vendor/netgen/layouts-core/lib/Security/Authorization/Voter/PolicyToRoleMapVoter.php line 19

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Netgen\Layouts\Security\Authorization\Voter;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. use function is_string;
  12. use function str_starts_with;
  14. /**
  15. * Votes on Netgen Layouts permissions (nglayouts:*) by mapping the permissions to built-in roles (ROLE_NGLAYOUTS_*).
  16. *
  17. * @extends \Symfony\Component\Security\Core\Authorization\Voter\Voter<string, mixed>
  18. */
  19. final class PolicyToRoleMapVoter extends Voter
  20. {
  21. /**
  22. * Map of supported permissions to their respective roles.
  23. */
  24. private const POLICY_TO_ROLE_MAP = [
  25. 'nglayouts:block:add' => self::ROLE_EDITOR,
  26. 'nglayouts:block:edit' => self::ROLE_EDITOR,
  27. 'nglayouts:block:delete' => self::ROLE_EDITOR,
  28. 'nglayouts:block:reorder' => self::ROLE_EDITOR,
  29. 'nglayouts:layout:add' => self::ROLE_ADMIN,
  30. 'nglayouts:layout:edit' => self::ROLE_EDITOR,
  31. 'nglayouts:layout:delete' => self::ROLE_ADMIN,
  32. 'nglayouts:layout:clear_cache' => self::ROLE_ADMIN,
  33. 'nglayouts:mapping:edit' => self::ROLE_ADMIN,
  34. 'nglayouts:mapping:edit_group' => self::ROLE_ADMIN,
  35. 'nglayouts:mapping:activate' => self::ROLE_ADMIN,
  36. 'nglayouts:mapping:activate_group' => self::ROLE_ADMIN,
  37. 'nglayouts:mapping:delete' => self::ROLE_ADMIN,
  38. 'nglayouts:mapping:reorder' => self::ROLE_ADMIN,
  39. 'nglayouts:collection:edit' => self::ROLE_EDITOR,
  40. 'nglayouts:collection:items' => self::ROLE_EDITOR,
  41. 'nglayouts:ui:access' => self::ROLE_ADMIN,
  42. 'nglayouts:api:read' => self::ROLE_API,
  43. ];
  45. /**
  46. * The identifier of the admin role. Users having this role
  47. * have full and unrestricted access to the entire system.
  48. */
  49. private const ROLE_ADMIN = 'ROLE_NGLAYOUTS_ADMIN';
  51. /**
  52. * The identifier of the editor role. Users having this role
  53. * have full access only to the layout editing interface.
  54. */
  55. private const ROLE_EDITOR = 'ROLE_NGLAYOUTS_EDITOR';
  57. /**
  58. * The identifier of the API role. Users having this role
  59. * have access to read only data of the API endpoints.
  60. */
  61. private const ROLE_API = 'ROLE_NGLAYOUTS_API';
  63. private AccessDecisionManagerInterface $accessDecisionManager;
  65. public function __construct(AccessDecisionManagerInterface $accessDecisionManager)
  66. {
  67. $this->accessDecisionManager = $accessDecisionManager;
  68. }
  70. /**
  71. * @param mixed $attribute
  72. * @param mixed $subject
  73. */
  74. protected function supports($attribute, $subject): bool
  75. {
  76. return is_string($attribute) && str_starts_with($attribute, 'nglayouts:');
  77. }
  79. /**
  80. * @param string $attribute
  81. * @param mixed $subject
  82. */
  83. protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
  84. {
  85. if (!isset(self::POLICY_TO_ROLE_MAP[$attribute])) {
  86. return false;
  87. }
  89. return $this->accessDecisionManager->decide(
  90. $token,
  91. [self::POLICY_TO_ROLE_MAP[$attribute]],
  92. $subject,
  93. );
  94. }
  95. }