comptoir access : instead of allowing all requests from UserAdmin object, only…

comptoir access : instead of allowing all requests from UserAdmin object, only allow to show password in general user form, which is sufficient to change it ; add tav_env condition

comptoir access : instead of allowing all requests from UserAdmin object, only…
comptoir access : instead of allowing all requests from UserAdmin object, only allow to show password in general user form, which is sufficient to change it ; add tav_env condition
a6401cfe · Yvon · 2b840831 · a6401cfe · a6401cfe
Commit a6401cfe authored Dec 15, 2022 by Yvon
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 8 deletions

UserAdmin.php src/Application/Sonata/UserBundle/Admin/UserAdmin.php +4 -1

VoterSecurityHandler.php src/Security/Handler/VoterSecurityHandler.php +10 -7

No files found.
--- a/src/Application/Sonata/UserBundle/Admin/UserAdmin.php
+++ b/src/Application/Sonata/UserBundle/Admin/UserAdmin.php
@@ -194,7 +194,10 @@ class UserAdmin extends BaseUserAdmin
                    ->add('username')
                    ->add('email')
        ;
-        if ('dev' == $_ENV['APP_ENV'] && $this->isGranted('ROLE_SUPER_ADMIN')) {
+        if (
+            'dev' == $_ENV['APP_ENV'] && ($this->isGranted('ROLE_SUPER_ADMIN')
+                || $this->getSecurityHandler()->grantChangeAdherentPasswordToNonSuperAdmin('ROLE_CHANGE_ADHERENT_PERSONAL_DATA'))
+        ) {
            $formMapper
                ->add('plainPassword', RepeatedType::class, [
                    'type' => PasswordType::class,

--- a/src/Security/Handler/VoterSecurityHandler.php
+++ b/src/Security/Handler/VoterSecurityHandler.php
@@ -2,7 +2,6 @@

 namespace App\Security\Handler;

-use App\Application\Sonata\UserBundle\Admin\UserAdmin;
 use App\Entity\GlobalParameter;
 use App\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
@@ -46,7 +45,7 @@ class VoterSecurityHandler extends RoleSecurityHandler
            return $this->isAnyGranted($this->superAdminRoles)
                || $this->isAnyGranted($attributes, $object)
                || $this->isAnyGranted([$allRole], $object)
-                || $this->allowToChangeAdherentPersonalData($object);
+                || $this->allowToModifyAdherentPersonalData($object);
        } catch (AuthenticationCredentialsNotFoundException $e) {
            return false;
        }
@@ -68,11 +67,15 @@ class VoterSecurityHandler extends RoleSecurityHandler
        return false;
    }

-    private function allowToChangeAdherentPersonalData($object): bool
+    private function allowToModifyAdherentPersonalData($object): bool
    {
-        //var_dump(get_class($object));
-        $res = (($object instanceof User && $object->getAdherent()) || ($object instanceof UserAdmin)) && $this->authorizationChecker->isGranted('ROLE_CHANGE_ADHERENT_PERSONAL_DATA');
-        //var_dump($res);
-        return $res;
+        return $_ENV['TAV_ENV']
+            && $object instanceof User && $object->getAdherent()
+            && $this->authorizationChecker->isGranted('ROLE_CHANGE_ADHERENT_PERSONAL_DATA');
+    }
+
+    public function grantChangeAdherentPasswordToNonSuperAdmin($str): bool
+    {
+        return $_ENV['TAV_ENV'] && ($str === 'ROLE_CHANGE_ADHERENT_PERSONAL_DATA');
    }
 }