vendor/easycorp/easyadmin-bundle/src/Security/SecurityVoter.php line 19

Open in your IDE?
  1. <?php
  3. namespace EasyCorp\Bundle\EasyAdminBundle\Security;
  5. use EasyCorp\Bundle\EasyAdminBundle\Contracts\Provider\AdminContextProviderInterface;
  6. use EasyCorp\Bundle\EasyAdminBundle\Dto\ActionDto;
  7. use EasyCorp\Bundle\EasyAdminBundle\Dto\CrudDto;
  8. use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
  9. use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
  10. use EasyCorp\Bundle\EasyAdminBundle\Dto\MenuItemDto;
  11. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  12. use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\Vote;
  14. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  16. /**
  17. * @author Javier Eguiluz <javier.eguiluz@gmail.com>
  18. */
  19. final class SecurityVoter extends Voter
  20. {
  21. public function __construct(
  22. private readonly AuthorizationCheckerInterface $authorizationChecker,
  23. private readonly AdminContextProviderInterface $adminContextProvider,
  24. ) {
  25. }
  27. protected function supports(string $permissionName, mixed $subject): bool
  28. {
  29. return $this->supportsAttribute($permissionName);
  30. }
  32. public function supportsAttribute(string $permissionName): bool
  33. {
  34. return Permission::exists($permissionName);
  35. }
  37. protected function voteOnAttribute(string $permissionName, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
  38. {
  39. if (Permission::EA_VIEW_MENU_ITEM === $permissionName) {
  40. return $this->voteOnViewMenuItemPermission($subject);
  41. }
  43. if (Permission::EA_EXECUTE_ACTION === $permissionName) {
  44. return $this->voteOnExecuteActionPermission($this->adminContextProvider->getContext()->getCrud(), $subject['action'] ?? null, $subject['entity'] ?? null, $subject['entityFqcn'] ?? null);
  45. }
  47. if (Permission::EA_VIEW_FIELD === $permissionName) {
  48. return $this->voteOnViewPropertyPermission($subject);
  49. }
  51. if (Permission::EA_ACCESS_ENTITY === $permissionName) {
  52. return $this->voteOnViewEntityPermission($subject);
  53. }
  55. if (Permission::EA_EXIT_IMPERSONATION === $permissionName) {
  56. return $this->voteOnExitImpersonationPermission();
  57. }
  59. return true;
  60. }
  62. private function voteOnViewMenuItemPermission(MenuItemDto $menuItemDto): bool
  63. {
  64. // users can see the menu item if they have the permission required by the menu item
  65. return $this->authorizationChecker->isGranted($menuItemDto->getPermission(), $menuItemDto);
  66. }
  68. private function voteOnExecuteActionPermission(CrudDto $crudDto, ActionDto|string $actionNameOrDto, ?EntityDto $entityDto, ?string $entityFqcn): bool
  69. {
  70. // users can run the Crud action if:
  71. // * they have the required permission to execute the action on the given entity instance
  72. // * the action is not disabled
  74. $actionName = \is_string($actionNameOrDto) ? $actionNameOrDto : $actionNameOrDto->getName();
  76. $actionPermission = $crudDto->getActionsConfig()->getActionPermissions()[$actionName] ?? null;
  77. $disabledActionNames = $crudDto->getActionsConfig()->getDisabledActions();
  79. $subject = $entityDto?->getInstance() ?? $entityFqcn;
  81. return !\in_array($actionName, $disabledActionNames, true) && $this->authorizationChecker->isGranted($actionPermission, $subject);
  82. }
  84. private function voteOnViewPropertyPermission(FieldDto $field): bool
  85. {
  86. // users can see the field if they have the permission required by the field
  87. return $this->authorizationChecker->isGranted($field->getPermission(), $field);
  88. }
  90. private function voteOnViewEntityPermission(EntityDto $entityDto): bool
  91. {
  92. // users can see the entity if they have the required permission on the specific entity instance
  93. return $this->authorizationChecker->isGranted($entityDto->getPermission(), $entityDto->getInstance());
  94. }
  96. private function voteOnExitImpersonationPermission(): bool
  97. {
  98. // users can exit impersonation if they are currently impersonating another user.
  99. // In Symfony, that means that current user has the special impersonator permission
  100. if (\defined('Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter::IS_IMPERSONATOR')) {
  101. $impersonatorPermission = 'IS_IMPERSONATOR';
  102. } else {
  103. $impersonatorPermission = 'ROLE_PREVIOUS_ADMIN';
  104. }
  106. return $this->authorizationChecker->isGranted($impersonatorPermission);
  107. }
  108. }