<?php
declare(strict_types=1);
/*
* This file is part of the Sonata Project package.
*
* (c) Thomas Rabaix <thomas.rabaix@sonata-project.org>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Sonata\UserBundle\Security\Authorization\Voter;
use FOS\UserBundle\Model\UserInterface;
use Symfony\Component\Security\Acl\Voter\AclVoter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
class UserAclVoter extends AclVoter
{
/**
* {@inheritdoc}
*/
public function supportsClass($class)
{
// support the Object-Scope ACL
return is_subclass_of($class, 'FOS\UserBundle\Model\UserInterface');
}
/**
* {@inheritdoc}
*/
public function supportsAttribute($attribute)
{
return 'EDIT' === $attribute || 'DELETE' === $attribute;
}
/**
* {@inheritdoc}
*/
public function vote(TokenInterface $token, $subject, array $attributes)
{
if (!\is_object($subject) || !$this->supportsClass(\get_class($subject))) {
return self::ACCESS_ABSTAIN;
}
foreach ($attributes as $attribute) {
if ($this->supportsAttribute($attribute) && $subject instanceof UserInterface && $token->getUser() instanceof UserInterface) {
if ($subject->isSuperAdmin() && !$token->getUser()->isSuperAdmin()) {
// deny a non super admin user to edit or delete a super admin user
return self::ACCESS_DENIED;
}
}
}
// leave the permission voting to the AclVoter that is using the default permission map
return self::ACCESS_ABSTAIN;
}
}