<?php
namespace Platform\SecurityBundle\Security\Voter;
use Platform\SecurityBundle\Entity\Identity\Account;
use Platform\SecurityBundle\Model\PlatformSubject;
use Platform\SecurityBundle\Security\PlatformVoter;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
/**
 * Voter that decides on "internal" permissions.
 *
 * It only takes part in a vote when the sentry classifies the attribute as an
 * internal permission. Accounts that are not internal are denied outright;
 * internal accounts are granted only what is listed in their own internal
 * permission set.
 *
 * NOTE(review): $this->sentry is not declared in this class; presumably it is
 * provided by PlatformVoter. Confirm against the parent.
 */
final class InternalUserVoter extends PlatformVoter
{
    /**
     * {@inheritDoc}
     *
     * Reports whether the sentry treats $attribute as an internal permission.
     * Neither $account nor $subject is consulted here.
     */
    protected function supports(
        Account $account,
        string $attribute,
        ?PlatformSubject $subject = null
    ): bool
    {
        // The sentry owns the definition of "internal" (by a naming prefix,
        // per the original author's note); this voter only relays its answer.
        return (bool) $this->sentry->isInternalPermission($attribute);
    }

    /**
     * {@inheritDoc}
     *
     * @return int VoterInterface::ACCESS_DENIED when the account is not internal,
     *             VoterInterface::ACCESS_GRANTED when $permission is in the
     *             account's internal permission set, otherwise
     *             VoterInterface::ACCESS_ABSTAIN
     */
    protected function poll(
        Account $account,
        string $permission,
        ?PlatformSubject $subject = null
    ): int
    {
        // An internal permission is being checked, so an account that is not
        // itself internal gets an explicit DENIED rather than an abstention.
        // The intent is to stop the superuser voter from letting it through.
        // NOTE(review): a DENIED vote only overrides another voter's GRANTED
        // when the access decision strategy honours denials (unanimous, or
        // priority with this voter consulted first). Under an affirmative
        // strategy a single GRANTED still wins. Confirm the configured strategy.
        if (! $account->isInternal()) {
            return VoterInterface::ACCESS_DENIED;
        }

        // Strict comparison: the permission must match an entry exactly, with
        // no loose type juggling between strings and other scalar values.
        $isHeldByAccount = in_array($permission, $account->getInternalPermissions(), true);
        if ($isHeldByAccount) {
            return VoterInterface::ACCESS_GRANTED;
        }

        // An internal account without this permission is not denied; the
        // decision is left to the remaining voters.
        // NOTE(review): this means another voter may still grant it. Verify
        // that is the intended outcome for internal accounts.
        return VoterInterface::ACCESS_ABSTAIN;
    }

    /**
     * {@inheritDoc}
     *
     * Subject-less variant: delegates to poll() with no subject.
     */
    protected function try(
        Account $account,
        string $permission
    ): int
    {
        return $this->poll($account, $permission);
    }
}