feat : wip

src/Security/Voter/WorkHourVoter.php

@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security\Voter;
+
+use App\Entity\User;
+use App\Entity\WorkHour;
+use App\Security\EmployeeScopeService;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+class WorkHourVoter extends Voter
+{
+    public const string VIEW = 'WORK_HOUR_VIEW';
+    public const string EDIT = 'WORK_HOUR_EDIT';
+
+    public function __construct(
+        private readonly Security $security,
+        private readonly EmployeeScopeService $employeeScopeService,
+    ) {}
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return in_array($attribute, [self::VIEW, self::EDIT], true) && $subject instanceof WorkHour;
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
+    {
+        // On ne traite que des utilisateurs applicatifs authentifiés.
+        $user = $this->security->getUser();
+        if (!$user instanceof User) {
+            return false;
+        }
+
+        if (!$subject instanceof WorkHour) {
+            return false;
+        }
+
+        $employee = $subject->getEmployee();
+        if (null === $employee) {
+            return false;
+        }
+
+        // Délégation de la règle au service de scope unique (évite la duplication).
+        return $this->employeeScopeService->canAccessEmployee($user, $employee);
+    }
+}