lib/netgen/layouts-core/lib/Security/Authorization/Voter/PolicyToRoleMapVoter.php line 19

  1. <?php
  3. declare(strict_types=1);
  5. namespace Netgen\Layouts\Security\Authorization\Voter;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. use function is_string;
  12. use function str_starts_with;
  14. /**
  15.  * Votes on Netgen Layouts permissions (nglayouts:*) by mapping the permissions to built-in roles (ROLE_NGLAYOUTS_*).
  16.  *
  17.  * @extends \Symfony\Component\Security\Core\Authorization\Voter\Voter<string, mixed>
  18.  */
  19. final class PolicyToRoleMapVoter extends Voter
  20. {
  21.     /**
  22.      * Map of supported permissions to their respective roles.
  23.      */
  24.     private const POLICY_TO_ROLE_MAP = [
  25.         'nglayouts:block:add' => self::ROLE_EDITOR,
  26.         'nglayouts:block:edit' => self::ROLE_EDITOR,
  27.         'nglayouts:block:delete' => self::ROLE_EDITOR,
  28.         'nglayouts:block:reorder' => self::ROLE_EDITOR,
  29.         'nglayouts:layout:add' => self::ROLE_ADMIN,
  30.         'nglayouts:layout:edit' => self::ROLE_EDITOR,
  31.         'nglayouts:layout:delete' => self::ROLE_ADMIN,
  32.         'nglayouts:layout:clear_cache' => self::ROLE_ADMIN,
  33.         'nglayouts:mapping:edit' => self::ROLE_ADMIN,
  34.         'nglayouts:mapping:edit_group' => self::ROLE_ADMIN,
  35.         'nglayouts:mapping:activate' => self::ROLE_ADMIN,
  36.         'nglayouts:mapping:activate_group' => self::ROLE_ADMIN,
  37.         'nglayouts:mapping:delete' => self::ROLE_ADMIN,
  38.         'nglayouts:mapping:reorder' => self::ROLE_ADMIN,
  39.         'nglayouts:collection:edit' => self::ROLE_EDITOR,
  40.         'nglayouts:collection:items' => self::ROLE_EDITOR,
  41.         'nglayouts:ui:access' => self::ROLE_ADMIN,
  42.         'nglayouts:api:read' => self::ROLE_API,
  43.     ];
  45.     /**
  46.      * The identifier of the admin role. Users having this role
  47.      * have full and unrestricted access to the entire system.
  48.      */
  49.     private const ROLE_ADMIN 'ROLE_NGLAYOUTS_ADMIN';
  51.     /**
  52.      * The identifier of the editor role. Users having this role
  53.      * have full access only to the layout editing interface.
  54.      */
  55.     private const ROLE_EDITOR 'ROLE_NGLAYOUTS_EDITOR';
  57.     /**
  58.      * The identifier of the API role. Users having this role
  59.      * have access to read only data of the API endpoints.
  60.      */
  61.     private const ROLE_API 'ROLE_NGLAYOUTS_API';
  63.     private AccessDecisionManagerInterface $accessDecisionManager;
  65.     public function __construct(AccessDecisionManagerInterface $accessDecisionManager)
  66.     {
  67.         $this->accessDecisionManager $accessDecisionManager;
  68.     }
  70.     /**
  71.      * @param mixed $attribute
  72.      * @param mixed $subject
  73.      */
  74.     protected function supports($attribute$subject): bool
  75.     {
  76.         return is_string($attribute) && str_starts_with($attribute'nglayouts:');
  77.     }
  79.     /**
  80.      * @param string $attribute
  81.      * @param mixed $subject
  82.      */
  83.     protected function voteOnAttribute($attribute$subjectTokenInterface $token): bool
  84.     {
  85.         if (!isset(self::POLICY_TO_ROLE_MAP[$attribute])) {
  86.             return false;
  87.         }
  89.         return $this->accessDecisionManager->decide(
  90.             $token,
  91.             [self::POLICY_TO_ROLE_MAP[$attribute]],
  92.             $subject,
  93.         );
  94.     }
  95. }