feat : allow client to edit own tickets and protect status fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -36,7 +36,7 @@ use Symfony\Component\Serializer\Attribute\Groups;
|
|||||||
processor: ClientTicketNumberProcessor::class,
|
processor: ClientTicketNumberProcessor::class,
|
||||||
),
|
),
|
||||||
new Patch(
|
new Patch(
|
||||||
security: "is_granted('ROLE_ADMIN')",
|
security: "is_granted('ROLE_ADMIN') or (is_granted('ROLE_CLIENT') and object.getSubmittedBy() == user)",
|
||||||
processor: ClientTicketStatusProcessor::class,
|
processor: ClientTicketStatusProcessor::class,
|
||||||
),
|
),
|
||||||
new Delete(security: "is_granted('ROLE_ADMIN')"),
|
new Delete(security: "is_granted('ROLE_ADMIN')"),
|
||||||
|
|||||||
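Review bot: The new Patch security expression only gates who may call the operation; it does not limit which fields that caller may change, and the processor it pairs with (`ClientTicketStatusProcessor`, visible in this hunk) appears to restore only status and statusComment. Any other admin-managed attribute on the entity remains writable by a client through PATCH unless the serializer `Groups` already keep it out of the denormalization input — worth confirming against the entity's group attributes, which are outside this hunk. Separately, `object.getSubmittedBy() == user` uses the expression language's loose `==`, which for two objects is PHP's property-wise comparison rather than identity; if the intent is "the same user entity", `object.getSubmittedBy() === user` states that explicitly, and `getSubmittedBy()` returning null still evaluates to false in both forms.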
@@ -10,6 +10,7 @@ use App\Entity\ClientTicket;
|
|||||||
use App\Service\NotificationService;
|
use App\Service\NotificationService;
|
||||||
use DateTimeImmutable;
|
use DateTimeImmutable;
|
||||||
use Doctrine\ORM\EntityManagerInterface;
|
use Doctrine\ORM\EntityManagerInterface;
|
||||||
|
use Symfony\Bundle\SecurityBundle\Security;
|
||||||
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -25,6 +26,7 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
|
|||||||
public function __construct(
|
public function __construct(
|
||||||
private EntityManagerInterface $entityManager,
|
private EntityManagerInterface $entityManager,
|
||||||
private NotificationService $notificationService,
|
private NotificationService $notificationService,
|
||||||
|
private Security $security,
|
||||||
) {}
|
) {}
|
||||||
|
|
||||||
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
|
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ClientTicket
|
||||||
@@ -32,6 +34,13 @@ final readonly class ClientTicketStatusProcessor implements ProcessorInterface
|
|||||||
assert($data instanceof ClientTicket);
|
assert($data instanceof ClientTicket);
|
||||||
|
|
||||||
$originalData = $context['previous_data'] ?? null;
|
$originalData = $context['previous_data'] ?? null;
|
||||||
|
|
||||||
|
// ROLE_CLIENT: can only edit content fields, not status
|
||||||
|
if (!$this->security->isGranted('ROLE_ADMIN') && $originalData instanceof ClientTicket) {
|
||||||
|
$data->setStatus($originalData->getStatus());
|
||||||
|
$data->setStatusComment($originalData->getStatusComment());
|
||||||
|
}
|
||||||
|
|
||||||
if ($originalData instanceof ClientTicket) {
|
if ($originalData instanceof ClientTicket) {
|
||||||
$oldStatus = $originalData->getStatus();
|
$oldStatus = $originalData->getStatus();
|
||||||
$newStatus = $data->getStatus();
|
$newStatus = $data->getStatus();
|
||||||
|
|||||||
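Review bot: The non-admin guard `if (!$this->security->isGranted('ROLE_ADMIN') && $originalData instanceof ClientTicket)` fails open: whenever `previous_data` is missing from the context the whole block is skipped and the status and statusComment supplied by the client are persisted unchanged. The guard should fail closed, i.e. decide on the role first and refuse the request when the persisted state needed to restore the protected fields is not available; `BadRequestHttpException` is already imported in this file, so it is the cheapest choice, though a server-side exception type would also be defensible since a missing `previous_data` is a wiring problem rather than a client error. The processor does not re-check ticket ownership itself, so this logic stays correct only while the Patch operation's security expression keeps non-admins to their own tickets — a one-line comment on the block saying so would help the next maintainer. The `if ($originalData instanceof ClientTicket)` block that compares `$oldStatus` and `$newStatus` continues past the end of this hunk.
```php
$originalData = $context['previous_data'] ?? null;

// ROLE_CLIENT: can only edit content fields, not status.
// Ownership is enforced by the Patch operation's security expression, not here.
if (!$this->security->isGranted('ROLE_ADMIN')) {
    if (!$originalData instanceof ClientTicket) {
        // Without the persisted state the protected fields cannot be restored: refuse rather than trust the payload.
        throw new BadRequestHttpException('Previous ticket state is unavailable.');
    }
    $data->setStatus($originalData->getStatus());
    $data->setStatusComment($originalData->getStatusComment());
}
// … unchanged: status-change comparison and notification …
```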