/** * @param string $attribute * @param UserInterface $requestedUser * @param UserInterface|null $user * @return bool */ protected function isGranted($attribute, $requestedUser, $user = null) { // make sure there is a user object (i.e. that the user is logged in) if (!$user instanceof UserInterface) { return false; } switch ($attribute) { // at least one of these must be true. // 1. the requested user is the current user // 2. the current user has faculty/course director/developer role // and has the same primary school affiliation as the given user // 3. the current user has faculty/course director/developer role // and has READ rights to one of the users affiliated schools. case self::VIEW: return $user->getId() === $requestedUser->getId() || $this->userHasRole($user, ['Course Director', 'Faculty', 'Developer']) && ($requestedUser->getAllSchools()->contains($user->getSchool()) || $this->permissionManager->userHasReadPermissionToSchools($user, $requestedUser->getAllSchools())); break; // at least one of these must be true. // 1. the current user has developer role // and has the same primary school affiliation as the given user // 2. the current user has developer role // and has WRITE rights to one of the users affiliated schools. // at least one of these must be true. // 1. the current user has developer role // and has the same primary school affiliation as the given user // 2. the current user has developer role // and has WRITE rights to one of the users affiliated schools. case self::CREATE: case self::EDIT: case self::DELETE: return $this->userHasRole($user, ['Developer']) && ($requestedUser->getAllSchools()->contains($user->getSchool()) || $this->permissionManager->userHasReadPermissionToSchools($user, $requestedUser->getAllSchools())); break; } return false; }