<?php
namespace Menke\UserBundle\Security\Voter;
use Menke\UserBundle\Entity\User;
use Menke\UserBundle\Entity\Client;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
/**
* Security voter to grant backend access by client.
*
* @package Menke\UserBundle\Security\Voter
*/
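class ClientVoter extends Voter
{
    /**
     * Decision manager used for the nested role checks in voteOnAttribute().
     *
     * @var AccessDecisionManagerInterface
     */
    protected $decisionManager;

    /**
     * @param AccessDecisionManagerInterface $decisionManager
     */
    public function __construct(AccessDecisionManagerInterface $decisionManager)
    {
        $this->decisionManager = $decisionManager;
    }

    /**
     * Limits this voter to ROLE_SUPER_USER checks made against a Client.
     *
     * The subject is tested here as well as in voteOnAttribute(). The base
     * Voter turns "supported, but voteOnAttribute() returned false" into a
     * deny vote, so matching on the attribute alone would make this voter
     * deny every ROLE_SUPER_USER check on an unrelated subject, including the
     * nested decide() call below, which passes no subject. Returning false
     * for those subjects makes the voter abstain and leaves the decision to
     * the voters responsible for plain role checks.
     *
     * @param string $attribute
     * @param mixed  $subject
     *
     * @return bool
     */
    protected function supports($attribute, $subject)
    {
        return $attribute === 'ROLE_SUPER_USER' && $subject instanceof Client;
    }

    /**
     * Decides whether the authenticated user may act on the given client.
     *
     * Every path that is not an explicit grant returns false (fail closed).
     *
     * @param string         $attribute
     * @param mixed          $subject
     * @param TokenInterface $token
     *
     * @return bool true to grant, false to deny
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();

        // No grant without an application User on the token and a Client
        // as the subject.
        if (!($user instanceof User) || !($subject instanceof Client)) {
            return false;
        }

        // Super users are granted for every client. The nested check carries
        // no subject, so supports() makes this voter abstain on it.
        if ($this->decisionManager->decide($token, array('ROLE_SUPER_USER'))) {
            return true;
        }

        // NOTE(review): $subject is known to be a Client at this point, so
        // both `$subject instanceof User` tests below are false unless Client
        // extends User (its definition is not visible from this file). As
        // written, the ROLE_BACKEND same-client grant is never reached and
        // only super users are granted. Confirm the intended subject type
        // before touching these conditions: widening them extends access to
        // every backend user of the matching client.
        if ($subject instanceof User && !($subject->getClient() instanceof Client)) {
            return false;
        }

        $sameClient = $subject instanceof User
            && $user->getClient()
            && $user->getClient()->getId() === $subject->getClient()->getId();

        // The role check stays last so it runs only after the client match,
        // as in the original condition order.
        return $sameClient && $this->decisionManager->decide($token, array('ROLE_BACKEND'));
    }
}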