src/Security/Voter/TeamVoter.php line 12

Open in your IDE?
  1. <?php
  3. namespace App\Security\Voter;
  5. use App\Entity\Team;
  6. use App\Entity\User;
  7. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  8. use Symfony\Component\Security\Core\Authorization\Voter\Voter;
  9. use Symfony\Component\Security\Core\Security;
  10. use Symfony\Component\Security\Core\User\UserInterface;
  12. class TeamVoter extends Voter
  13. {
  14.     public const VIEW 'VIEW';
  15.     public const EDIT 'EDIT';
  16.     public const DELETE 'DELETE';
  17.     public const MANAGE_MEMBERS 'MANAGE_MEMBERS';
  18.     public const MANAGE_SETTINGS 'MANAGE_SETTINGS';
  20.     private $security;
  22.     public function __construct(Security $security)
  23.     {
  24.         $this->security $security;
  25.     }
  27.     protected function supports(string $attributemixed $subject): bool
  28.     {
  29.         // if the attribute isn't one we support, return false
  30.         if (!in_array($attribute, [
  31.             self::VIEW,
  32.             self::EDIT,
  33.             self::DELETE,
  34.             self::MANAGE_MEMBERS,
  35.             self::MANAGE_SETTINGS
  36.         ])) {
  37.             return false;
  38.         }
  40.         // only vote on `Team` objects
  41.         if (!$subject instanceof Team) {
  42.             return false;
  43.         }
  45.         return true;
  46.     }
  48.     protected function voteOnAttribute(string $attributemixed $subjectTokenInterface $token): bool
  49.     {
  50.         $user $token->getUser();
  51.         // if the user is anonymous, do not grant access
  52.         if (!$user instanceof UserInterface) {
  53.             return false;
  54.         }
  56.         // Admins and company managers can do anything
  57.         if ($this->security->isGranted('ROLE_ADMIN') || $this->security->isGranted('ROLE_COMPANY_MANAGER')) {
  58.             return true;
  59.         }
  61.         /** @var Team $team */
  62.         $team $subject;
  63.         
  64.         /** @var User $user */
  65.         $user $token->getUser();
  66.         
  67.         // Find the user's relationship with this team
  68.         $userTeam null;
  69.         foreach ($team->getUserTeams() as $ut) {
  70.             if ($ut->getUser() === $user) {
  71.                 $userTeam $ut;
  72.                 break;
  73.             }
  74.         }
  75.         
  76.         // If user is not a member of the team, they can only view
  77.         if ($userTeam === null) {
  78.             return $attribute === self::VIEW;
  79.         }
  80.         
  81.         // Check permissions based on role and requested action
  82.         switch ($attribute) {
  83.             case self::VIEW:
  84.                 // All team members can view
  85.                 return true;
  86.                 
  87.             case self::EDIT:
  88.                 // Team captains, coaches, and managers can edit
  89.                 return $userTeam->isTeamLeader();
  90.                 
  91.             case self::MANAGE_MEMBERS:
  92.                 // Only coaches and managers can manage members
  93.                 return $userTeam->canManageMembers();
  94.                 
  95.             case self::MANAGE_SETTINGS:
  96.                 // Only managers can manage team settings
  97.                 return $userTeam->canManageTeam();
  98.                 
  99.             case self::DELETE:
  100.                 // Only managers can delete teams
  101.                 return $userTeam->canManageTeam();
  102.         }
  103.         
  104.         return false;
  105.     }
  106. }