vendor/easycorp/easyadmin-bundle/src/Security/SecurityVoter.php line 19

Open in your IDE?
  1. <?php
  3. namespace EasyCorp\Bundle\EasyAdminBundle\Security;
  5. use EasyCorp\Bundle\EasyAdminBundle\Config\Action;
  6. use EasyCorp\Bundle\EasyAdminBundle\Dto\ActionDto;
  7. use EasyCorp\Bundle\EasyAdminBundle\Dto\CrudDto;
  8. use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
  9. use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
  10. use EasyCorp\Bundle\EasyAdminBundle\Dto\MenuItemDto;
  11. use EasyCorp\Bundle\EasyAdminBundle\Provider\AdminContextProvider;
  12. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  13. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  14. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  16. /**
  17. * @author Javier Eguiluz <javier.eguiluz@gmail.com>
  18. */
  19. final class SecurityVoter extends Voter
  20. {
  21. private $authorizationChecker;
  22. private $adminContextProvider;
  24. public function __construct(AuthorizationCheckerInterface $authorizationChecker, AdminContextProvider $adminContextProvider)
  25. {
  26. $this->authorizationChecker = $authorizationChecker;
  27. $this->adminContextProvider = $adminContextProvider;
  28. }
  30. protected function supports($permissionName, $subject)
  31. {
  32. return Permission::exists($permissionName);
  33. }
  35. protected function voteOnAttribute($permissionName, $subject, TokenInterface $token)
  36. {
  37. if (Permission::EA_VIEW_MENU_ITEM === $permissionName) {
  38. return $this->voteOnViewMenuItemPermission($subject);
  39. }
  41. if (Permission::EA_EXECUTE_ACTION === $permissionName) {
  42. return $this->voteOnExecuteActionPermission($this->adminContextProvider->getContext()->getCrud(), $subject['action'] ?? null, $subject['entity'] ?? null);
  43. }
  45. if (Permission::EA_VIEW_FIELD === $permissionName) {
  46. return $this->voteOnViewPropertyPermission($subject);
  47. }
  49. if (Permission::EA_ACCESS_ENTITY === $permissionName) {
  50. return $this->voteOnViewEntityPermission($subject);
  51. }
  53. if (Permission::EA_EXIT_IMPERSONATION === $permissionName) {
  54. return $this->voteOnExitImpersonationPermission();
  55. }
  57. return true;
  58. }
  60. private function voteOnViewMenuItemPermission(MenuItemDto $menuItemDto): bool
  61. {
  62. // users can see the menu item if they have the permission required by the menu item
  63. return $this->authorizationChecker->isGranted($menuItemDto->getPermission());
  64. }
  66. /**
  67. * @param string|ActionDto $actionNameOrDto
  68. */
  69. private function voteOnExecuteActionPermission(CrudDto $crudDto, $actionNameOrDto, ?EntityDto $entityDto): bool
  70. {
  71. // users can run the Crud action if:
  72. // * they have the required permission to execute the action on the given entity instance
  73. // * the action is not disabled
  75. if (!\is_string($actionNameOrDto) && !($actionNameOrDto instanceof ActionDto)) {
  76. throw new \RuntimeException(sprintf('When checking the "%s" permission with the isGranted() method, the value of the "action" parameter passed inside the voter $subject must be a string with the action name or a "%s" object.', Permission::EA_EXECUTE_ACTION, Asset::class));
  77. }
  78. $actionName = \is_string($actionNameOrDto) ? $actionNameOrDto : $actionNameOrDto->getName();
  80. $actionPermission = $crudDto->getActionsConfig()->getActionPermissions()[$actionName] ?? null;
  81. $disabledActionNames = $crudDto->getActionsConfig()->getDisabledActions();
  83. $subject = null === $entityDto ? null : $entityDto->getInstance();
  85. return $this->authorizationChecker->isGranted($actionPermission, $subject) && !\in_array($actionName, $disabledActionNames, true);
  86. }
  88. private function voteOnViewPropertyPermission(FieldDto $field): bool
  89. {
  90. // users can see the field if they have the permission required by the field
  91. return $this->authorizationChecker->isGranted($field->getPermission());
  92. }
  94. private function voteOnViewEntityPermission(EntityDto $entityDto): bool
  95. {
  96. // users can see the entity if they have the required permission on the specific entity instance
  97. return $this->authorizationChecker->isGranted($entityDto->getPermission(), $entityDto->getInstance());
  98. }
  100. private function voteOnExitImpersonationPermission(): bool
  101. {
  102. // users can exit impersonation if they are currently impersonating another user.
  103. // In Symfony, that means that current user has the special impersonator permission
  104. if (\defined('Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter::IS_IMPERSONATOR')) {
  105. $impersonatorPermission = 'IS_IMPERSONATOR';
  106. } else {
  107. $impersonatorPermission = 'ROLE_PREVIOUS_ADMIN';
  108. }
  110. return $this->authorizationChecker->isGranted($impersonatorPermission);
  111. }
  112. }