vendor/netgen/layouts-core/lib/Security/Authorization/Voter/PolicyToRoleMapVoter.php line 17

  1. <?php
  3. declare(strict_types=1);
  5. namespace Netgen\Layouts\Security\Authorization\Voter;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  9. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  11. use function is_string;
  12. use function str_starts_with;
  14. /**
  15.  * Votes on Netgen Layouts permissions (nglayouts:*) by mapping the permissions to built-in roles (ROLE_NGLAYOUTS_*).
  16.  */
  17. final class PolicyToRoleMapVoter extends Voter
  18. {
  19.     /**
  20.      * Map of supported permissions to their respective roles.
  21.      */
  22.     private const POLICY_TO_ROLE_MAP = [
  23.         'nglayouts:block:add' => self::ROLE_EDITOR,
  24.         'nglayouts:block:edit' => self::ROLE_EDITOR,
  25.         'nglayouts:block:delete' => self::ROLE_EDITOR,
  26.         'nglayouts:block:reorder' => self::ROLE_EDITOR,
  27.         'nglayouts:layout:add' => self::ROLE_ADMIN,
  28.         'nglayouts:layout:edit' => self::ROLE_EDITOR,
  29.         'nglayouts:layout:delete' => self::ROLE_ADMIN,
  30.         'nglayouts:layout:clear_cache' => self::ROLE_ADMIN,
  31.         'nglayouts:mapping:edit' => self::ROLE_ADMIN,
  32.         'nglayouts:mapping:edit_group' => self::ROLE_ADMIN,
  33.         'nglayouts:mapping:activate' => self::ROLE_ADMIN,
  34.         'nglayouts:mapping:activate_group' => self::ROLE_ADMIN,
  35.         'nglayouts:mapping:delete' => self::ROLE_ADMIN,
  36.         'nglayouts:mapping:reorder' => self::ROLE_ADMIN,
  37.         'nglayouts:collection:edit' => self::ROLE_EDITOR,
  38.         'nglayouts:collection:items' => self::ROLE_EDITOR,
  39.         'nglayouts:ui:access' => self::ROLE_ADMIN,
  40.         'nglayouts:api:read' => self::ROLE_API,
  41.     ];
  43.     /**
  44.      * The identifier of the admin role. Users having this role
  45.      * have full and unrestricted access to the entire system.
  46.      */
  47.     private const ROLE_ADMIN 'ROLE_NGLAYOUTS_ADMIN';
  49.     /**
  50.      * The identifier of the editor role. Users having this role
  51.      * have full access only to the layout editing interface.
  52.      */
  53.     private const ROLE_EDITOR 'ROLE_NGLAYOUTS_EDITOR';
  55.     /**
  56.      * The identifier of the API role. Users having this role
  57.      * have access to read only data of the API endpoints.
  58.      */
  59.     private const ROLE_API 'ROLE_NGLAYOUTS_API';
  61.     private AccessDecisionManagerInterface $accessDecisionManager;
  63.     public function __construct(AccessDecisionManagerInterface $accessDecisionManager)
  64.     {
  65.         $this->accessDecisionManager $accessDecisionManager;
  66.     }
  68.     /**
  69.      * @param mixed $attribute
  70.      * @param mixed $subject
  71.      */
  72.     protected function supports($attribute$subject): bool
  73.     {
  74.         return is_string($attribute) && str_starts_with($attribute'nglayouts:');
  75.     }
  77.     /**
  78.      * @param string $attribute
  79.      * @param mixed $subject
  80.      */
  81.     protected function voteOnAttribute($attribute$subjectTokenInterface $token): bool
  82.     {
  83.         if (!isset(self::POLICY_TO_ROLE_MAP[$attribute])) {
  84.             return false;
  85.         }
  87.         return $this->accessDecisionManager->decide(
  88.             $token,
  89.             [self::POLICY_TO_ROLE_MAP[$attribute]],
  90.             $subject,
  91.         );
  92.     }
  93. }