ApiAuthorizer.php

<?php


namespace Source\Authorization;

use ReflectionClass;
use Source\Gateways\Users\UsersRepository;
use Source\Gateways\Groups\GroupsRepository;
use Source\Exceptions\AuthorizationException;
use Source\Exceptions\EntityNotFoundException;
use Source\Gateways\GroupUser\GroupUserRepository;

class ApiAuthorizer implements Authorizer
{
    /**
     * @var \Source\Gateways\GroupUser\GroupUserRepository
     */
    protected GroupUserRepository $groupUserRepository;

    /**
     * @var \Source\Gateways\Groups\GroupsRepository
     */
    protected GroupsRepository $groups;

    /**
     * @var \Source\Gateways\Users\UsersRepository
     */
    protected UsersRepository $users;

    /**
     * @var string|null
     */
    protected ?string $currentUserId;

    /**
     * @var string[]
     */
    protected array $userGroups;

    public function __construct(
        ?string $currentUserId,
        UsersRepository $users,
        GroupsRepository $groups,
        GroupUserRepository $groupUserRepository
    ) {
        $this->users = $users;
        $this->groups = $groups;
        $this->currentUserId = $currentUserId;
        $this->groupUserRepository = $groupUserRepository;
    }

    /**
     * @param string|null $id
     */
    public function setCurrentUserId(?string $id): void
    {
        if ($this->currentUserId !== $id) {
            $this->userGroups = [];
            $this->currentUserId = $id;
        }
    }

    /**
     * @inheritDoc
     */
    public function getPermissions(): array
    {
        $reflection = new ReflectionClass(Permissions::class);

        return array_values(array_filter($reflection->getConstants(), function (string $permission) {
            return $this->allows($permission);
        }));
    }

    /**
     * @inheritDoc
     */
    public function protectAll(array $permissions): void
    {
        if (!$this->allowsAll($permissions)) {
            throw new AuthorizationException();
        }
    }

    /**
     * @inheritDoc
     */
    public function allowsAll(array $permissions): bool
    {
        $groups = $this->getGroupsForCurrentUser();

        if (in_array(Permissions::ADMIN, $groups, true)) {
            return true;
        }

        foreach ($permissions as $permission) {
            if (!in_array($permission, $groups, true)) {
                return false;
            }
        }

        return true;
    }

    /**
     * @return string[]
     * @throws \Source\Exceptions\EntityNotFoundException
     */
    protected function getGroupsForCurrentUser(): array
    {
        if (!$this->currentUserId) {
            return [];
        }

        return $this->getGroupsForUser($this->currentUserId);
    }

    /**
     * @param string $userId
     * @return string[]
     * @throws \Source\Exceptions\EntityNotFoundException
     */
    protected function getGroupsForUser(string $userId): array
    {
        if (!$this->userGroups) {
            $this->userGroups = static::groupNames($this->groupUserRepository->getGroupsForUser($userId));
        }

        return $this->userGroups;
    }

    /**
     * @param \Source\Entities\Group[] $groups
     * @return string[]
     */
    protected static function groupNames(array $groups): array
    {
        $groupNames = [];

        foreach ($groups as $group) {
            $groupNames[] = $group->getTitle();
        }

        return $groupNames;
    }

    /**
     * @inheritDoc
     */
    public function protectOne(array $permissions): void
    {
        if (!$this->allowsOne($permissions)) {
            throw new AuthorizationException();
        }
    }

    /**
     * @inheritDoc
     */
    public function allowsOne(array $permissions): bool
    {
        $groups = $this->getGroupsForCurrentUser();

        if (in_array(Permissions::ADMIN, $groups, true)) {
            return true;
        }

        foreach ($groups as $group) {
            if (in_array($group, $permissions, true)) {
                return true;
            }
        }

        return false;
    }

    /**
     * @inheritDoc
     */
    public function protect(string $permission): void
    {
        $this->protectAll([$permission]);
    }

    /**
     * @inheritDoc
     */
    public function allows(string $permission): bool
    {
        return $this->allowsAll([$permission]);
    }

    /**
     * @inheritDoc
     */
    public function protectAdminRights(string $userId, ?string $groupId = null): void
    {
        $user = $this->users->get($userId);

        if (!$user) {
            throw new EntityNotFoundException('User not found.');
        }

        $groups = $this->getGroupsForUser($userId);

        // Only admins have access to other admins
        if (in_array(Permissions::ADMIN, $groups, true)) {
            $this->protect(Permissions::ADMIN);
        }

        if ($groupId) {
            $group = $this->groups->get($groupId);
            if (!$group) {
                throw new EntityNotFoundException('Group not found.');
            }
            // Only admins can create or remove other admins
            if ($group->hasTitleOf(Permissions::ADMIN)) {
                $this->protect(Permissions::ADMIN);
            }
        }

        if ($user->hasFirstNameOf('admin')) {
            throw new AuthorizationException('You cannot modify the admin user.');
        }
    }
}