diff --git a/app/src/Controller/ClientController.php b/app/src/Controller/ClientController.php index 554300e..71531b6 100755 --- a/app/src/Controller/ClientController.php +++ b/app/src/Controller/ClientController.php @@ -18,6 +18,7 @@ use App\Repository\ClientRepository; use App\Form\CreateClientFormType; use App\Form\CreateClientInsuranceFormType; +use Exception; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; @@ -26,6 +27,7 @@ use Symfony\Component\HttpFoundation\File\UploadedFile; use Symfony\Component\Routing\Annotation\Route; use Symfony\Component\Security\Core\User\UserInterface; +use Symfony\Component\Security\Core\Exception\AccessDeniedException; class ClientController extends AbstractController { @@ -89,11 +91,17 @@ public function create(UserInterface $user, Request $request): Response } #[Route('/client/delete/{id}', methods:['DELETE'])] - public function delete($id) + public function delete($id, UserInterface $user) { $client = $this->getDoctrine()->getRepository(Client::class)->find($id); - $entityManager = $this->getDoctrine()->getManager(); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + + $entityManager = $this->getDoctrine()->getManager(); $entityManager->remove($client); $entityManager->flush(); 
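Review bot: In `delete`, `find($id)` returns null for an unknown id and the new guard then calls `$client->getUser()` on null, so a bad id fails with a 500 before any access decision is made; add `if (!$client) { throw $this->createNotFoundException(); }` ahead of the check. The guard also compares ids with loose `!=` and calls `in_array` without `strict: true`; use `!==` and `in_array('ADMIN', $user->getRoles(), true)`, and confirm that `'ADMIN'` is the exact string your `getRoles()` yields (Symfony's role hierarchy normally expects a `ROLE_` prefix). The same five lines are pasted into edit, insuranceObjects, addInsurance, addInsuranceHome/Auto/Coll/Umbrella/Other, deleteInsurance, editInsurance, uploadIns, deleteInsAttachment, deleteAttachment and upload in the later hunks; a single private helper (or a voter invoked via `$this->denyAccessUnlessGranted`) keeps the check from drifting between actions. The `use Exception;` import added in the first hunk has no visible use in any of these hunks. delete's body continues past the hunk.
```php
    /**
     * Allow the action when the client exists and is owned by $user, or $user is an admin.
     *
     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException when $client is null (unknown id)
     * @throws AccessDeniedException when $user is neither the owner nor an admin
     */
    private function assertCanAccess(?Client $client, UserInterface $user): void
    {
        if ($client === null) {
            throw $this->createNotFoundException();
        }
        if ($client->getUser()->getId() === $user->getId()) {
            return;
        }
        // strict: true so a role value is never loosely coerced
        if (!in_array('ADMIN', $user->getRoles(), true)) {
            throw new AccessDeniedException();
        }
    }

    // … unchanged: #[Route] attribute …
    public function delete($id, UserInterface $user)
    {
        $client = $this->getDoctrine()->getRepository(Client::class)->find($id);
        $this->assertCanAccess($client, $user);
        // … unchanged: remove + flush …
```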
@@ -102,9 +110,16 @@ public function delete($id) } #[Route('/client/edit/{id}')] - public function edit(Request $request, $id): Response + public function edit(Request $request, $id, UserInterface $user): Response { $client = $this->getDoctrine()->getRepository(Client::class)->find($id); + + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + if ($client->getPhoto()) { $photo = new File($this->getParameter('photoDir') . '/' . $client->getPhoto()); $fileName = $photo->getFilename(); @@ -150,10 +165,16 @@ public function edit(Request $request, $id): Response } #[Route('/client/{id}', name: 'insuranceList')] - public function insuranceObjects(ClientRepository $clientRepository, $id) + public function insuranceObjects(ClientRepository $clientRepository, $id, UserInterface $user) { $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $insuranceList = $this->getDoctrine()->getRepository(ClientInsurance::class)->findBy(['clientId' => $id], ['year' => 'desc']); $resInsuranceList = $insuranseObjects = null; 
@@ -196,16 +217,30 @@ public function insuranceObjects(ClientRepository $clientRepository, $id) } #[Route('/client/{id}/add-insurance', name: 'add-insurance')] - public function addInsurance($id) + public function addInsurance($id, ClientRepository $clientRepository, UserInterface $user) { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + return $this->render('client/add-insurance.html.twig', [ 'clientId' => $id ]); } #[Route('/client/{id}/add-insurance-home', name: 'add-insurance-home')] - public function addInsuranceHome(Request $request, $id) + public function addInsuranceHome(Request $request, $id, ClientRepository $clientRepository, UserInterface $user) { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $clientInsurance = new ClientInsurance(); $clientInsurance->setClientId($id); @@ -229,8 +264,15 @@ public function addInsuranceHome(Request $request, $id) } #[Route('/client/{id}/add-insurance-auto', name: 'add-insurance-auto')] - public function addInsuranceAuto(Request $request, $id) + public function addInsuranceAuto(Request $request, $id, ClientRepository $clientRepository, UserInterface $user) { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $clientInsurance = new ClientInsurance(); $clientInsurance->setClientId($id); 
@@ -254,8 +296,15 @@ public function addInsuranceAuto(Request $request, $id) } #[Route('/client/{id}/add-insurance-coll', name: 'add-insurance-coll')] - public function addInsuranceColl(Request $request, $id) + public function addInsuranceColl(Request $request, $id, ClientRepository $clientRepository, UserInterface $user) { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $clientInsurance = new ClientInsurance(); $clientInsurance->setClientId($id); @@ -279,8 +328,15 @@ public function addInsuranceColl(Request $request, $id) } #[Route('/client/{id}/add-insurance-umbrella', name: 'add-insurance-umbrella')] - public function addInsuranceUmbrella(Request $request, $id) + public function addInsuranceUmbrella(Request $request, $id, ClientRepository $clientRepository, UserInterface $user) { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $clientInsurance = new ClientInsurance(); $clientInsurance->setClientId($id); @@ -304,8 +360,15 @@ public function addInsuranceUmbrella(Request $request, $id) } #[Route('/client/{id}/add-insurance-other', name: 'add-insurance-other')] - public function addInsuranceOther(Request $request, $id) + public function addInsuranceOther(Request $request, $id, ClientRepository $clientRepository, UserInterface $user) { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $clientInsurance = new ClientInsurance(); $clientInsurance->setClientId($id); 
@@ -329,9 +392,17 @@ public function addInsuranceOther(Request $request, $id) } #[Route('/client/insurance/delete/{id}', name: 'delete-ins', methods:['DELETE'])] - public function deleteInsurance($id) + public function deleteInsurance($id, ClientRepository $clientRepository, UserInterface $user) { $clientInsurance = $this->getDoctrine()->getRepository(ClientInsurance::class)->find($id); + + $client = $clientRepository->find($clientInsurance->getClientId()); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $entityManager = $this->getDoctrine()->getManager(); $entityManager->remove($clientInsurance); @@ -342,9 +413,17 @@ public function deleteInsurance($id) } #[Route('/client/insurance/edit/{id}', name: 'edit-ins')] - public function editInsurance(UserInterface $user, Request $request, $id): Response + public function editInsurance(UserInterface $user, Request $request, $id, ClientRepository $clientRepository): Response { $insuranse = $this->getDoctrine()->getRepository(ClientInsurance::class)->find($id); + + $client = $clientRepository->find($insuranse->getClientId()); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $type = $insuranse->getInsuranceObjectsTypesId(); $typeName = InsuranceTypes::NAMES[$type]; 
@@ -372,19 +451,26 @@ public function editInsurance(UserInterface $user, Request $request, $id): Respo $entityManager = $this->getDoctrine()->getManager(); $entityManager->flush(); - return $this->redirectToRoute('insuranceList', ['id' => $user->getId()]); + return $this->redirectToRoute('insuranceList', ['id' => $insuranse->getClientId()]); } return $this->render('client/editInsurance.html.twig', [ 'controller_name' => 'ClientController', 'addInsuranceForm' => $form->createView(), - 'clientId' => $user->getId() + 'clientId' => $insuranse->getClientId() ]); } #[Route('/client/{id}/insurance/{insId}/upload-file', name: 'insurance-upload-file')] - public function uploadIns(Request $request, $id, $insId): Response + public function uploadIns(Request $request, $id, $insId, ClientRepository $clientRepository, UserInterface $user): Response { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $attachment = new InsuranceAttachments(); $form = $this->createForm(InsuranceAttachmentsFormType::class, $attachment); $form->handleRequest($request); 
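Review bot: `uploadIns` authorizes only the `{id}` client taken from the route and never checks that `{insId}` belongs to that client, so the ownership check does not cover the insurance record the attachment is actually tied to; resolve the insurance first and tie it to the client, e.g. `$insurance = $this->getDoctrine()->getRepository(ClientInsurance::class)->find($insId);` followed by `if (!$insurance || $insurance->getClientId() !== $client->getId()) { throw $this->createNotFoundException(); }`, or derive the client from the insurance as `deleteInsurance` does. `$client` from `find($id)` can also be null here and would fault on `getUser()`. uploadIns's body continues past the hunk.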
@@ -423,11 +509,19 @@ public function uploadIns(Request $request, $id, $insId): Response } #[Route('/client/insurance/delete-attachment/{attachmentId}', name: 'delete-ins-attachment', methods:['DELETE'])] - public function deleteInsAttachment($attachmentId) + public function deleteInsAttachment($attachmentId, ClientRepository $clientRepository, UserInterface $user) { $attachment = $this->getDoctrine()->getRepository(InsuranceAttachments::class)->find($attachmentId); - $entityManager = $this->getDoctrine()->getManager(); + $insurance = $this->getDoctrine()->getRepository(ClientInsurance::class)->find($attachment->getInsuranceId()); + $client = $clientRepository->find($insurance->getClientId()); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + + $entityManager = $this->getDoctrine()->getManager(); $entityManager->remove($attachment); $entityManager->flush(); @@ -436,11 +530,18 @@ public function deleteInsAttachment($attachmentId) } #[Route('/client/delete-attachment/{id}', name: 'delete-attachment', methods:['DELETE'])] - public function deleteAttachment($id) + public function deleteAttachment($id, ClientRepository $clientRepository, UserInterface $user) { $attachment = $this->getDoctrine()->getRepository(Attachments::class)->find($id); - $entityManager = $this->getDoctrine()->getManager(); + $client = $clientRepository->find($attachment->getUserId()); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + + $entityManager = $this->getDoctrine()->getManager(); $entityManager->remove($attachment); $entityManager->flush(); 
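Review bot: In `deleteAttachment` the client is fetched with `$clientRepository->find($attachment->getUserId())`, so a value named as a user id is used as a `Client` primary key, while the sibling `deleteInsAttachment` resolves the client through `getClientId()`; if `Attachments::userId` really holds the owning user's id rather than the client's, this guard compares against an unrelated record and does not establish ownership of the attachment. Confirm what the field stores and, if it is a user id, compare it to `$user->getId()` directly, e.g. `if ($attachment->getUserId() !== $user->getId() && !in_array('ADMIN', $user->getRoles(), true)) { throw new AccessDeniedException(); }`. Both `$attachment` and the looked-up `$client` can be null from `find()` and should be turned into a 404 before dereferencing. deleteAttachment's body continues past the hunk.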
@@ -449,8 +550,15 @@ public function deleteAttachment($id) } #[Route('/client/{id}/upload-file', name: 'upload-file')] - public function upload(Request $request, $id): Response + public function upload(Request $request, $id, ClientRepository $clientRepository, UserInterface $user): Response { + $client = $clientRepository->find($id); + if ($client->getUser()->getId() != $user->getId()) { + if (!in_array('ADMIN', $user->getRoles())) { + throw new AccessDeniedException(); + } + } + $attachment = new Attachments(); $form = $this->createForm(AttachmentsFormType::class, $attachment); $form->handleRequest($request);