<?php
namespace League\Tactician\Bundle\Security\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
/**
* Voter for security checks on handling commands.
*
* @author Ron Rademaker
*/
class HandleCommandVoter extends Voter
{
/**
* The decision manager.
*
* @var AccessDecisionManagerInterface
*/
private $decisionManager;
/**
* Command - Require role mapping
*
* @var array
*/
private $commandRoleMapping = [];
/**
* Create a new HandleCommandVoter.
*
* @param AccessDecisionManagerInterface $decisionManager
* @param array $commandRoleMapping
*/
public function __construct(AccessDecisionManagerInterface $decisionManager, array $commandRoleMapping = [])
{
$this->decisionManager = $decisionManager;
$this->commandRoleMapping = $commandRoleMapping;
}
/**
* The voter supports checking handle commands
*
* @param string $attribute
* @param object $subject
*
* @return bool
*/
protected function supports($attribute, $subject): bool
{
return $attribute === 'handle' && is_object($subject);
}
/**
* Checks if the currently logged on user may handle $subject.
*
* @param string $attribute
* @param mixed $subject
* @param TokenInterface $token
*
* @return bool
*/
protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
{
$allowedRoles = $this->getAllowedRoles(get_class($subject));
if (count($allowedRoles) > 0) {
return $this->decisionManager->decide($token, $allowedRoles);
}
// default conclusion is access denied
return false;
}
/**
* Gets the roles allowed to handle a command of $type
*
* @param string $type
*
* @return array
*/
private function getAllowedRoles(string $type)
{
if (array_key_exists($type, $this->commandRoleMapping)) {
return $this->commandRoleMapping[$type];
}
return [];
}
}