From 398b7a84fb612ff5411c983fcc8c82663bc865c9 Mon Sep 17 00:00:00 2001
From: roadiz-ci
Date: Thu, 13 Jun 2024 14:23:24 +0000
Subject: [PATCH] Merge tag v2.3.9 into develop
---
 .../Voter/NodeTypeFieldVoter.php | 62 +++++++++++++++++++
 .../Authorization/Voter/NodeVoter.php | 6 +-
 2 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 src/Security/Authorization/Voter/NodeTypeFieldVoter.php
diff --git a/src/Security/Authorization/Voter/NodeTypeFieldVoter.php b/src/Security/Authorization/Voter/NodeTypeFieldVoter.php
new file mode 100644
index 00000000..eb55732c
--- /dev/null
+++ b/src/Security/Authorization/Voter/NodeTypeFieldVoter.php
@@ -0,0 +1,62 @@
+getUser();
+
+ if (!$user instanceof UserInterface) {
+ // the user must be logged in; if not, deny access
+ return false;
+ }
+
+ return match ($attribute) {
+ self::VIEW => $this->canView($subject, $user),
+ default => throw new \LogicException('This code should not be reached!')
+ };
+ }
+
+ private function canView(NodeTypeField $field, UserInterface $user): bool
+ {
+ if ($field->isNodes() && !$this->security->isGranted(NodeVoter::SEARCH)) {
+ return false;
+ }
+ if ($field->isDocuments() && !$this->security->isGranted('ROLE_ACCESS_DOCUMENTS')) {
+ return false;
+ }
+ if ($field->isUser() && !$this->security->isGranted('ROLE_ACCESS_USERS')) {
+ return false;
+ }
+ if ($field->isCustomForms() && !$this->security->isGranted('ROLE_ACCESS_CUSTOMFORMS')) {
+ return false;
+ }
+
+ return true;
+ }
+}
diff --git a/src/Security/Authorization/Voter/NodeVoter.php b/src/Security/Authorization/Voter/NodeVoter.php
index ca17f851..54187b57 100644
--- a/src/Security/Authorization/Voter/NodeVoter.php
+++ b/src/Security/Authorization/Voter/NodeVoter.php
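Review bot: `NodeTypeFieldVoter::canView()` is allow-by-default: a field that matches none of the four `is…()` checks falls through to `return true` for any logged-in user, so a field type added later that references another protected area stays viewable until a branch is added here. A short docblock should state that contract, e.g. `/** Denies only reference fields (nodes, documents, users, custom forms) whose target area the user cannot access; every other field is viewable. */`. The `$user` parameter is never read in `canView()`, since every check goes through `$this->security`. The top of this new file (class header, `supports()`, the start of `voteOnAttribute()`) is not visible on this page, so the note covers only the visible lines.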
@@ -161,10 +161,12 @@ private function canReadAtRoot(UserInterface $user): bool
 return null === $chroot && $this->security->isGranted('ROLE_ACCESS_NODES');
 }
+ /*
+ * All node users can search even if they are chroot-ed
+ */
 private function canSearch(UserInterface $user): bool
 {
- $chroot = $this->chrootResolver->getChroot($user);
- return null === $chroot && $this->security->isGranted('ROLE_ACCESS_NODES');
+ return $this->security->isGranted('ROLE_ACCESS_NODES');
 }
 private function canEmptyTrash(UserInterface $user): bool
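Review bot: `canSearch()` no longer consults `chrootResolver`, so SEARCH is now granted to every `ROLE_ACCESS_NODES` user, and nothing in this hunk shows where search results are confined to the user's chroot subtree. If the search endpoints and node pickers behind this attribute do not filter by chroot themselves, a chroot-ed user would see nodes outside their branch; a test with a chroot-ed account would confirm the scoping. The comment should say where that restriction lives, e.g. `/** SEARCH is not chroot-restricted; callers must limit results to the user's chroot. */`, written as a `/** */` docblock rather than `/* */`. `$user` is now unused in the method body.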