Merge tag v2.3.9 into develop

roadiz · Jun 13, 2024 · 398b7a8 · 398b7a8
1 parent 2d8503c
commit 398b7a8
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 2 deletions.
diff --git a/src/Security/Authorization/Voter/NodeTypeFieldVoter.php b/src/Security/Authorization/Voter/NodeTypeFieldVoter.php
@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+
+namespace RZ\Roadiz\CoreBundle\Security\Authorization\Voter;
+
+use RZ\Roadiz\CoreBundle\Entity\NodeTypeField;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+final class NodeTypeFieldVoter extends Voter
+{
+    public const VIEW = 'VIEW';
+
+    public function __construct(
+        private readonly Security $security
+    ) {
+    }
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        if (!\in_array($attribute, [self::VIEW])) {
+            return false;
+        }
+        return $subject instanceof NodeTypeField;
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    {
+        $user = $token->getUser();
+
+        if (!$user instanceof UserInterface) {
+            // the user must be logged in; if not, deny access
+            return false;
+        }
+
+        return match ($attribute) {
+            self::VIEW => $this->canView($subject, $user),
+            default => throw new \LogicException('This code should not be reached!')
+        };
+    }
+
+    private function canView(NodeTypeField $field, UserInterface $user): bool
+    {
+        if ($field->isNodes() && !$this->security->isGranted(NodeVoter::SEARCH)) {
+            return false;
+        }
+        if ($field->isDocuments() && !$this->security->isGranted('ROLE_ACCESS_DOCUMENTS')) {
+            return false;
+        }
+        if ($field->isUser() && !$this->security->isGranted('ROLE_ACCESS_USERS')) {
+            return false;
+        }
+        if ($field->isCustomForms() && !$this->security->isGranted('ROLE_ACCESS_CUSTOMFORMS')) {
+            return false;
+        }
+
+        return true;
+    }
+}
diff --git a/src/Security/Authorization/Voter/NodeVoter.php b/src/Security/Authorization/Voter/NodeVoter.php
@@ -161,10 +161,12 @@ private function canReadAtRoot(UserInterface $user): bool
         return null === $chroot && $this->security->isGranted('ROLE_ACCESS_NODES');
     }
 
+    /*
+     * All node users can search even if they are chroot-ed
+     */
     private function canSearch(UserInterface $user): bool
     {
-        $chroot = $this->chrootResolver->getChroot($user);
-        return null === $chroot && $this->security->isGranted('ROLE_ACCESS_NODES');
+        return $this->security->isGranted('ROLE_ACCESS_NODES');
     }
 
     private function canEmptyTrash(UserInterface $user): bool