $permissionName) {
  53. return $this->voteOnExitImpersonationPermission();
  54. }
  56. return true;
  57. }
  59. private function voteOnViewMenuItemPermission(MenuItemDto $menuItemDto): bool
  60. {
  61. // users can see the menu item if they have the permission required by the menu item
  62. return $this->authorizationChecker->isGranted($menuItemDto->getPermission(), $menuItemDto);
  63. }
  65. private function voteOnExecuteActionPermission(CrudDto $crudDto, ActionDto|string $actionNameOrDto, ?EntityDto $entityDto): bool
  66. {
  67. // users can run the Crud action if:
  68. // * they have the required permission to execute the action on the given entity instance
  69. // * the action is not disabled
  71. $actionName = \is_string($actionNameOrDto) ? $actionNameOrDto : $actionNameOrDto->getName();
  73. $actionPermission = $crudDto->getActionsConfig()->getActionPermissions()[$actionName] ?? null;
  74. $disabledActionNames = $crudDto->getActionsConfig()->getDisabledActions();
  76. $subject = null === $entityDto ? null : $entityDto->getInstance();
  78. return $this->authorizationChecker->isGranted($actionPermission, $subject) && !\in_array($actionName, $disabledActionNames, true);
  79. }
  81. private function voteOnViewPropertyPermission(FieldDto $field): bool
  82. {
  83. // users can see the field if they have the permission required by the field
  84. return $this->authorizationChecker->isGranted($field->getPermission(), $field);
  85. }
  87. private function voteOnViewEntityPermission(EntityDto $entityDto): bool
  88. {
  89. // users can see the entity if they have the required permission on the specific entity instance
  90. return $this->authorizationChecker->isGranted($entityDto->getPermission(), $entityDto->getInstance());
  91. }
  93. private function voteOnExitImpersonationPermission(): bool
  94. {
  95. // users can exit impersonation if they are currently impersonating another user.
  96. // In Symfony, that means that current user has the special impersonator permission
  97. if (\defined('Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter::IS_IMPERSONATOR')) {
  98. $impersonatorPermission = 'IS_IMPERSONATOR';
  99. } else {
  100. $impersonatorPermission = 'ROLE_PREVIOUS_ADMIN';
  101. }
  103. return $this->authorizationChecker->isGranted($impersonatorPermission);
  104. }
  105. }