diff --git a/src/Entity/ClientTicket.php b/src/Entity/ClientTicket.php
index ac7d5db..e4daf47 100644
--- a/src/Entity/ClientTicket.php
+++ b/src/Entity/ClientTicket.php
@@ -36,7 +36,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
 processor: ClientTicketNumberProcessor::class,
 ),
 new Patch(
- security: "is_granted('ROLE_ADMIN')",
+ security: "is_granted('ROLE_ADMIN') or (is_granted('ROLE_CLIENT') and object.getSubmittedBy() == user)",
 processor: ClientTicketStatusProcessor::class,
 ),
 new Delete(security: "is_granted('ROLE_ADMIN')"),
diff --git a/src/State/ClientTicketStatusProcessor.php b/src/State/ClientTicketStatusProcessor.php
index 2b229f1..747f295 100644
--- a/src/State/ClientTicketStatusProcessor.php
+++ b/src/State/ClientTicketStatusProcessor.php
@@ -10,6 +10,7 @@ use App\Entity\ClientTicket;
 use App\Service\NotificationService;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 /**
@@ -25,6 +26,7 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
 public function __construct(
 private EntityManagerInterface $entityManager,
 private NotificationService $notificationService,
+ private Security $security,
 ) {}
 
 public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
@@ -32,6 +34,13 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
 assert($data instanceof ClientTicket);
 $originalData = $context['previous_data'] ?? null;
+
+ // ROLE_CLIENT: can only edit content fields, not status
+ if (!$this->security->isGranted('ROLE_ADMIN') && $originalData instanceof ClientTicket) {
+ $data->setStatus($originalData->getStatus());
+ $data->setStatusComment($originalData->getStatusComment());
+ }
+
 if ($originalData instanceof ClientTicket) {
 $oldStatus = $originalData->getStatus();
 $newStatus = $data->getStatus();
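Review bot: The widened `security:` rule on the Patch operation admits the submitting client to the whole operation, but nothing in this hunk limits which fields that client may change; the only field-level control is in ClientTicketStatusProcessor later in this diff, which silently copies the previous status and statusComment back onto the entity rather than rejecting the request, and which does nothing when `previous_data` is absent from the context. Whether a client can also rewrite fields such as the submitter is decided by the serializer groups, which are not visible here, so that should be confirmed before merging. I'd record the intent next to the rule, e.g. `// Clients may patch their own ticket; non-admin status changes are discarded in ClientTicketStatusProcessor` above the `security:` line, and consider having the processor throw (a 403 or the existing BadRequestHttpException) when a non-admin submits a changed status instead of overwriting it. The attribute list this Patch belongs to starts and ends outside the hunk.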