Part-DB-server/src/Security/Voter/AttachmentVoter.php

<?php
/**
 * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
 *
 * Copyright (C) 2019 - 2022 Jan Böhmer (https://github.com/jbtronics)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published
 * by the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

declare(strict_types=1);

namespace App\Security\Voter;

use App\Entity\Attachments\Attachment;
use App\Entity\Attachments\AttachmentTypeAttachment;
use App\Entity\Attachments\CategoryAttachment;
use App\Entity\Attachments\CurrencyAttachment;
use App\Entity\Attachments\FootprintAttachment;
use App\Entity\Attachments\GroupAttachment;
use App\Entity\Attachments\ManufacturerAttachment;
use App\Entity\Attachments\MeasurementUnitAttachment;
use App\Entity\Attachments\PartAttachment;
use App\Entity\Attachments\ProjectAttachment;
use App\Entity\Attachments\StorelocationAttachment;
use App\Entity\Attachments\SupplierAttachment;
use App\Entity\Attachments\UserAttachment;
use App\Entity\UserSystem\User;
use App\Services\UserSystem\PermissionManager;
use Doctrine\ORM\EntityManagerInterface;
use RuntimeException;
use Symfony\Component\Security\Core\Security;

use function in_array;

class AttachmentVoter extends ExtendedVoter
{
    public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, protected \Symfony\Bundle\SecurityBundle\Security $security)
    {
        parent::__construct($resolver, $entityManager);
    }

    /**
     * Similar to voteOnAttribute, but checking for the anonymous user is already done.
     * The current user (or the anonymous user) is passed by $user.
     *
     * @param  string  $attribute
     */
    protected function voteOnUser(string $attribute, $subject, User $user): bool
    {
        //return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;

        //This voter only works for attachments
        if (!is_a($subject, Attachment::class, true)) {
            return false;
        }

        if ($attribute === 'show_private') {
            return $this->resolver->inherit($user, 'attachments', 'show_private') ?? false;
        }


        if (is_object($subject)) {
            //If the attachment has no element (which should not happen), we deny access, as we can not determine if the user is allowed to access the associated element
            $target_element = $subject->getElement();
            if ($target_element instanceof \App\Entity\Attachments\AttachmentContainingDBElement) {
                return $this->security->isGranted($this->mapOperation($attribute), $target_element);
            }
        }

        if (is_string($subject)) {
            //If we do not have a concrete element (or we just got a string as value), we delegate to the different categories
            if (is_a($subject, AttachmentTypeAttachment::class, true)) {
                $param = 'attachment_types';
            } elseif (is_a($subject, CategoryAttachment::class, true)) {
                $param = 'categories';
            } elseif (is_a($subject, CurrencyAttachment::class, true)) {
                $param = 'currencies';
            } elseif (is_a($subject, ProjectAttachment::class, true)) {
                $param = 'projects';
            } elseif (is_a($subject, FootprintAttachment::class, true)) {
                $param = 'footprints';
            } elseif (is_a($subject, GroupAttachment::class, true)) {
                $param = 'groups';
            } elseif (is_a($subject, ManufacturerAttachment::class, true)) {
                $param = 'manufacturers';
            } elseif (is_a($subject, MeasurementUnitAttachment::class, true)) {
                $param = 'measurement_units';
            } elseif (is_a($subject, PartAttachment::class, true)) {
                $param = 'parts';
            } elseif (is_a($subject, StorelocationAttachment::class, true)) {
                $param = 'storelocations';
            } elseif (is_a($subject, SupplierAttachment::class, true)) {
                $param = 'suppliers';
            } elseif (is_a($subject, UserAttachment::class, true)) {
                $param = 'users';
            } elseif ($subject === Attachment::class) {
                //If the subject was deleted, we can not determine the type properly, so we just use the parts permission
                $param = 'parts';
            }
            else {
                throw new RuntimeException('Encountered unknown Parameter type: ' . (is_object($subject) ? $subject::class : $subject));
            }

            return $this->resolver->inherit($user, $param, $this->mapOperation($attribute)) ?? false;
        }

        return false;
    }

    private function mapOperation(string $attribute): string
    {
        return match ($attribute) {
            'read', 'view' => 'read',
            'edit', 'create', 'delete' => 'edit',
            'show_history' => 'show_history',
            default => throw new \RuntimeException('Encountered unknown attribute "'.$attribute.'" in AttachmentVoter!'),
        };
    }

    /**
     * Determines if the attribute and subject are supported by this voter.
     *
     * @param  string  $attribute An attribute
     * @param mixed  $subject   The subject to secure, e.g. an object the user wants to access or any other PHP type
     *
     * @return bool True if the attribute and subject are supported, false otherwise
     */
    protected function supports(string $attribute, $subject): bool
    {
        if (is_a($subject, Attachment::class, true)) {
            //These are the allowed attributes
            return in_array($attribute, ['read', 'view', 'edit', 'delete', 'create', 'show_private', 'show_history'], true);
        }

        //Allow class name as subject
        return false;
    }
}
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`<?php`
Changed license to AGPL3+ 2020-02-22 18:14:36 +01:00			`/**`
			`* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).`
			`*`
Removed old GPLv2 copyright header 2022-11-29 22:28:53 +01:00			`* Copyright (C) 2019 - 2022 Jan Böhmer (https://github.com/jbtronics)`
Changed license to AGPL3+ 2020-02-22 18:14:36 +01:00			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as published`
			`* by the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
			`*/`
Applied code style rules to src/ 2020-01-05 15:46:58 +01:00
			`declare(strict_types=1);`

Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`namespace App\Security\Voter;`

Added entities and properties for some future features. 2019-08-12 15:47:57 +02:00			`use App\Entity\Attachments\Attachment;`
Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`use App\Entity\Attachments\AttachmentTypeAttachment;`
			`use App\Entity\Attachments\CategoryAttachment;`
			`use App\Entity\Attachments\CurrencyAttachment;`
			`use App\Entity\Attachments\FootprintAttachment;`
			`use App\Entity\Attachments\GroupAttachment;`
			`use App\Entity\Attachments\ManufacturerAttachment;`
			`use App\Entity\Attachments\MeasurementUnitAttachment;`
			`use App\Entity\Attachments\PartAttachment;`
			`use App\Entity\Attachments\ProjectAttachment;`
			`use App\Entity\Attachments\StorelocationAttachment;`
			`use App\Entity\Attachments\SupplierAttachment;`
			`use App\Entity\Attachments\UserAttachment;`
Added entities and properties for some future features. 2019-08-12 15:47:57 +02:00			`use App\Entity\UserSystem\User;`
Renamed PermissionResolver service to PermissionService 2022-11-14 20:15:06 +01:00			`use App\Services\UserSystem\PermissionManager;`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`use Doctrine\ORM\EntityManagerInterface;`
Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`use RuntimeException;`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`use Symfony\Component\Security\Core\Security;`

Applied symplify rules to codebase. 2020-01-05 22:49:00 +01:00			`use function in_array;`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00
			`class AttachmentVoter extends ExtendedVoter`
			`{`
Applied rector with PHP8.1 migration rules 2023-06-11 14:15:46 +02:00			`public function __construct(PermissionManager $resolver, EntityManagerInterface $entityManager, protected \Symfony\Bundle\SecurityBundle\Security $security)`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`{`
			`parent::__construct($resolver, $entityManager);`
			`}`

Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`/**`
			`* Similar to voteOnAttribute, but checking for the anonymous user is already done.`
			`* The current user (or the anonymous user) is passed by $user.`
			`*`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`* @param string $attribute`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`*/`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`protected function voteOnUser(string $attribute, $subject, User $user): bool`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`{`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`//return $this->resolver->inherit($user, 'attachments', $attribute) ?? false;`

Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`//This voter only works for attachments`
			`if (!is_a($subject, Attachment::class, true)) {`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`return false;`
			`}`

Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`if ($attribute === 'show_private') {`
			`return $this->resolver->inherit($user, 'attachments', 'show_private') ?? false;`
			`}`


			`if (is_object($subject)) {`
			`//If the attachment has no element (which should not happen), we deny access, as we can not determine if the user is allowed to access the associated element`
			`$target_element = $subject->getElement();`
Applied rector with PHP8.1 migration rules 2023-06-11 14:15:46 +02:00			`if ($target_element instanceof \App\Entity\Attachments\AttachmentContainingDBElement) {`
Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`return $this->security->isGranted($this->mapOperation($attribute), $target_element);`
			`}`
			`}`

			`if (is_string($subject)) {`
			`//If we do not have a concrete element (or we just got a string as value), we delegate to the different categories`
			`if (is_a($subject, AttachmentTypeAttachment::class, true)) {`
			`$param = 'attachment_types';`
			`} elseif (is_a($subject, CategoryAttachment::class, true)) {`
			`$param = 'categories';`
			`} elseif (is_a($subject, CurrencyAttachment::class, true)) {`
			`$param = 'currencies';`
			`} elseif (is_a($subject, ProjectAttachment::class, true)) {`
			`$param = 'projects';`
			`} elseif (is_a($subject, FootprintAttachment::class, true)) {`
			`$param = 'footprints';`
			`} elseif (is_a($subject, GroupAttachment::class, true)) {`
			`$param = 'groups';`
			`} elseif (is_a($subject, ManufacturerAttachment::class, true)) {`
			`$param = 'manufacturers';`
			`} elseif (is_a($subject, MeasurementUnitAttachment::class, true)) {`
			`$param = 'measurement_units';`
			`} elseif (is_a($subject, PartAttachment::class, true)) {`
			`$param = 'parts';`
			`} elseif (is_a($subject, StorelocationAttachment::class, true)) {`
			`$param = 'storelocations';`
			`} elseif (is_a($subject, SupplierAttachment::class, true)) {`
			`$param = 'suppliers';`
			`} elseif (is_a($subject, UserAttachment::class, true)) {`
			`$param = 'users';`
			`} elseif ($subject === Attachment::class) {`
			`//If the subject was deleted, we can not determine the type properly, so we just use the parts permission`
			`$param = 'parts';`
			`}`
			`else {`
Applied rector with PHP8.1 migration rules 2023-06-11 14:15:46 +02:00			`throw new RuntimeException('Encountered unknown Parameter type: ' . (is_object($subject) ? $subject::class : $subject));`
Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`}`

			`return $this->resolver->inherit($user, $param, $this->mapOperation($attribute)) ?? false;`
			`}`
Fixed static analysis issue 2023-05-27 19:29:00 +02:00
			`return false;`
Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`}`

			`private function mapOperation(string $attribute): string`
			`{`
Applied rector with PHP8.1 migration rules 2023-06-11 14:15:46 +02:00			`return match ($attribute) {`
			`'read', 'view' => 'read',`
			`'edit', 'create', 'delete' => 'edit',`
			`'show_history' => 'show_history',`
			`default => throw new \RuntimeException('Encountered unknown attribute "'.$attribute.'" in AttachmentVoter!'),`
			`};`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`}`

			`/**`
			`* Determines if the attribute and subject are supported by this voter.`
			`*`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`* @param string $attribute An attribute`
Added an PHP CS fixer config file and applied it to files. We now use the same the same style as the symfony project, and it allows us to simply fix the style by executing php_cs_fixer fix in the project root. 2019-11-09 00:47:20 +01:00			`* @param mixed $subject The subject to secure, e.g. an object the user wants to access or any other PHP type`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`*`
			`* @return bool True if the attribute and subject are supported, false otherwise`
			`*/`
Fixed some deprecations. 2022-08-14 19:09:07 +02:00			`protected function supports(string $attribute, $subject): bool`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`{`
Check permissions for time travel and element undo. 2020-03-07 20:49:52 +01:00			`if (is_a($subject, Attachment::class, true)) {`
Made the access to an attachment depending on the access rights of the associated elemenst 2022-11-02 23:27:44 +01:00			`//These are the allowed attributes`
Implemented proper voters for attachments and parameters, so we can decide access for log details 2023-05-27 19:17:27 +02:00			`return in_array($attribute, ['read', 'view', 'edit', 'delete', 'create', 'show_private', 'show_history'], true);`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`}`

Check permissions for time travel and element undo. 2020-03-07 20:49:52 +01:00			`//Allow class name as subject`
Allow to download and view attachments via part info page. 2019-08-10 18:06:28 +02:00			`return false;`
			`}`
Added an PHP CS fixer config file and applied it to files. We now use the same the same style as the symfony project, and it allows us to simply fix the style by executing php_cs_fixer fix in the project root. 2019-11-09 00:47:20 +01:00			`}`