restrict new rights given to comptoir to change adherent data only

2b840831 · Yvon · 61eeace7 · 2b840831 · 2b840831 · 2b840831
Commit 2b840831 authored Dec 14, 2022 by Yvon
Showing with 14 additions and 3 deletions

fixtures-tav.yaml fixtures/tav/fixtures-tav.yaml +1 -1

Version20221211160940.php src/Migrations/Version20221211160940.php +1 -1

VoterSecurityHandler.php src/Security/Handler/VoterSecurityHandler.php +12 -1

No files found.
--- a/fixtures/tav/fixtures-tav.yaml
+++ b/fixtures/tav/fixtures-tav.yaml
@@ -132,7 +132,7 @@ App\Entity\Usergroup:
            'ROLE_ADMIN_PRESTATAIRE_COTISATIONS_EDIT',
            'ROLE_ADMIN_PRESTATAIRE_COTISATIONS_LIST',
            'ROLE_ADMIN_PRESTATAIRE_COTISATIONS_CREATE',
-            'ROLE_SONATA_USER_ADMIN_USER_ALL']]
+            'ROLE_CHANGE_ADHERENT_PERSONAL_DATA']]
    usergroup_contact:
        __construct: ['Contact', [
            'ROLE_CONTACT',

--- a/src/Migrations/Version20221211160940.php
+++ b/src/Migrations/Version20221211160940.php
@@ -21,7 +21,7 @@ final class Version20221211160940 extends AbstractMigration
    {
        // this up() migration is auto-generated, please modify it to your needs
        //$this->addSql('UPDATE usergroup SET roles = \'a:13:{i:0;s:13:\"ROLE_COMPTOIR\";i:1;s:30:\"ROLE_ADMIN_ADHERENT_GERER_EDIT\";i:2;s:30:\"ROLE_ADMIN_ADHERENT_GERER_LIST\";i:3;s:32:\"ROLE_ADMIN_ADHERENT_GERER_CREATE\";i:4;s:30:\"ROLE_ADMIN_ADHERENT_GERER_VIEW\";i:5;s:35:\"ROLE_ADMIN_ADHERENT_COTISATIONS_ALL\";i:6;s:30:\"ROLE_ADMIN_COMPTOIR_GERER_EDIT\";i:7;s:30:\"ROLE_ADMIN_COMPTOIR_GERER_VIEW\";i:8;s:31:\"ROLE_ADMIN_TRANSFERT_GERER_LIST\";i:9;s:33:\"ROLE_ADMIN_TRANSFERT_GERER_CREATE\";i:10;s:31:\"ROLE_ADMIN_TRANSFERT_GERER_VIEW\";i:11;s:43:\"ROLE_ADMIN_OPERATION_PRESTATAIRE_GERER_LIST\";i:12;s:40:\"ROLE_ADMIN_OPERATION_ADHERENT_GERER_LIST\";}\' WHERE name = "Comptoir"');
-        $this->addSql('UPDATE usergroup SET roles = \'a:19:{i:0;s:13:\"ROLE_COMPTOIR\";i:1;s:30:\"ROLE_ADMIN_ADHERENT_GERER_EDIT\";i:2;s:30:\"ROLE_ADMIN_ADHERENT_GERER_LIST\";i:3;s:32:\"ROLE_ADMIN_ADHERENT_GERER_CREATE\";i:4;s:30:\"ROLE_ADMIN_ADHERENT_GERER_VIEW\";i:5;s:35:\"ROLE_ADMIN_ADHERENT_COTISATIONS_ALL\";i:6;s:30:\"ROLE_ADMIN_COMPTOIR_GERER_EDIT\";i:7;s:30:\"ROLE_ADMIN_COMPTOIR_GERER_VIEW\";i:8;s:31:\"ROLE_ADMIN_TRANSFERT_GERER_LIST\";i:9;s:33:\"ROLE_ADMIN_TRANSFERT_GERER_CREATE\";i:10;s:31:\"ROLE_ADMIN_TRANSFERT_GERER_VIEW\";i:11;s:33:\"ROLE_ADMIN_PRESTATAIRE_GERER_VIEW\";i:12;s:39:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_VIEW\";i:13;s:33:\"ROLE_ADMIN_PRESTATAIRE_GERER_LIST\";i:14;s:33:\"ROLE_ADMIN_PRESTATAIRE_GERER_EDIT\";i:15;s:39:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_EDIT\";i:16;s:39:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_LIST\";i:17;s:41:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_CREATE\";i:18;s:31:\"ROLE_SONATA_USER_ADMIN_USER_ALL\";}\' WHERE name = "Comptoir"');
+        $this->addSql('UPDATE usergroup SET roles = \'a:19:{i:0;s:13:\"ROLE_COMPTOIR\";i:1;s:30:\"ROLE_ADMIN_ADHERENT_GERER_EDIT\";i:2;s:30:\"ROLE_ADMIN_ADHERENT_GERER_LIST\";i:3;s:32:\"ROLE_ADMIN_ADHERENT_GERER_CREATE\";i:4;s:30:\"ROLE_ADMIN_ADHERENT_GERER_VIEW\";i:5;s:35:\"ROLE_ADMIN_ADHERENT_COTISATIONS_ALL\";i:6;s:30:\"ROLE_ADMIN_COMPTOIR_GERER_EDIT\";i:7;s:30:\"ROLE_ADMIN_COMPTOIR_GERER_VIEW\";i:8;s:31:\"ROLE_ADMIN_TRANSFERT_GERER_LIST\";i:9;s:33:\"ROLE_ADMIN_TRANSFERT_GERER_CREATE\";i:10;s:31:\"ROLE_ADMIN_TRANSFERT_GERER_VIEW\";i:11;s:33:\"ROLE_ADMIN_PRESTATAIRE_GERER_VIEW\";i:12;s:39:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_VIEW\";i:13;s:33:\"ROLE_ADMIN_PRESTATAIRE_GERER_LIST\";i:14;s:33:\"ROLE_ADMIN_PRESTATAIRE_GERER_EDIT\";i:15;s:39:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_EDIT\";i:16;s:39:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_LIST\";i:17;s:41:\"ROLE_ADMIN_PRESTATAIRE_COTISATIONS_CREATE\";i:18;s:34:\"ROLE_CHANGE_ADHERENT_PERSONAL_DATA\";}\' WHERE name = "Comptoir"');
    }
    public function down(Schema $schema) : void

--- a/src/Security/Handler/VoterSecurityHandler.php
+++ b/src/Security/Handler/VoterSecurityHandler.php
@@ -2,7 +2,9 @@
 namespace App\Security\Handler;
+use App\Application\Sonata\UserBundle\Admin\UserAdmin;
 use App\Entity\GlobalParameter;
+use App\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
 use Sonata\AdminBundle\Admin\AdminInterface;
 use Sonata\AdminBundle\Security\Handler\RoleSecurityHandler;
@@ -43,7 +45,8 @@ class VoterSecurityHandler extends RoleSecurityHandler
        try {
            return $this->isAnyGranted($this->superAdminRoles)
                || $this->isAnyGranted($attributes, $object)
-                || $this->isAnyGranted([$allRole], $object);
+                || $this->isAnyGranted([$allRole], $object)
+                || $this->allowToChangeAdherentPersonalData($object);
        } catch (AuthenticationCredentialsNotFoundException $e) {
            return false;
        }
@@ -64,4 +67,12 @@ class VoterSecurityHandler extends RoleSecurityHandler
        return false;
    }
+    private function allowToChangeAdherentPersonalData($object): bool
+    {
+        //var_dump(get_class($object));
+        $res = (($object instanceof User && $object->getAdherent()) || ($object instanceof UserAdmin)) && $this->authorizationChecker->isGranted('ROLE_CHANGE_ADHERENT_PERSONAL_DATA');
+        //var_dump($res);
+        return $res;
+    }
 }