src/Security/Voters/ClientVoter.php line 17

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voters;
  5. use App\Domain\Exception\Restrict\RestrictException;
  6. use App\Services\Accounts\ChildAccountService;
  7. use App\Services\Clients\ClientSystemState\ClientSystemStateService;
  8. use App\Entity\Client;
  9. use App\Entity\CompanyPerson;
  10. use App\Entity\OA2User;
  11. use App\Repository\ClientAccountRepository;
  12. use App\Repository\ClientRepository;
  13. use App\Repository\CompanyPersonRepository;
  14. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  15. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  17. class ClientVoter extends Voter
  18. {
  19.     public const MODE_READ 'read';
  20.     public const MODE_UPDATE 'update';
  21.     public const MODE_DELETE 'delete';
  22.     public const CAN_OPEN_ACCOUNTS 'can_open_accounts';
  23.     public const CAN_GRANT_PERMISSIONS 'can_grant_permissions';
  24.     public const CAN_ADD_COMPANY_PERSONS 'can_add_company_persons';
  25.     public const CAN_CHANGE_COMPANY_ACCOUNT_LIMITS 'can_change_company_account_limits';
  26.     public const CAN_MAKE_CLUSTERS 'can_make_clusters';
  27.     public const IN_COMPANY 'in_company';
  28.     public const CAN_VIEW_SHAREHOLDERS 'can_view_shareholders';
  29.     public const CAN_ADD_SHAREHOLDERS 'can_add_shareholders';
  30.     public const CAN_UPDATE_COMPANY 'can_update_company';
  31.     public const CAN_CREATE_COMPANY 'can_create_company';
  33.     /**
  34.      * @var ClientRepository
  35.      */
  36.     private $clientRepository;
  38.     /**
  39.      * @var ClientAccountRepository
  40.      */
  41.     private $clientAccountRepository;
  43.     /**
  44.      * @var CompanyPersonRepository
  45.      */
  46.     private $companyPersonRepository;
  47.     /**
  48.      * @var ClientSystemStateService
  49.      */
  50.     private $systemStateService;
  52.     private $childAccountService;
  54.     public function __construct(
  55.         ClientRepository $clientRepository,
  56.         CompanyPersonRepository $companyPersonRepository,
  57.         ClientAccountRepository $clientAccountRepository,
  58.         ChildAccountService $childAccountService,
  59.         ClientSystemStateService $systemStateService
  60.     ) {
  61.         $this->clientRepository $clientRepository;
  62.         $this->companyPersonRepository $companyPersonRepository;
  63.         $this->clientAccountRepository $clientAccountRepository;
  64.         $this->childAccountService $childAccountService;
  65.         $this->systemStateService $systemStateService;
  66.     }
  68.     protected function supports($attribute$subject)
  69.     {
  70.         if (!in_array($attribute$this->getSupportedPermissions())) {
  71.             return false;
  72.         }
  74.         // only vote on Post objects inside this voter
  75.         return !(!$subject instanceof Client)
  77.          ;
  78.     }
  80.     protected function voteOnAttribute($attribute$subjectTokenInterface $token)
  81.     {
  82.         if (!in_array($attribute$this->getSupportedPermissions())) {
  83.             return false;
  84.         }
  85.         /** @var Client $ownerClient */
  86.         $ownerClient $subject;
  88.         /** @var Client $currentClient */
  89.         $currentClient $this->getCurrentClient($token);
  91.         if (!$currentClient) {
  92.             return false;
  93.         }
  95.         // Its a workaround for shareholders functionality
  96.         // Specially for that endpoints we need check company relation without checking company write permissions
  97.         if ($attribute == self::CAN_VIEW_SHAREHOLDERS) {
  98.             return $this->inCompany($currentClient$ownerClient);
  99.         }
  100.         if ($attribute == self::CAN_ADD_SHAREHOLDERS) {
  101.             if (!$this->allowUseSystem($currentClient)) {
  102.                 return false;
  103.             }
  105.             return $this->inCompany($currentClient$ownerClient);
  106.         }
  107.         if ($attribute === self::CAN_UPDATE_COMPANY) {
  108.             return $this->canGrantPermissions($currentClient$ownerClient);
  109.         }
  110.         if ($attribute !== self::MODE_READ) {
  111.             if (!$this->allowUseSystem($currentClient) || !$this->allowUseSystem($ownerClient)) {
  112.                 return false;
  113.             }
  114.         }
  116.         if ($ownerClient->getId() === $currentClient->getId()) {
  117.             return true;
  118.         }
  119.         if ($this->isChild($ownerClient$currentClient)) {
  120.             return true;
  121.         }
  122.         if ($attribute === self::IN_COMPANY) {
  123.             return $this->inCompany($currentClient$ownerClient);
  124.         }
  125.         if ($attribute === self::CAN_OPEN_ACCOUNTS) {
  126.             return $this->canOpenAccounts($currentClient$ownerClient);
  127.         }
  128.         if ($attribute === self::CAN_ADD_COMPANY_PERSONS) {
  129.             return $this->canAddCompanyPersons($currentClient$ownerClient);
  130.         }
  131.         if ($attribute === self::CAN_GRANT_PERMISSIONS) {
  132.             return $this->canGrantPermissions($currentClient$ownerClient);
  133.         }
  134.         if ($attribute === self::CAN_CHANGE_COMPANY_ACCOUNT_LIMITS) {
  135.             return $this->canChangeCompanyAccountLimits($currentClient$ownerClient);
  136.         }
  137.         if ($attribute === self::CAN_MAKE_CLUSTERS) {
  138.             return $this->canMakeClusters($currentClient$ownerClient);
  139.         }
  141.         // TODO: check owner rules!
  142.         $relationAccount $this->clientAccountRepository->findOneByOwnerClient($currentClient$ownerClient);
  143.         if ($relationAccount) {
  144.             return true;
  145.         }
  146.         $relationCompany $this->companyPersonRepository->findOneByOwnerClient($currentClient$ownerClient);
  148.         return (bool) ($relationCompany)
  150.          ;
  151.     }
  153.     private function isChild(Client $ownerClientClient $currentClient): bool
  154.     {
  155.         if (!$ownerClient->isPerson()) {
  156.             return false;
  157.         }
  158.         $parent $this->childAccountService->getValidParentClient($ownerClient->getPerson());
  160.         return (bool) ($parent && $parent->getId() === $currentClient->getId())
  162.          ;
  163.     }
  165.     private function canGrantPermissions(Client $currentClientClient $ownerClient): bool
  166.     {
  167.         /** @var CompanyPerson $relationCompany */
  168.         $relationCompany $this->companyPersonRepository->findOneByOwnerClient($currentClient$ownerClient);
  170.         return $relationCompany $relationCompany->getCanGrantPermissions() : false;
  171.     }
  173.     private function inCompany(Client $currentClientClient $companyClient)
  174.     {
  175.         /** @var CompanyPerson $relationCompany */
  176.         $relationCompany $this->companyPersonRepository->findOneByOwnerClient($currentClient$companyClient);
  178.         return (bool) $relationCompany;
  179.     }
  181.     private function canAddCompanyPersons(Client $currentClientClient $ownerClient): bool
  182.     {
  183.         /** @var CompanyPerson $relationCompany */
  184.         $relationCompany $this->companyPersonRepository->findOneByOwnerClient($currentClient$ownerClient);
  186.         return $relationCompany $relationCompany->getCanAddCompanyPersons() : false;
  187.     }
  189.     private function canOpenAccounts(Client $currentClientClient $ownerClient): bool
  190.     {
  191.         /** @var CompanyPerson $relationCompany */
  192.         $relationCompany $this->companyPersonRepository->findOneByOwnerClient($currentClient$ownerClient);
  194.         return $relationCompany $relationCompany->getCanOpenAccounts() : false;
  195.     }
  197.     private function canChangeCompanyAccountLimits(Client $currentClientClient $ownerClient): bool
  198.     {
  199.         /** @var CompanyPerson $relationCompany */
  200.         $relationCompany $this->companyPersonRepository->findOneByOwnerClient($currentClient$ownerClient);
  202.         return $relationCompany $relationCompany->getCanChangeCompanyAccountLimits() : false;
  203.     }
  205.     private function canMakeClusters(Client $currentClientClient $ownerClient): bool
  206.     {
  207.         /** @var CompanyPerson $relationCompany */
  208.         $relationCompany $this->companyPersonRepository->findOneByOwnerClient($currentClient$ownerClient);
  210.         return $relationCompany $relationCompany->getCanMakeClusters() : false;
  211.     }
  213.     private function allowUseSystem(Client $client)
  214.     {
  215.         try {
  216.             $this->systemStateService->allowUseSystem($client);
  218.             return true;
  219.         } catch (RestrictException $exception) {
  220.             return false;
  221.         }
  222.     }
  224.     private function getSupportedPermissions(): array
  225.     {
  226.         return [
  227.             self::MODE_READ,
  228.             self::MODE_UPDATE,
  229.             self::MODE_DELETE,
  230.             self::CAN_OPEN_ACCOUNTS,
  231.             self::CAN_GRANT_PERMISSIONS,
  232.             self::CAN_ADD_COMPANY_PERSONS,
  233.             self::CAN_CHANGE_COMPANY_ACCOUNT_LIMITS,
  234.             self::IN_COMPANY,
  235.             self::CAN_MAKE_CLUSTERS,
  236.             self::CAN_VIEW_SHAREHOLDERS,
  237.             self::CAN_ADD_SHAREHOLDERS,
  238.             self::CAN_UPDATE_COMPANY,
  239.             self::CAN_CREATE_COMPANY,
  240.         ];
  241.     }
  243.     private function getCurrentClient(TokenInterface $token): ?Client
  244.     {
  245.         /** @var OA2User $oa2User */
  246.         $oa2User $token->getUser();
  247.         if (!$oa2User instanceof OA2User || $oa2User->isBankUser()) {
  248.             return null// Client user only
  249.         }
  251.         return $this->clientRepository->findOneByOa2User($oa2User);
  252.     }
  253. }