fix access to visite editing #3100

MTES-MCT · Sep 27, 2024 · a94d907 · a94d907
1 parent 45e0b53
commit a94d907
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 23 deletions.
diff --git a/src/Controller/Back/SignalementVisitesController.php b/src/Controller/Back/SignalementVisitesController.php
@@ -142,7 +142,7 @@ public function cancelVisiteFromSignalement(
 
             return $this->redirectToRoute('back_index');
         }
-        $this->denyAccessUnlessGranted('SIGN_ADD_VISITE', $signalement);
+        $this->denyAccessUnlessGranted('SIGN_EDIT_VISITE', $intervention);
 
         if ($intervention->hasScheduledDatePassed()) {
             $this->addFlash('error', 'Cette visite est déja passée et ne peut pas être annulée, merci de la noter comme non-effectuée.');
@@ -196,7 +196,7 @@ public function rescheduleVisiteFromSignalement(
 
             return $this->redirectToRoute('back_index');
         }
-        $this->denyAccessUnlessGranted('SIGN_ADD_VISITE', $signalement);
+        $this->denyAccessUnlessGranted('SIGN_EDIT_VISITE', $intervention);
 
         $errorRedirect = $this->getSecurityRedirect(
             $signalement,
@@ -264,7 +264,7 @@ public function confirmVisiteFromSignalement(
 
             return $this->redirectToRoute('back_index');
         }
-        $this->denyAccessUnlessGranted('SIGN_ADD_VISITE', $signalement);
+        $this->denyAccessUnlessGranted('SIGN_EDIT_VISITE', $intervention);
 
         $errorRedirect = $this->getSecurityRedirect(
             $signalement,
@@ -317,7 +317,7 @@ public function editVisiteFromSignalement(
 
             return $this->redirectToRoute('back_index');
         }
-        $this->denyAccessUnlessGranted('SIGN_ADD_VISITE', $signalement);
+        $this->denyAccessUnlessGranted('SIGN_EDIT_VISITE', $intervention);
 
         $errorRedirect = $this->getSecurityRedirect(
             $signalement,
@@ -358,7 +358,7 @@ public function deleteRapportVisiteFromSignalement(
         EntityManagerInterface $entityManager,
         UploadHandlerService $uploadHandlerService,
     ): Response {
-        $this->denyAccessUnlessGranted('SIGN_ADD_VISITE', $intervention->getSignalement());
+        $this->denyAccessUnlessGranted('SIGN_EDIT_VISITE', $intervention);
         if (!$this->isCsrfTokenValid('delete_rapport', $request->get('_token')) || $intervention->getSignalement()->getId() !== $signalement->getId() || $intervention->getFiles()->isEmpty()) {
             return $this->redirectToRoute('back_signalement_view', ['uuid' => $signalement->getUuid()]);
         }

diff --git a/src/Security/Voter/SignalementVoter.php b/src/Security/Voter/SignalementVoter.php
@@ -5,6 +5,7 @@
 use App\Entity\Affectation;
 use App\Entity\Enum\Qualification;
 use App\Entity\Enum\QualificationStatus;
+use App\Entity\Intervention;
 use App\Entity\Signalement;
 use App\Entity\User;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -20,6 +21,7 @@ class SignalementVoter extends Voter
     public const EDIT = 'SIGN_EDIT';
     public const VIEW = 'SIGN_VIEW';
     public const ADD_VISITE = 'SIGN_ADD_VISITE';
+    public const EDIT_VISITE = 'SIGN_EDIT_VISITE';
     public const USAGER_EDIT = 'SIGN_USAGER_EDIT';
     public const EDIT_NDE = 'SIGN_EDIT_NDE';
 
@@ -29,8 +31,9 @@ public function __construct(private Security $security)
 
     protected function supports(string $attribute, $subject): bool
     {
-        return \in_array($attribute, [self::EDIT, self::VIEW, self::DELETE, self::VALIDATE, self::CLOSE, self::ADD_VISITE, self::USAGER_EDIT, self::EDIT_NDE])
-            && ($subject instanceof Signalement);
+        return (\in_array($attribute, [self::EDIT, self::VIEW, self::DELETE, self::VALIDATE, self::CLOSE, self::ADD_VISITE, self::USAGER_EDIT, self::EDIT_NDE])
+            && ($subject instanceof Signalement))
+            || (\in_array($attribute, [self::EDIT_VISITE]) && ($subject instanceof Intervention));
     }
 
     protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
@@ -49,6 +52,10 @@ protected function voteOnAttribute(string $attribute, $subject, TokenInterface $
             return $this->canAddVisite($subject, $user);
         }
 
+        if (self::EDIT_VISITE == $attribute) {
+            return $this->canEditVisite($subject, $user);
+        }
+
         if (self::EDIT_NDE == $attribute) {
             return $this->canEditNDE($subject, $user);
         }
@@ -150,6 +157,19 @@ public function canAddVisite(Signalement $signalement, User $user): bool
         return $user->isSuperAdmin() || $isUserInAffectedPartnerWithQualificationVisite || $isUserTerritoryAdminOfSignalementTerritory;
     }
 
+    public function canEditVisite(Intervention $intervention, User $user): bool
+    {
+        $signalement = $intervention->getSignalement();
+        if (Signalement::STATUS_ACTIVE !== $signalement->getStatut()) {
+            return false;
+        }
+
+        $isUserInPartnerAffectedToVisite = $user->getPartner() === $intervention->getPartner();
+        $isUserTerritoryAdminOfSignalementTerritory = $user->isTerritoryAdmin() && $user->getTerritory() === $signalement->getTerritory();
+
+        return $user->isSuperAdmin() || $isUserInPartnerAffectedToVisite || $isUserTerritoryAdminOfSignalementTerritory;
+    }
+
     private function canEditNDE(Signalement $signalement, User $user): bool
     {
         $signalementQualificationNDE = $signalement->getSignalementQualifications()->filter(function ($qualification) {

diff --git a/templates/back/signalement/view/visites/visites-buttons.html.twig b/templates/back/signalement/view/visites/visites-buttons.html.twig
@@ -1,8 +1,8 @@
 
 {% if signalement.interventions is not empty %}
     <div class="signalement-visites-buttons fr-text--right fr-btns-group fr-btns-group--sm fr-btns-group--inline fr-btns-group--right fr-btns-group--icon-left">
-        {% if intervention.status is same as constant('App\\Entity\\Intervention::STATUS_PLANNED') %}    
-            {% if is_granted('SIGN_ADD_VISITE', intervention.signalement) %}
+        {% if intervention.status is same as constant('App\\Entity\\Intervention::STATUS_PLANNED') %}
+            {% if is_granted('SIGN_EDIT_VISITE', intervention) %}
                 {% if workflow_can(intervention, 'cancel') %}
                     <button class="fr-btn fr-btn--danger fr-fi-close-line" aria-controls="cancel-visite-modal-{{intervention.id}}" data-fr-opened="false">
                         Annuler la visite
@@ -19,20 +19,20 @@
             {% endif %}
         {% elseif intervention.status is same as constant('App\\Entity\\Intervention::STATUS_DONE') %}
             {% if signalement.interventions is empty or intervention.files is empty or intervention.getRapportDeVisite is empty %}
-                {% if is_granted('SIGN_ADD_VISITE', intervention.signalement) %}
-                    <button 
+                {% if is_granted('SIGN_EDIT_VISITE', intervention) %}
+                    <button
                         class="fr-btn fr-btn--secondary fr-fi-file-fill"
-                        aria-controls="edit-visite-modal-{{intervention.id}}"  
+                        aria-controls="edit-visite-modal-{{intervention.id}}"
                         data-fr-opened="false"
                         >
                         Ajouter un rapport de visite
                     </button>
                 {% endif %}
             {% else %}
-                {% if is_granted('SIGN_ADD_VISITE', intervention.signalement) %}
-                    <button 
-                        class="fr-btn fr-btn--secondary fr-fi-edit-line" 
-                        aria-controls="edit-visite-modal-{{intervention.id}}" 
+                {% if is_granted('SIGN_EDIT_VISITE', intervention) %}
+                    <button
+                        class="fr-btn fr-btn--secondary fr-fi-edit-line"
+                        aria-controls="edit-visite-modal-{{intervention.id}}"
                         data-fr-opened="false">
                         Editer le rapport
                     </button>
@@ -45,10 +45,10 @@
                     <span aria-hidden="true" class="fr-fi-file-line fr-icon--sm"></span> Voir le rapport de visite
                 </a>
             {% endif %}
-            {% if is_granted('SIGN_ADD_VISITE', intervention.signalement)%}
-                <button 
-                    class="fr-btn fr-btn--secondary fr-icon-camera-fill open-modal-upload-files-btn" 
-                    data-fr-opened="false" 
+            {% if is_granted('SIGN_EDIT_VISITE', intervention) %}
+                <button
+                    class="fr-btn fr-btn--secondary fr-icon-camera-fill open-modal-upload-files-btn"
+                    data-fr-opened="false"
                     aria-controls="visites-upload-files-{{intervention.id}}"
                     data-file-type="photo"
                     data-document-type="PHOTO_VISITE"

diff --git a/templates/back/signalement/view/visites/visites-list.html.twig b/templates/back/signalement/view/visites/visites-list.html.twig
@@ -30,9 +30,6 @@
 </div>
 
 {% if signalement.interventions is empty %}
-    {% if is_granted('SIGN_ADD_VISITE', signalement) %}
-        {% include 'back/signalement/view/visites/visites-buttons.html.twig' %}
-    {% endif %}
     {% include 'back/signalement/view/visites/visite-item.html.twig' %}
 {% else %}
     {% for intervention in signalement.interventions | filter(intervention => intervention.type != enum('App\\Entity\\Enum\\InterventionType').ARRETE_PREFECTORAL) %}