Implements RoleHierarchyUtil.

Resources/config/services.yml

@@ -9,7 +9,7 @@ services:
 
     glavweb_security.access_voter:
         class:  Glavweb\SecurityBundle\Security\Authorization\Voter\AccessVoter
-        arguments: ["@doctrine", "@glavweb_security.access_handler"]
+        arguments: ["@doctrine", "@glavweb_security.access_handler", "@glavweb_security.role_hierarchy_util"]
         public: false
         tags:
            - { name: security.voter }
@@ -33,3 +33,7 @@ services:
     glavweb_security.admin_security_handler_role:
         class: Glavweb\SecurityBundle\Admin\SecurityHandlerRole
         arguments: ["@security.authorization_checker", "@glavweb_security.access_handler", [ROLE_SUPER_ADMIN]]
+
+    glavweb_security.role_hierarchy_util:
+        class:  Glavweb\SecurityBundle\Util\RoleHierarchyUtil
+        arguments: ["%security.role_hierarchy.roles%"]

Security/Authorization/Voter/AccessVoter.php

@@ -16,6 +16,7 @@
 use Doctrine\ORM\EntityManager;
 use Glavweb\SecurityBundle\Mapping\Annotation\Access;
 use Glavweb\SecurityBundle\Security\AccessHandler;
+use Glavweb\SecurityBundle\Util\RoleHierarchyUtil;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -43,16 +44,23 @@ class AccessVoter implements VoterInterface
      */
     protected $accessAnnotation;
 
+    /**
+     * @var RoleHierarchyUtil
+     */
+    private $roleHierarchyUtil;
+
     /**
      * AccessVoter constructor.
-     * @param Registry $doctrine
-     * @param AccessHandler $accessHandler
-     * @internal param Reader $annotationReader
+     *
+     * @param Registry          $doctrine
+     * @param AccessHandler     $accessHandler
+     * @param RoleHierarchyUtil $roleHierarchyUtil
      */
-    public function __construct(Registry $doctrine, AccessHandler $accessHandler)
+    public function __construct(Registry $doctrine, AccessHandler $accessHandler, RoleHierarchyUtil $roleHierarchyUtil)
     {
-        $this->doctrine      = $doctrine;
-        $this->accessHandler = $accessHandler;
+        $this->doctrine          = $doctrine;
+        $this->accessHandler     = $accessHandler;
+        $this->roleHierarchyUtil = $roleHierarchyUtil;
     }
 
     /**
@@ -108,7 +116,7 @@ public function vote(TokenInterface $token, $object, array $attributes)
         if (!$user instanceof UserInterface || !method_exists($user, 'getId')) {
             return VoterInterface::ACCESS_ABSTAIN;
         }
-        $userRoles = $user->getRoles();
+        $userRoles = $this->roleHierarchyUtil->getUserRoles($user);
 
         $alias = 't';
         foreach ($attributes as $attribute) {

Util/RoleHierarchyUtil.php

@@ -0,0 +1,86 @@
+<?php
+
+/*
+ * This file is part of the Glavweb SecurityBundle package.
+ *
+ * (c) GLAVWEB <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Glavweb\SecurityBundle\Util;
+
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * Class RoleHierarchyUtil
+ * 
+ * @author Andrey Nilov <[email protected]>
+ * @package Glavweb\SecurityBundle
+ */
+class RoleHierarchyUtil
+{
+    /**
+     * @var array
+     */
+    private $roleHierarchy;
+
+    /**
+     * RoleHierarchyUtil constructor.
+     *
+     * @param array $roleHierarchy
+     */
+    public function __construct(array $roleHierarchy)
+    {
+        $this->roleHierarchy = $roleHierarchy;
+    }
+
+    /**
+     * @param UserInterface $user
+     * @return mixed
+     */
+    public function getUserRoles(UserInterface $user)
+    {
+        $userRoles = $user->getRoles();
+
+        $roles = [];
+        foreach ($userRoles as $role) {
+            $roles[] = $role;
+
+            if (isset($this->roleHierarchy[$role])) {
+                $roles = array_unique(array_merge(
+                    $roles,
+                    $this->getRoleByHierarchy($role)
+                ));
+            }
+        }
+
+        return $roles;
+    }
+
+    /**
+     * @param string $targetRole
+     * @return array
+     */
+    public function getRoleByHierarchy($targetRole)
+    {
+        $roles = [];
+
+        if (isset($this->roleHierarchy[$targetRole])) {
+            foreach ($this->roleHierarchy[$targetRole] as $role) {
+                $roles[] = $role;
+
+                if (isset($this->roleHierarchy[$role])) {
+                    $roles = array_unique(array_merge(
+                        $roles,
+                        $this->getRoleByHierarchy($role)
+                    ));
+                }
+            }
+        }
+
+        return $roles;
+    }
+
+}