[Improvement] Add voter for voting on having one permission from a set of permissions (#1538)

mcop1 · web-flow · commit 41c144585830 · 2025-11-24T08:51:58.000+01:00
* Added voter for voting on having one permission in a set of permissions

* Apply php-cs-fixer changes
diff --git a/config/security.yaml b/config/security.yaml
@@ -13,6 +13,10 @@ services:
     tags:
       - { name: security.voter }
 
+  Pimcore\Bundle\StudioBackendBundle\Security\Voter\HasOneOfUserPermissionVoter:
+    tags:
+      - { name: security.voter }
+
   Pimcore\Bundle\StudioBackendBundle\Security\Voter\PublicAuthorizationVoter:
     arguments: [ '@request_stack' ]
     tags:
diff --git a/src/Bundle/CustomReport/Controller/Config/GetController.php b/src/Bundle/CustomReport/Controller/Config/GetController.php
@@ -25,11 +25,11 @@
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attribute\Response\DefaultResponses;
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attribute\Response\SuccessResponse;
 use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
+use Pimcore\Bundle\StudioBackendBundle\Security\PermissionsToCheck;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constant\CustomReportPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\HttpResponseCodes;
-use Symfony\Component\ExpressionLanguage\Expression;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\Attribute\Route;
-use Symfony\Component\Security\Http\Attribute\IsGranted;
 use Symfony\Component\Serializer\SerializerInterface;
 
 /**
@@ -51,11 +51,6 @@ public function __construct(
      * @throws Exception
      */
     #[Route(self::ROUTE, name: 'pimcore_studio_api_custom_reports_report', methods: ['GET'])]
-    #[IsGranted(
-        new Expression(
-            'is_granted("reports") or is_granted("reports_permissions")'
-        )
-    )]
     #[Get(
         path: self::PREFIX . self::ROUTE,
         operationId: 'custom_reports_report',
@@ -76,6 +71,14 @@ public function __construct(
     ])]
     public function getByName(string $name): JsonResponse
     {
+        $this->denyAccessUnlessGranted(
+            'HasOneOf',
+            new PermissionsToCheck([
+                CustomReportPermissions::REPORTS_CONFIG->value,
+                CustomReportPermissions::REPORTS->value,
+            ])
+        );
+
         return $this->jsonResponse(
             $this->customReportService->getCustomReportDetails($name)
         );
diff --git a/src/Security/PermissionsToCheck.php b/src/Security/PermissionsToCheck.php
@@ -0,0 +1,32 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * This source file is available under the terms of the
+ * Pimcore Open Core License (POCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (https://www.pimcore.com)
+ *  @license    Pimcore Open Core License (POCL)
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\Security;
+
+use InvalidArgumentException;
+
+final readonly class PermissionsToCheck
+{
+    public function __construct(
+        private array $permissionsToCheck
+    ) {
+        if (empty($this->permissionsToCheck)) {
+            throw new InvalidArgumentException('Permissions to check must not be empty');
+        }
+    }
+
+    public function getPermissionsToCheck(): array
+    {
+        return $this->permissionsToCheck;
+    }
+}
diff --git a/src/Security/Voter/HasOneOfUserPermissionVoter.php b/src/Security/Voter/HasOneOfUserPermissionVoter.php
@@ -0,0 +1,60 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * This source file is available under the terms of the
+ * Pimcore Open Core License (POCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (https://www.pimcore.com)
+ *  @license    Pimcore Open Core License (POCL)
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\Security\Voter;
+
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
+use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * @internal
+ */
+final class HasOneOfUserPermissionVoter extends Voter
+{
+    private const string SUPPORTED_ATTRIBUTE = 'HasOneOf';
+
+    public function __construct(
+        private readonly SecurityServiceInterface $securityService
+
+    ) {
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return $attribute === self::SUPPORTED_ATTRIBUTE;
+    }
+
+    /**
+     * @throws ForbiddenException
+     */
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
+    {
+        foreach ($subject->getPermissionsToCheck() as $permissionToCheck) {
+            if ($this->securityService->getCurrentUser()->isAllowed($permissionToCheck)) {
+                return true;
+            }
+        }
+
+        throw new ForbiddenException(
+            'Access denied. User does not have one of the following permissions: '
+            . implode(
+                ', ', $subject->getPermissionsToCheck()
+            )
+        );
+    }
+}
