vendor/sonata-project/user-bundle/src/Security/Authorization/Voter/UserAclVoter.php line 20

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. /*
  6. * This file is part of the Sonata Project package.
  7. *
  8. * (c) Thomas Rabaix <thomas.rabaix@sonata-project.org>
  9. *
  10. * For the full copyright and license information, please view the LICENSE
  11. * file that was distributed with this source code.
  12. */
  14. namespace Sonata\UserBundle\Security\Authorization\Voter;
  16. use Sonata\UserBundle\Model\UserInterface;
  17. use Symfony\Component\Security\Acl\Voter\AclVoter;
  18. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  20. final class UserAclVoter extends AclVoter
  21. {
  22. public function supportsClass($class): bool
  23. {
  24. // support the Object-Scope ACL
  25. return is_subclass_of($class, UserInterface::class);
  26. }
  28. /**
  29. * @param mixed $attribute
  30. */
  31. public function supportsAttribute($attribute): bool
  32. {
  33. return 'EDIT' === $attribute || 'DELETE' === $attribute;
  34. }
  36. /**
  37. * @param mixed $subject
  38. * @param mixed[] $attributes
  39. */
  40. public function vote(TokenInterface $token, $subject, array $attributes): int
  41. {
  42. if (!\is_object($subject) || !$this->supportsClass(\get_class($subject))) {
  43. return self::ACCESS_ABSTAIN;
  44. }
  46. foreach ($attributes as $attribute) {
  47. $tokenUser = $token->getUser();
  49. if ($this->supportsAttribute($attribute) && $subject instanceof UserInterface && $tokenUser instanceof UserInterface) {
  50. if ($subject->isSuperAdmin() && !$tokenUser->isSuperAdmin()) {
  51. // deny a non super admin user to edit or delete a super admin user
  52. return self::ACCESS_DENIED;
  53. }
  54. }
  55. }
  57. // leave the permission voting to the AclVoter that is using the default permission map
  58. return self::ACCESS_ABSTAIN;
  59. }
  60. }