From 26d47094cab7c9d78168ea29874aeda5dab01eec Mon Sep 17 00:00:00 2001
From: Dimitri Gritsajuk
Date: Fri, 26 Apr 2024 13:32:29 +0200
Subject: [PATCH] [Admin] exit from impersonnification when access to admin pages
---
 config/packages/security.yaml | 2 ++
 src/Security/AccessDeniedHandler.php | 46 ++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 src/Security/AccessDeniedHandler.php
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 73aed52b321..8078cc2c979 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -581,6 +581,7 @@ security:
 pattern: ^/admin
 provider: admins_db
 switch_user: true
+ access_denied_handler: App\Security\AccessDeniedHandler
 form_login:
 login_path: app_admin_login
 check_path: app_admin_login_check
@@ -627,6 +628,7 @@ security:
 - App\Security\LoginFormGuardAuthenticator
 - lexik_jwt_authentication.jwt_token_authenticator
 entry_point: App\Security\LoginFormGuardAuthenticator
+ access_denied_handler: App\Security\AccessDeniedHandler
 login_link:
 check_route: app_user_connect_with_magic_link
 check_post_only: true
diff --git a/src/Security/AccessDeniedHandler.php b/src/Security/AccessDeniedHandler.php
new file mode 100644
index 00000000000..e0f00ef038e
--- /dev/null
+++ b/src/Security/AccessDeniedHandler.php
@@ -0,0 +1,46 @@
+isXmlHttpRequest() || \in_array('application/json', $request->getAcceptableContentTypes())) {
+ return null;
+ }
+
+ $user = $this->security->getUser();
+
+ if ($user instanceof Administrator && !str_starts_with($request->getPathInfo(), '/admin/')) {
+ return new RedirectResponse($this->urlGenerator->generate('admin_app_adherent_list'));
+ }
+
+ if ($this->security->isGranted('ROLE_PREVIOUS_ADMIN')) {
+ try {
+ return new RedirectResponse(
+ $this->urlGenerator->generate($request->attributes->get('_route'), ['_switch_user' => '_exit'])
+ );
+ } catch (MissingMandatoryParametersException $exception) {
+ }
+ }
+
+ return null;
+ }
+}
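Review bot: Both `access_denied_handler` additions (this hunk and the `@@ -627,6 +628,7 @@` one) wire the same handler, but the `_switch_user=_exit` redirect that handler issues is only acted on by a firewall whose own `switch_user` option is enabled; this hunk shows `switch_user: true` on the `^/admin` firewall, while the second firewall's `switch_user` setting lies outside its hunk. If it is not enabled there, an impersonating user who is denied on that firewall appears to be redirected to the same route with the query parameter ignored, denied again, and redirected again. Worth confirming on the second firewall, or recording the dependency next to the option: `# handler redirects with _switch_user=_exit; requires switch_user on this firewall`.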
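Review bot: The `try` around `generate()` catches only `MissingMandatoryParametersException`, so a request whose `_route` attribute is absent, or whose parameters violate a route requirement (`InvalidParameterException`), propagates out of the handler and turns the intended 403 into a 500; catching the routing component's `ExceptionInterface` and guarding a null `_route` covers these cases. The current route's own parameters are also not forwarded, which is why the mandatory-parameter case arises for every parametrized route — merging `$request->attributes->get('_route_params', [])` into the generated URL lets the exit redirect land on the page the user was on. A request that already carries `_switch_user` should return `null` instead of redirecting, otherwise a firewall that does not process the exit bounces the same denied route in a loop. If this runs on Symfony ≥ 5.1, `IS_IMPERSONATOR` is the non-deprecated replacement for `ROLE_PREVIOUS_ADMIN`, and the unused `$exception` variable can be dropped from the catch. The start of the file, including its `use` statements and the `handle()` signature, is not visible in this hunk; the rewrite below needs `use Symfony\Component\Routing\Exception\ExceptionInterface as RoutingExceptionInterface;` added there.
```php
        if ($this->security->isGranted('ROLE_PREVIOUS_ADMIN')) {
            $route = $request->attributes->get('_route');

            // No route to return to, or the exit parameter is already present and was
            // not processed by this firewall: redirecting again would only loop back here.
            if (null === $route || $request->query->has('_switch_user')) {
                return null;
            }

            try {
                return new RedirectResponse($this->urlGenerator->generate(
                    $route,
                    array_merge($request->attributes->get('_route_params', []), ['_switch_user' => '_exit'])
                ));
            } catch (RoutingExceptionInterface) {
                // Fall through to the default 403 response.
            }
        }
        // … unchanged: return null; …
```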