src/Security/ImpersonateUserVoter.php line 15

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\Security;
  7. use App\Entity\System\Customer;
  8. use App\Entity\System\Employee;
  9. use App\Entity\System\Role;
  10. use App\Service\SecurityService;
  11. use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
  12. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  13. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  15. class ImpersonateUserVoter extends Voter
  16. {
  17.     private ParameterBagInterface $parameterBag;
  18.     private SecurityService $securityService;
  20.     public function __construct(
  21.         ParameterBagInterface $parameterBag,
  22.         SecurityService $securityService
  23.     ) {
  24.         $this->parameterBag $parameterBag;
  25.         $this->securityService $securityService;
  26.     }
  28.     public const CAN_SWITCH_USER 'CAN_SWITCH_USER';
  30.     protected function supports($attribute$subject): bool
  31.     {
  32.         return $attribute === self::CAN_SWITCH_USER && $subject instanceof Customer;
  33.     }
  35.     protected function voteOnAttribute($attribute$subjectTokenInterface $token): bool
  36.     {
  37.         $user $token->getUser();
  39.         if (!$user instanceof Employee || !$subject instanceof Customer) {
  40.             return false;
  41.         }
  43.         if ($this->loggedUserIsAdmin($user)) {
  44.             return true;
  45.         }
  47.         if ($this->requestedUserIsEmployee($subject->getEmail())) {
  48.             return $user->getEmail() === $subject->getEmail();
  49.         }
  51.         $userRolesIndex = \array_flip($user->getRoles());
  53.         return $this->loggedUserHasAnyImpersonatorRole($userRolesIndex);
  54.     }
  56.     protected function requestedUserIsEmployee(string $email): bool
  57.     {
  58.         return str_contains($email$this->parameterBag->get('microsoft_tenant_email_postfix'));
  59.     }
  61.     protected function loggedUserIsAdmin(Employee $user): bool
  62.     {
  63.         return $this->securityService->isGranted(Role::ROLE_EMPLOYEE_DEVELOPER);
  64.     }
  66.     /**
  67.      * @param array<string, array-key> $userRolesIndex
  68.      */
  69.     public function loggedUserHasAnyImpersonatorRole(array $userRolesIndex): bool
  70.     {
  71.         return \array_key_exists(Role::ROLE_EMPLOYEE_SUPER_ADMIN$userRolesIndex)
  72.             || \array_key_exists(Role::ROLE_EMPLOYEE_TECH_SUPPORT$userRolesIndex)
  73.             || \array_key_exists(Role::ROLE_EMPLOYEE_SALES_ADMIN$userRolesIndex)
  74.             || \array_key_exists('ROLE_FINANCE'$userRolesIndex);
  75.     }
  76. }