From 3a43416377b800081ec71d42fbd84a323c6ab89b Mon Sep 17 00:00:00 2001
From: roadiz-ci
Date: Thu, 13 Jun 2024 14:23:42 +0000
Subject: [PATCH] Merge branch hotfix/v2.3.9
---
 config/services.yaml | 2 +-
 .../Voter/NodeTypeFieldVoter.php | 62 +++++++++++++++++++
 .../Authorization/Voter/NodeVoter.php | 6 +-
 3 files changed, 67 insertions(+), 3 deletions(-)
 create mode 100644 src/Security/Authorization/Voter/NodeTypeFieldVoter.php
diff --git a/config/services.yaml b/config/services.yaml
index 49fce77b..2a784a1b 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -1,6 +1,6 @@
 ---
 parameters:
- roadiz_core.cms_version: '2.3.8'
+ roadiz_core.cms_version: '2.3.9'
 roadiz_core.cms_version_prefix: 'main'
 env(APP_NAMESPACE): "roadiz"
 env(APP_VERSION): "0.1.0"
diff --git a/src/Security/Authorization/Voter/NodeTypeFieldVoter.php b/src/Security/Authorization/Voter/NodeTypeFieldVoter.php
new file mode 100644
index 00000000..eb55732c
--- /dev/null
+++ b/src/Security/Authorization/Voter/NodeTypeFieldVoter.php
@@ -0,0 +1,62 @@
+getUser();
+
+ if (!$user instanceof UserInterface) {
+ // the user must be logged in; if not, deny access
+ return false;
+ }
+
+ return match ($attribute) {
+ self::VIEW => $this->canView($subject, $user),
+ default => throw new \LogicException('This code should not be reached!')
+ };
+ }
+
+ private function canView(NodeTypeField $field, UserInterface $user): bool
+ {
+ if ($field->isNodes() && !$this->security->isGranted(NodeVoter::SEARCH)) {
+ return false;
+ }
+ if ($field->isDocuments() && !$this->security->isGranted('ROLE_ACCESS_DOCUMENTS')) {
+ return false;
+ }
+ if ($field->isUser() && !$this->security->isGranted('ROLE_ACCESS_USERS')) {
+ return false;
+ }
+ if ($field->isCustomForms() && !$this->security->isGranted('ROLE_ACCESS_CUSTOMFORMS')) {
+ return false;
+ }
+
+ return true;
+ }
+}
diff --git a/src/Security/Authorization/Voter/NodeVoter.php b/src/Security/Authorization/Voter/NodeVoter.php
index 7ddffd07..ef535c36 100644
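Review bot: `canView()` in NodeTypeFieldVoter.php fails open: its final `return true;` grants VIEW to any authenticated user for every field kind not covered by the four checks above it, so a field kind added later that references another protected entity stays viewable until this method is extended. If that is intended, state it above the method, e.g. `// Deny-list on purpose: field kinds without a dedicated role check are viewable by any logged-in user.`; otherwise enumerate the harmless kinds and end with `return false;`. The `$user` argument is never read, and all four checks go through `$this->security`, which presumably evaluates the current request's token rather than the `$token` handed to the voter, so a short comment recording that assumption would help. The top of the new file (class declaration, `supports()`) is not visible on this page, so this covers only the lines shown.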
--- a/src/Security/Authorization/Voter/NodeVoter.php
+++ b/src/Security/Authorization/Voter/NodeVoter.php
@@ -160,10 +160,12 @@ private function canReadAtRoot(UserInterface $user): bool
 return null === $chroot && $this->security->isGranted('ROLE_ACCESS_NODES');
 }
+ /*
+ * All node users can search even if they are chroot-ed
+ */
 private function canSearch(UserInterface $user): bool
 {
- $chroot = $this->chrootResolver->getChroot($user);
- return null === $chroot && $this->security->isGranted('ROLE_ACCESS_NODES');
+ return $this->security->isGranted('ROLE_ACCESS_NODES');
 }
 private function canEmptyTrash(UserInterface $user): bool
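Review bot: With the chroot test removed from `canSearch()`, nothing in this voter keeps a chroot-ed user's search inside their own subtree, and the added comment does not say where that restriction is enforced instead. It is worth confirming that the search and node-explorer queries apply the chroot themselves and recording it in the comment, e.g. `* All node users can search even if they are chroot-ed; results are limited to the chroot by the search query, not by this voter.`, adjusted to wherever the scoping actually lives. `$user` is now unused in the method, and the comment would be picked up by documentation tooling if it opened with `/**`.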