vendor/netgen/layouts-ibexa/lib/Security/Authorization/Voter/RepositoryAccessVoter.php line 22

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Netgen\Layouts\Ibexa\Security\Authorization\Voter;
  7. use Ibexa\Core\MVC\Symfony\Security\Authorization\Attribute;
  8. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  9. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  10. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  13. use function is_string;
  14. use function str_starts_with;
  16. /**
  17. * Votes on Netgen Layouts attributes (ROLE_NGLAYOUTS_*) by matching corresponding access
  18. * rights in Ibexa CMS Repository.
  19. *
  20. * @extends \Symfony\Component\Security\Core\Authorization\Voter\Voter<string, \Netgen\Layouts\API\Values\Value|null>
  21. */
  22. final class RepositoryAccessVoter extends Voter
  23. {
  24. /**
  25. * Identifier of the Ibexa CMS module used for creating Netgen Layouts permissions.
  26. */
  27. private const MODULE = 'nglayouts';
  29. /**
  30. * Map of supported attributes to corresponding functions in the Ibexa CMS module.
  31. */
  32. private const ATTRIBUTE_TO_POLICY_MAP = [
  33. 'ROLE_NGLAYOUTS_ADMIN' => 'admin',
  34. 'ROLE_NGLAYOUTS_EDITOR' => 'editor',
  35. 'ROLE_NGLAYOUTS_API' => 'api',
  36. ];
  38. public function __construct(
  39. private RoleHierarchyInterface $roleHierarchy,
  40. private AccessDecisionManagerInterface $accessDecisionManager,
  41. ) {}
  43. /**
  44. * @param mixed[] $attributes
  45. */
  46. public function vote(TokenInterface $token, mixed $subject, array $attributes): int
  47. {
  48. // abstain vote by default in case none of the attributes are supported
  49. $vote = self::ACCESS_ABSTAIN;
  51. foreach ($attributes as $attribute) {
  52. if (!is_string($attribute) || !$this->supports($attribute, $subject)) {
  53. continue;
  54. }
  56. $reachableAttributes = $this->roleHierarchy->getReachableRoleNames([$attribute]);
  58. // rely on vote resolved by parent implementation
  59. $vote = parent::vote($token, $subject, $reachableAttributes);
  61. // return only if granted
  62. if ($vote === self::ACCESS_GRANTED) {
  63. return self::ACCESS_GRANTED;
  64. }
  65. }
  67. return $vote;
  68. }
  70. protected function supports(string $attribute, mixed $subject): bool
  71. {
  72. return str_starts_with($attribute, 'ROLE_NGLAYOUTS_');
  73. }
  75. protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
  76. {
  77. if (!isset(self::ATTRIBUTE_TO_POLICY_MAP[$attribute])) {
  78. return false;
  79. }
  81. $function = self::ATTRIBUTE_TO_POLICY_MAP[$attribute];
  83. return $this->accessDecisionManager->decide(
  84. $token,
  85. [new Attribute(self::MODULE, $function)],
  86. $subject,
  87. );
  88. }
  89. }