<?php
/*
* This file is part of Sulu.
*
* (c) Sulu GmbH
*
* This source file is subject to the MIT license that is bundled
* with this source code in the file LICENSE.
*/
namespace Sulu\Component\Security\Authorization;
use Sulu\Bundle\SecurityBundle\Entity\User;
use Sulu\Component\Security\Authorization\AccessControl\AccessControlManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
/**
* Checks the Sulu security.
*/
class SecurityContextVoter implements VoterInterface
{
/**
* The permissions available, defined by config.
*
* @var array
*/
private $permissions;
/**
* @var AccessControlManagerInterface
*/
private $accessControlManager;
public function __construct(AccessControlManagerInterface $accessControlManager, $permissions)
{
$this->accessControlManager = $accessControlManager;
$this->permissions = $permissions;
}
public function supportsAttribute($attribute)
{
return \in_array($attribute, \array_keys($this->permissions));
}
public function supportsClass($class)
{
return SecurityCondition::class === $class || \is_subclass_of($class, SecurityCondition::class);
}
public function vote(TokenInterface $token, $object, array $attributes)
{
/** @var User $user */
$user = $token->getUser();
if (!\is_object($object) ||
!$this->supportsClass(\get_class($object))
) {
return VoterInterface::ACCESS_ABSTAIN;
}
$userPermissions = $this->accessControlManager->getUserPermissions($object, $user);
if (0 === \count($userPermissions)) {
return VoterInterface::ACCESS_DENIED;
}
// only if all attributes are granted the access is granted
foreach ($attributes as $attribute) {
if (isset($userPermissions[$attribute]) && !$userPermissions[$attribute]) {
return VoterInterface::ACCESS_DENIED;
}
}
return VoterInterface::ACCESS_GRANTED;
}
}