src/EventSubscriber/TimeEntryEventSubscriber.php line 30

Open in your IDE?
  1. <?php declare(strict_types=1);
  3. namespace App\EventSubscriber;
  5. use ApiPlatform\Core\Api\IriConverterInterface;
  6. use ApiPlatform\Core\EventListener\EventPriorities;
  7. use App\Entity\TimeControl\TimeEntry;
  8. use App\Entity\User;
  9. use App\Repository\UserRepository;
  10. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  11. use Symfony\Component\HttpFoundation\Request;
  12. use Symfony\Component\HttpKernel\Event\ViewEvent;
  13. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  14. use Symfony\Component\HttpKernel\KernelEvents;
  15. use Symfony\Component\Security\Core\Security;
  17. class TimeEntryEventSubscriber implements EventSubscriberInterface
  18. {
  19.     public function __construct(private Security $security, private IriConverterInterface $iriConverter, private UserRepository $repository)
  20.     {
  21.     }
  23.     public static function getSubscribedEvents(): array
  24.     {
  25.         return [
  26.             KernelEvents::VIEW => ['checkRoles'EventPriorities::PRE_WRITE],
  27.         ];
  28.     }
  30.     public function checkRoles(ViewEvent $event): void
  31.     {
  32.         $originTimeEntry $event->getControllerResult();
  34.         if (!$originTimeEntry instanceof TimeEntry) {
  35.             return;
  36.         }
  38.         if ($event->getRequest()->getMethod() === Request::METHOD_DELETE) {
  39.             $this->checkRolesOnDelete($originTimeEntry);
  40.         }
  42.         if (\in_array($event->getRequest()->getMethod(), [Request::METHOD_POSTRequest::METHOD_PUT], true)) {
  43.             $this->checkRoleOnChange($event$originTimeEntry);
  44.         }
  45.     }
  47.     protected function checkRolesOnDelete(TimeEntry $originTimeEntry): void
  48.     {
  49.         $user $this->security->getUser();
  50.         if (!$user instanceof User) {
  51.             return;
  52.         }
  54.         if (!$this->security->isGranted('ROLE_MANAGER') && $originTimeEntry->getUser() !== $user) {
  55.             throw new AccessDeniedHttpException('You cannot delete another user\'s entry');
  56.         }
  58.         if ($this->security->isGranted('ROLE_MANAGER') && !$this->security->isGranted('ROLE_ADMIN')) {
  59.             $manager $user->getManager();
  60.             $originProject $originTimeEntry->getProject();
  62.             if ($originTimeEntry->getUser() !== $user) {
  63.                 if ($originProject) {
  64.                     if (!$originProject->getManagers()->contains($manager)) {
  65.                         throw new AccessDeniedHttpException('You cannot delete an entry not in your project');
  66.                     }
  67.                 } else {
  68.                     throw new AccessDeniedHttpException('You cannot delete the entry for this user outside the project');
  69.                 }
  70.             }
  71.         }
  72.     }
  74.     protected function checkRoleOnChange(ViewEvent $eventTimeEntry $originTimeEntry): void
  75.     {
  76.         $content $event->getRequest()->getContent();
  77.         if (!\is_string($content)) {
  78.             throw new \RuntimeException('Request content must be a string');
  79.         }
  81.         try {
  82.             $requestData \json_decode($contenttrue512JSON_THROW_ON_ERROR);
  83.         } catch (\JsonException $e) {
  84.             throw new \RuntimeException($e->getMessage());
  85.         }
  87.         $user $this->security->getUser();
  88.         if (!$user instanceof User) {
  89.             throw new \RuntimeException('Cannot get user from security service');
  90.         }
  92.         $targetUser $this->loadUser($requestData['user'] ?? null);
  93.         if ($targetUser === null) {
  94.             return;
  95.         }
  97.         if ($this->security->isGranted('ROLE_USER') && !$this->security->isGranted('ROLE_MANAGER')) {
  98.             if ($targetUser !== $user) {
  99.                 throw new AccessDeniedHttpException('You cannot change your entry to another user\'s entry');
  100.             }
  101.             if ($originTimeEntry->getUser() !== $user) {
  102.                 throw new AccessDeniedHttpException('You cannot change another user\'s entry');
  103.             }
  104.         }
  106.         if ($this->security->isGranted('ROLE_MANAGER') && !$this->security->isGranted('ROLE_ADMIN')) {
  107.             $manager $user->getManager();
  108.             $originProject $originTimeEntry->getProject();
  110.             if ($originTimeEntry->getUser() !== $user) {
  111.                 if ($originProject) {
  112.                     if (!$originProject->getManagers()->contains($manager)) {
  113.                         throw new AccessDeniedHttpException('You cannot change an entry not in your project');
  114.                     }
  115.                 } else {
  116.                     throw new AccessDeniedHttpException('You cannot change the entry for this user outside the project');
  117.                 }
  118.             }
  119.         }
  120.     }
  122.     private function loadUser(?string $iri): ?User
  123.     {
  124.         if ($iri === null) {
  125.             return null;
  126.         }
  128.         $slug \pathinfo($iriPATHINFO_FILENAME);
  130.         return $this->repository->findOneBy(['slug' => $slug]);
  131.     }
  132. }