Internal: Move code to ResourceAclHelper

Author: AngelFQC

src/CoreBundle/Helpers/ResourceAclHelper.php

@@ -0,0 +1,101 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\Helpers;
+
+use Chamilo\CoreBundle\Entity\ResourceLink;
+use Chamilo\CoreBundle\Security\Authorization\Voter\ResourceNodeVoter;
+use Laminas\Permissions\Acl\Acl;
+use Laminas\Permissions\Acl\Resource\GenericResource;
+use Laminas\Permissions\Acl\Role\GenericRole;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Acl\Permission\MaskBuilder;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+readonly class ResourceAclHelper
+{
+    public function __construct(
+        private Security $security,
+    ) { }
+
+    public function isAllowed(
+        string $attribute,
+        ResourceLink $resourceLink,
+        iterable $rights,
+        bool $allowAnonsToView,
+    ): bool {
+        // Creating roles
+        $anon = new GenericRole('IS_AUTHENTICATED_ANONYMOUSLY');
+        $userRole = new GenericRole('ROLE_USER');
+        $student = new GenericRole('ROLE_STUDENT');
+        $teacher = new GenericRole('ROLE_TEACHER');
+        $studentBoss = new GenericRole('ROLE_STUDENT_BOSS');
+
+        $currentStudent = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_STUDENT);
+        $currentTeacher = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_TEACHER);
+
+        $currentStudentGroup = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_GROUP_STUDENT);
+        $currentTeacherGroup = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_GROUP_TEACHER);
+
+        $currentStudentSession = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_STUDENT);
+        $currentTeacherSession = new GenericRole(ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_TEACHER);
+
+        // Setting Simple ACL.
+        $acl = (new Acl())
+            ->addRole($anon)
+            ->addRole($userRole)
+            ->addRole($student)
+            ->addRole($teacher)
+            ->addRole($studentBoss)
+
+            ->addRole($currentStudent)
+            ->addRole($currentTeacher, ResourceNodeVoter::ROLE_CURRENT_COURSE_STUDENT)
+
+            ->addRole($currentStudentSession)
+            ->addRole($currentTeacherSession, ResourceNodeVoter::ROLE_CURRENT_COURSE_SESSION_STUDENT)
+
+            ->addRole($currentStudentGroup)
+            ->addRole($currentTeacherGroup, ResourceNodeVoter::ROLE_CURRENT_COURSE_GROUP_STUDENT)
+        ;
+
+        // Add a security resource.
+        $acl->addResource(new GenericResource((string) $resourceLink->getId()));
+
+        // Check all the right this link has.
+        // Set rights from the ResourceRight.
+        foreach ($rights as $right) {
+            $acl->allow($right->getRole(), null, (string) $right->getMask());
+        }
+
+        // Anons can see.
+        if ($allowAnonsToView) {
+            $acl->allow($anon, null, (string) ResourceNodeVoter::getReaderMask());
+        }
+
+        // Asked mask
+        $mask = new MaskBuilder();
+        $mask->add($attribute);
+
+        $askedMask = (string) $mask->get();
+
+        if ($this->security->getToken() instanceof NullToken) {
+            return (bool) $acl->isAllowed('IS_AUTHENTICATED_ANONYMOUSLY', $resourceLink->getId(), $askedMask);
+        }
+
+        $user = $this->security->getUser();
+
+        $roles = $user instanceof UserInterface ? $user->getRoles() : [];
+
+        foreach ($roles as $role) {
+            if ($acl->isAllowed($role, $resourceLink->getId(), $askedMask)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

src/CoreBundle/Security/Authorization/Voter/ResourceNodeVoter.php

@@ -11,6 +11,7 @@
 use Chamilo\CoreBundle\Entity\ResourceNode;
 use Chamilo\CoreBundle\Entity\ResourceRight;
 use Chamilo\CoreBundle\Entity\Session;
+use Chamilo\CoreBundle\Helpers\ResourceAclHelper;
 use Chamilo\CoreBundle\Settings\SettingsManager;
 use Chamilo\CourseBundle\Entity\CDocument;
 use Chamilo\CourseBundle\Entity\CGroup;
@@ -51,7 +52,8 @@ public function __construct(
         private Security $security,
         private RequestStack $requestStack,
         private SettingsManager $settingsManager,
-        private EntityManagerInterface $entityManager
+        private EntityManagerInterface $entityManager,
+        private readonly ResourceAclHelper $resourceAclHelper,
     ) {}
 
     public static function getReaderMask(): int
@@ -445,75 +447,7 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
             $rights[] = $resourceRight;
         }
 
-        // Asked mask
-        $mask = new MaskBuilder();
-        $mask->add($attribute);
-
-        $askedMask = (string) $mask->get();
-
-        // Creating roles
-        // @todo move this in a service
-        $anon = new GenericRole('IS_AUTHENTICATED_ANONYMOUSLY');
-        $userRole = new GenericRole('ROLE_USER');
-        $student = new GenericRole('ROLE_STUDENT');
-        $teacher = new GenericRole('ROLE_TEACHER');
-        $studentBoss = new GenericRole('ROLE_STUDENT_BOSS');
-
-        $currentStudent = new GenericRole(self::ROLE_CURRENT_COURSE_STUDENT);
-        $currentTeacher = new GenericRole(self::ROLE_CURRENT_COURSE_TEACHER);
-
-        $currentStudentGroup = new GenericRole(self::ROLE_CURRENT_COURSE_GROUP_STUDENT);
-        $currentTeacherGroup = new GenericRole(self::ROLE_CURRENT_COURSE_GROUP_TEACHER);
-
-        $currentStudentSession = new GenericRole(self::ROLE_CURRENT_COURSE_SESSION_STUDENT);
-        $currentTeacherSession = new GenericRole(self::ROLE_CURRENT_COURSE_SESSION_TEACHER);
-
-        // Setting Simple ACL.
-        $acl = (new Acl())
-            ->addRole($anon)
-            ->addRole($userRole)
-            ->addRole($student)
-            ->addRole($teacher)
-            ->addRole($studentBoss)
-
-            ->addRole($currentStudent)
-            ->addRole($currentTeacher, self::ROLE_CURRENT_COURSE_STUDENT)
-
-            ->addRole($currentStudentSession)
-            ->addRole($currentTeacherSession, self::ROLE_CURRENT_COURSE_SESSION_STUDENT)
-
-            ->addRole($currentStudentGroup)
-            ->addRole($currentTeacherGroup, self::ROLE_CURRENT_COURSE_GROUP_STUDENT)
-        ;
-
-        // Add a security resource.
-        $linkId = (string) $link->getId();
-        $acl->addResource(new GenericResource($linkId));
-
-        // Check all the right this link has.
-        // Set rights from the ResourceRight.
-        foreach ($rights as $right) {
-            $acl->allow($right->getRole(), null, (string) $right->getMask());
-        }
-
-        // Anons can see.
-        if ($allowAnonsToView) {
-            $acl->allow($anon, null, (string) self::getReaderMask());
-        }
-
-        if ($token instanceof NullToken) {
-            return $acl->isAllowed('IS_AUTHENTICATED_ANONYMOUSLY', $linkId, $askedMask);
-        }
-
-        $roles = $user instanceof UserInterface ? $user->getRoles() : [];
-
-        foreach ($roles as $role) {
-            if ($acl->isAllowed($role, $linkId, $askedMask)) {
-                return true;
-            }
-        }
-
-        return false;
+        return $this->resourceAclHelper->isAllowed($attribute, $link, $rights, $allowAnonsToView);
     }
 
     private function isBlogResource(ResourceNode $node): bool