vendor/sonata-project/user-bundle/src/Security/Authorization/Voter/UserAclVoter.php line 20

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. /*
  6. * This file is part of the Sonata Project package.
  7. *
  8. * (c) Thomas Rabaix <thomas.rabaix@sonata-project.org>
  9. *
  10. * For the full copyright and license information, please view the LICENSE
  11. * file that was distributed with this source code.
  12. */
  14. namespace Sonata\UserBundle\Security\Authorization\Voter;
  16. use Sonata\UserBundle\Model\UserInterface;
  17. use Symfony\Component\Security\Acl\Voter\AclVoter;
  18. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  20. final class UserAclVoter extends AclVoter
  21. {
  22. public function supportsClass($class): bool
  23. {
  24. // support the Object-Scope ACL
  25. return is_subclass_of($class, UserInterface::class);
  26. }
  28. /**
  29. * @param mixed $attribute
  30. */
  31. public function supportsAttribute($attribute): bool
  32. {
  33. return 'EDIT' === $attribute || 'DELETE' === $attribute;
  34. }
  36. /**
  37. * @param mixed[] $attributes
  38. *
  39. * @return self::ACCESS_ABSTAIN|self::ACCESS_DENIED
  40. */
  41. public function vote(TokenInterface $token, mixed $subject, array $attributes): int
  42. {
  43. if (!\is_object($subject) || !$this->supportsClass($subject::class)) {
  44. return self::ACCESS_ABSTAIN;
  45. }
  47. foreach ($attributes as $attribute) {
  48. $tokenUser = $token->getUser();
  50. if ($this->supportsAttribute($attribute) && $subject instanceof UserInterface && $tokenUser instanceof UserInterface) {
  51. if ($subject->isSuperAdmin() && !$tokenUser->isSuperAdmin()) {
  52. // deny a non super admin user to edit or delete a super admin user
  53. return self::ACCESS_DENIED;
  54. }
  55. }
  56. }
  58. // leave the permission voting to the AclVoter that is using the default permission map
  59. return self::ACCESS_ABSTAIN;
  60. }
  61. }