src/Aqarmap/Bundle/UserBundle/EventListener/SwitchUserSubscriber.php line 56

Open in your IDE?
  1. <?php
  3. namespace Aqarmap\Bundle\UserBundle\EventListener;
  5. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  6. use Symfony\Component\HttpFoundation\RedirectResponse;
  7. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  8. use Symfony\Component\Routing\RouterInterface;
  9. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  10. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  11. use Symfony\Component\Security\Core\Security;
  12. use Symfony\Component\Security\Core\User\UserInterface;
  13. use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
  14. use Symfony\Component\Security\Http\Event\SwitchUserEvent;
  15. use Symfony\Component\Security\Http\SecurityEvents;
  16. use Symfony\Contracts\Translation\TranslatorInterface;
  18. class SwitchUserSubscriber implements EventSubscriberInterface
  19. {
  20.     /**
  21.      * @var RouterInterface
  22.      */
  23.     private $router;
  25.     /**
  26.      * @var SessionInterface
  27.      */
  28.     private $session;
  30.     /**
  31.      * @var RoleHierarchyInterface
  32.      */
  33.     private $roleHierarchy;
  35.     /** @var TranslatorInterface */
  36.     private $translator;
  38.     /** @var Security */
  39.     private $security;
  41.     public function __construct(
  42.         RouterInterface $router,
  43.         SessionInterface $session,
  44.         TokenStorageInterface $tokenStorage,
  45.         RoleHierarchyInterface $roleHierarchy,
  46.         TranslatorInterface $translator,
  47.         Security $security
  48.     ) {
  49.         $this->router $router;
  50.         $this->session $session;
  51.         $this->roleHierarchy $roleHierarchy;
  52.         $this->translator $translator;
  53.         $this->security $security;
  54.     }
  56.     public function onSwitchUser(SwitchUserEvent $event): void
  57.     {
  58.         $token $this->security->getToken();
  60.         $impersonatedUser $event->getTargetUser();
  62.         if ($token instanceof SwitchUserToken) {
  63.             $impersonatorUser $token->getUser();
  64.         }
  66.         if (isset($impersonatorUser)) {
  67.             $this->backToAdmin($impersonatedUser$event);
  68.         } else {
  69.             $this->allowUserToSwitch($impersonatedUser$event$token);
  70.         }
  71.     }
  73.     public static function getSubscribedEvents()
  74.     {
  75.         return [
  76.             SecurityEvents::SWITCH_USER => 'onSwitchUser',
  77.         ];
  78.     }
  80.     /**
  81.      * @return RedirectResponse|void
  82.      */
  83.     private function allowUserToSwitch(UserInterface $impersonatedUser$event$token)
  84.     {
  85.         if ($this->hasRoleSuperAdmin($impersonatedUser) || $this->hasRoleAdmin($impersonatedUser)) {
  86.             $this->session->getFlashBag()->add(
  87.                 'danger',
  88.                 $this->translator->trans('switch_user.error_message')
  89.             );
  91.             $response = new RedirectResponse(
  92.                 $this->router->generate('aqarmap_admin_user')
  93.             );
  95.             // Set the token to the impersonator User's token to stop the switching
  96.             $event->setToken($token);
  98.             return $response->send();
  99.         }
  100.     }
  102.     /**
  103.      * @return void
  104.      */
  105.     private function backToAdmin(UserInterface $impersonatorUserSwitchUserEvent $event)
  106.     {
  107.         if ($this->hasRoleSwitchAccount($impersonatorUser)) {
  108.             $this->session->getFlashBag()->add(
  109.                 'success',
  110.                 $this->translator->trans('switch_user.back_to_admin')
  111.             );
  113.             $response = new RedirectResponse(
  114.                 $this->router->generate('aqarmap_admin_user')
  115.             );
  117.             // Set the token to the impresonatorUser's token to stop the switching
  118.             $event->setToken($event->getToken());
  120.             return $response->send();
  121.         }
  122.     }
  124.     /**
  125.      * Check if the user has ROLE_SUPER_ADMIN in its role hierarchy.
  126.      */
  127.     private function hasRoleSuperAdmin(UserInterface $user): bool
  128.     {
  129.         return $this->isGranted($user'ROLE_SUPER_ADMIN');
  130.     }
  132.     /**
  133.      * Check if the user has ROLE_ADMIN in its role hierarchy.
  134.      */
  135.     private function hasRoleAdmin(UserInterface $user): bool
  136.     {
  137.         return $this->isGranted($user'ROLE_ADMIN');
  138.     }
  140.     /**
  141.      * Check if the user has ROLE_SWITCH_ACCOUNT in its role hierarchy.
  142.      */
  143.     private function hasRoleSwitchAccount(UserInterface $user): bool
  144.     {
  145.         return $this->isGranted($user'ROLE_SWITCH_ACCOUNT');
  146.     }
  148.     private function isGranted(UserInterface $userstring $role): bool
  149.     {
  150.         $hasRole false;
  152.         $reachableRoles $this->roleHierarchy->getReachableRoleNames($user->getRoles());
  154.         $reachableRoles array_unique($reachableRoles);
  156.         foreach ($reachableRoles as $reachableRole) {
  157.             if ($reachableRole === $role) {
  158.                 $hasRole true;
  159.             }
  160.         }
  162.         return $hasRole;
  163.     }
  164. }