src/App/EventSubscriber/Framework/ControllerEventSubscriber.php line 102

Open in your IDE?
  1. <?php
  3. namespace App\EventSubscriber\Framework;
  5. use App\Controller\DoAdditionalUserChecksControllerInterface;
  6. use App\Entity\DirectLoginAuthKey;
  7. use App\Entity\NextStepInfoForAfterSubscription;
  8. use App\Entity\User;
  9. use App\Service\DirectLoginAuthService;
  10. use App\Service\FeatureFlagService;
  11. use App\Service\FeatureLimitationsService;
  12. use App\Service\FrontendSpaService;
  13. use App\Service\JobseekerProfileService;
  14. use App\Service\Membership\MembershipService;
  15. use App\Service\RouterHelperService;
  16. use App\Service\SessionService;
  17. use Doctrine\ORM\EntityManagerInterface;
  18. use Exception;
  19. use JanusHercules\JoboffererRegistration\Domain\Service\FlowLogicService;
  20. use JanusHercules\JoboffererRegistration\Presentation\Interface\DoFlowCheckControllerInterface;
  21. use Psr\Log\LoggerInterface;
  22. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  23. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  24. use Symfony\Component\HttpFoundation\RedirectResponse;
  25. use Symfony\Component\HttpFoundation\Request;
  26. use Symfony\Component\HttpFoundation\RequestStack;
  27. use Symfony\Component\HttpFoundation\Response;
  28. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  29. use Symfony\Component\HttpKernel\KernelEvents;
  30. use Symfony\Component\Routing\RouterInterface;
  31. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  32. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  33. use Symfony\Component\Validator\Validator\ValidatorInterface;
  34. use Symfony\Contracts\Translation\TranslatorInterface;
  36. class ControllerEventSubscriber implements EventSubscriberInterface
  37. {
  38. protected $routerHelperService;
  39. protected $router;
  40. protected $requestStack;
  41. protected $tokenStorage;
  42. protected $validator;
  43. protected $translator;
  44. protected $entityManager;
  45. protected $membershipService;
  46. protected $featureLimitationsService;
  47. protected $logger;
  48. protected $sessionService;
  49. protected $featureFlagService;
  50. protected $directLoginAuthService;
  51. protected $flowLogicService;
  52. protected $jobseekerProfileService;
  54. private FrontendSpaService $frontendSpaService;
  56. public function __construct(
  57. RouterHelperService $routerHelperService,
  58. RouterInterface $router,
  59. RequestStack $requestStack,
  60. TokenStorageInterface $tokenStorage,
  61. ValidatorInterface $validator,
  62. TranslatorInterface $translator,
  63. EntityManagerInterface $entityManager,
  64. MembershipService $membershipService,
  65. FeatureLimitationsService $featureLimitationsService,
  66. LoggerInterface $logger,
  67. SessionService $sessionService,
  68. FeatureFlagService $featureFlagService,
  69. DirectLoginAuthService $directLoginAuthService,
  70. FrontendSpaService $frontendSpaService,
  71. FlowLogicService $flowLogicService,
  72. JobseekerProfileService $jobseekerProfileService
  73. ) {
  74. $this->routerHelperService = $routerHelperService;
  75. $this->router = $router;
  76. $this->requestStack = $requestStack;
  77. $this->tokenStorage = $tokenStorage;
  78. $this->validator = $validator;
  79. $this->translator = $translator;
  80. $this->entityManager = $entityManager;
  81. $this->membershipService = $membershipService;
  82. $this->featureLimitationsService = $featureLimitationsService;
  83. $this->logger = $logger;
  84. $this->sessionService = $sessionService;
  85. $this->featureFlagService = $featureFlagService;
  86. $this->directLoginAuthService = $directLoginAuthService;
  87. $this->frontendSpaService = $frontendSpaService;
  88. $this->flowLogicService = $flowLogicService;
  89. $this->jobseekerProfileService = $jobseekerProfileService;
  90. }
  92. public static function getSubscribedEvents(): array
  93. {
  94. return [
  95. KernelEvents::CONTROLLER => 'onKernelController'
  96. ];
  97. }
  99. /**
  100. * @throws Exception
  101. */
  102. public function onKernelController(ControllerEvent $event)
  103. {
  104. $controller = $event->getController();
  106. /*
  107. * $controller passed can be either a class or a Closure.
  108. * This is not usual in Symfony but it may happen.
  109. * If it is a class, it comes in array format
  110. */
  111. if (!is_array($controller)) {
  112. return;
  113. }
  115. /** @var AbstractController $theController */
  116. $theController = $controller[0];
  117. /** @var Request $theRequest */
  118. $theRequest = $event->getRequest();
  120. // Special rule. See https://trello.com/c/fXTtOM2c/1071-umsetzung-subdom%C3%A4ne-020-epos-gmbh-auf-recruit-sperren
  121. if (str_starts_with($theRequest->getHttpHost(), '020-epos-gmbh.')) {
  122. $response = new Response(
  123. 'This subdomain does not exist.', Response::HTTP_NOT_FOUND
  124. );
  125. $event->setController(function () use ($response) {
  126. return $response;
  127. });
  129. return;
  130. }
  132. $matchedRoute = [];
  133. $routeCanBeMatched = false;
  134. try { // Matching the route won't work for POST request, so ignore these
  135. $matchedRoute = $this->router->match(strtok($theRequest->getRequestUri(), '?'))['_route'];
  136. $routeCanBeMatched = true;
  137. // $this->logger->debug('ControllerEventSubscriber matched route: ' . $matchedRoute . ' for URI ' . $theRequest->getRequestUri());
  138. } catch (Exception $e) {
  139. $routeCanBeMatched = false;
  140. }
  141. /*
  142. * These are the routes we never want to protect
  143. */
  144. if ($routeCanBeMatched && in_array(
  145. $matchedRoute,
  146. [
  147. 'account.conversations.unread_messages_count.api',
  148. 'activitytracking.update_last_seen',
  149. 'cookiepreferences.accept_all',
  150. 'cookiepreferences.accept_core',
  151. 'frontend_spa.index'
  152. ]
  153. )
  154. ) {
  155. return;
  156. }
  158. $token = $this->tokenStorage->getToken();
  160. /** @var User $user */
  161. $user = null;
  162. if (!is_null($token)) {
  163. $user = $token->getUser();
  164. }
  166. $directLoginAuthKeyId = $theRequest->get(DirectLoginAuthService::KEY_ID_QUERY_PARAMETER_NAME);
  167. if (!is_null($directLoginAuthKeyId)) {
  168. try {
  169. if (!is_null($directLoginAuthKey = $this->entityManager->getRepository(DirectLoginAuthKey::class)->find($directLoginAuthKeyId))) {
  170. $userToLogIn = $user = $this->directLoginAuthService->verifyAndGetDirectLoginAuthUser($directLoginAuthKey);
  171. $sessionToken = new UsernamePasswordToken($userToLogIn, null, 'main', $userToLogIn->getRoles());
  172. $this->tokenStorage->setToken($sessionToken);
  174. // We need to ensure that end users never see URIs which include the directLoginAuthKeyId parameter value;
  175. // they could forward it to another party ("hey, look at the job I've found on Joboo!"), giving that
  176. // party unintended access to their user account.
  177. $response = new RedirectResponse(
  178. $this->routerHelperService->removeQueryStringParamsInRequest($theRequest, [DirectLoginAuthService::KEY_ID_QUERY_PARAMETER_NAME])
  179. );
  180. $event->setController(function () use ($response) {
  181. return $response;
  182. });
  184. return;
  185. }
  186. } catch (Exception $e) {
  187. $this->logger->warning("Tried to do a direct login based on auth key id '{$directLoginAuthKey}', but it failed with an exception: '{$e->getMessage()}'.");
  188. }
  189. }
  191. if (is_object($user) && $user instanceof User) {
  192. if (
  193. $user->hasSystemGeneratedPassword()
  194. && !$user->isLocked()
  195. && $user->hasAtLeastBasePlusProfile()
  196. && $routeCanBeMatched && !in_array(
  197. $matchedRoute,
  198. [
  199. 'account.profiles.editor.jobseeker',
  200. 'account.profiles.editor.jobofferer',
  201. 'account.setownpassword.form',
  202. 'account.recurrent_jobs.new',
  203. 'account.recurrent_jobs.editor',
  204. 'account.recurrent_jobs.editor_plus',
  205. 'account.recurrent_jobs.deactivation',
  206. 'account.wanted_jobs.new',
  207. 'account.wanted_jobs.editor',
  208. 'account.wanted_jobs.deactivation',
  209. 'account.subscription.payment_problem',
  210. 'account.subscription.manage',
  211. 'account.subscription.jobofferer.index',
  212. 'account.subscription.upgrade',
  213. 'account.subscription.jobofferer.choose_and_pay_form',
  214. 'account.subscription.choose_and_pay_error_grabber',
  215. 'account.subscription.success'
  216. ]
  217. )
  218. ) {
  219. $this->requestStack->getSession()->set('showSetOwnPasswordNotice', true);
  220. } else {
  221. $this->requestStack->getSession()->set('showSetOwnPasswordNotice', false);
  222. }
  223. }
  224. if ($theController instanceof DoFlowCheckControllerInterface) {
  225. if (is_object($user) && $user instanceof User) {
  226. if ($user->isLocked()) {
  227. $url = $this->routerHelperService->generate('errors.own_user_locked');
  228. $response = new RedirectResponse($url);
  229. $event->setController(function () use ($response) {
  230. return $response;
  231. });
  233. return;
  234. }
  235. if ($user->isJobofferer() && $user->hasJoboffererProfile()) {
  236. $joboffererProfile = $user->getDefaultJoboffererProfile();
  237. $redirectDataArray = $this->flowLogicService->getRedirectDataArray(
  238. $user,
  239. $joboffererProfile,
  240. $routeCanBeMatched,
  241. $matchedRoute
  242. );
  244. if ($redirectDataArray['url'] !== null) {
  245. if ($redirectDataArray['message'] !== null) {
  246. $this->requestStack->getSession()->getFlashBag()->add(
  247. 'warning',
  248. $this->translator->trans($redirectDataArray['message'])
  249. );
  250. }
  251. $url = $this->routerHelperService->generate($redirectDataArray['url'], $redirectDataArray['urlParameters']);
  252. $response = new RedirectResponse($url);
  253. $event->setController(function () use ($response) {
  254. return $response;
  255. });
  256. }
  258. return;
  259. }
  260. }
  261. }
  263. if ($theController instanceof DoAdditionalUserChecksControllerInterface) {
  264. if (is_object($user) && $user instanceof User) {
  265. if ($user->isLocked()) {
  266. $url = $this->routerHelperService->generate('errors.own_user_locked');
  267. $response = new RedirectResponse($url);
  268. $event->setController(function () use ($response) {
  269. return $response;
  270. });
  272. return;
  273. }
  275. // Crawler Managers that are not also admins must not reach any pages outside the Crawler Manager context
  276. if (!$this->featureLimitationsService->userCanUseWebsiteOutsideOfExternalJobPostingCrawlerManager($user)
  277. && $routeCanBeMatched && !in_array(
  278. $matchedRoute,
  279. [
  280. 'fos_user_security_logout',
  281. 'recurrent_jobs.share',
  282. 'recurrent_jobs.view_or_forward',
  283. 'recurrent_jobs.forward_to_external_job_post',
  284. 'recurrent_jobs.remove_trailing_slash',
  285. 'frontend_spa.index',
  286. 'frontend_spa.index_dev',
  287. 'frontend_spa.backend_css',
  288. 'frontend_spa_api.v1.external-job-posting-crawler-management.get-available-crawling-options',
  289. 'frontend_spa_api.v1.external-job-posting-crawler-management.create-and-submit-content-parser-task',
  290. 'frontend_spa_api.v1.external-job-posting-crawler-management.get-latest-content-parser-task',
  291. 'frontend_spa_api.v1.external-job-posting-crawler-management.get-content-parser-task'
  292. ]
  293. )
  294. ) {
  295. $url = "{$this->frontendSpaService->getSpaUrl(FrontendSpaService::ROUTE_EXTERNAL_JOB_POSTING_CRAWLER_MANAGEMENT_CONTENT_PARSER_TASK_MANAGER)}";
  297. $response = new RedirectResponse($url);
  298. $event->setController(function () use ($response) {
  299. return $response;
  300. });
  302. return;
  303. }
  305. if ($user->isJobseeker() && !$user->hasJobseekerProfile()) {
  306. $profile = $this->jobseekerProfileService->getOrCreateAndGetDefaultProfile($user);
  307. $profile->setMobilenumberPublic(true);
  308. }
  309. if ($user->isJobseeker() && $user->hasJobseekerProfile()) {
  310. // In order to allow the jobseeker to open his subscription page we also need to allow the
  311. // jobofferer subscription route, because that is where the navigation always points at.
  312. if ($routeCanBeMatched && in_array(
  313. $matchedRoute,
  314. [
  315. 'account.subscription.jobofferer.index',
  316. 'account.subscription.jobseeker.index'
  317. ]
  318. )
  319. ) {
  320. return;
  321. }
  322. $jobseekerProfile = $user->getDefaultJobseekerProfile();
  323. if ($jobseekerProfile->needsToBeCompletedToBasic()) {
  324. $url = $this->routerHelperService->generate('account.profiles.editor.jobseeker', ['id' => $jobseekerProfile->getId()]);
  326. $this->requestStack->getSession()->getFlashBag()->add(
  327. 'warning',
  328. $this->translator->trans('profiles.not_available_without_valid_default_profile')
  329. );
  331. $response = new RedirectResponse($url);
  332. $event->setController(function () use ($response) {
  333. return $response;
  334. });
  336. return;
  337. }
  338. }
  340. // Admittingly, this case should be near-impossible, because we send all users trough the profile index
  341. // action where an empty profile is created, but who knows.
  342. if (($user->isJobseeker() && !$user->hasJobseekerProfile())
  343. || ($user->isJobofferer() && !$user->hasJoboffererProfile())
  344. ) {
  345. $url = $this->routerHelperService->generate('account.index');
  347. $this->requestStack->getSession()->getFlashBag()->add(
  348. 'warning',
  349. $this->translator->trans('profiles.not_available_without_valid_default_profile')
  350. );
  352. $response = new RedirectResponse($url);
  353. $event->setController(function () use ($response) {
  354. return $response;
  355. });
  357. return;
  358. }
  360. // The jobofferer is subscribed, but there is a problem with their payment.
  361. // We check this before the general subscription check below, so that
  362. // users see the payment problem page even if their subscription is no longer
  363. // active by now
  364. if (
  365. $user->isJobofferer()
  366. && $this->membershipService->userHasPaymentProblem($user)
  367. && $routeCanBeMatched && !in_array(
  368. $matchedRoute,
  369. [
  370. 'account.recurrent_jobs.index_router',
  371. 'account.recurrent_jobs.index',
  372. 'account.recurrent_jobs.deactivation',
  373. 'account.recurrent_jobs.deactivation.api',
  374. 'account.subscription.payment_problem',
  375. 'account.subscription.manage',
  376. 'contact',
  377. 'homepage',
  378. 'content'
  379. ]
  380. )
  381. ) {
  382. $url = $this->routerHelperService->generate('account.subscription.payment_problem');
  383. $response = new RedirectResponse($url);
  384. $event->setController(function () use ($response) {
  385. return $response;
  386. });
  388. return;
  389. }
  391. // Force non-paying jobofferers or jobofferers not linked to an external partner into subscription if
  392. // they want to use any pages except recurrent job creation or subscription pages or non-business-relevant pages
  393. if (
  394. $user->isJobofferer()
  395. && !$this->featureLimitationsService->userHasAccessToNonfreeJoboffererFeatures($user)
  396. && !$this->membershipService->userHasPaymentProblem($user)
  397. && $routeCanBeMatched && !in_array(
  398. $matchedRoute,
  399. [
  400. 'account.recurrent_jobs.index_router',
  401. 'account.recurrent_jobs.index',
  402. 'account.recurrent_jobs.new_router',
  403. 'account.recurrent_jobs.new',
  404. 'account.recurrent_jobs.editor',
  405. 'account.recurrent_jobs.editor_plus',
  406. 'account.recurrent_jobs.deactivation',
  407. 'account.recurrent_jobs.publish',
  408. 'account.recurrent_jobs.duplication',
  409. 'account.recurrent_jobs.delete.api',
  410. 'account.recurrent_jobs.reactivation',
  411. 'account.recurrent_jobs.reactivation.api',
  412. 'account.recurrent_jobs.deactivation.api',
  413. 'account.recurrent_jobs.deactivation.admin.api',
  414. 'account.recurrent_jobs.self_categorization_for_afa',
  415. 'account.recurrent_jobs.redirect_to_choose_and_pay',
  416. 'account.subscription.jobofferer.index',
  417. 'account.subscription.upgrade',
  418. 'account.subscription.calculate_upgrade_costs.api',
  419. 'account.subscription.jobofferer.choose_and_pay_form',
  420. 'account.subscription.jobofferer.choose_and_pay_form_trial_february_2023',
  421. 'account.subscription.resubscribe',
  422. 'account.subscription.choose_and_pay_error_grabber',
  423. 'account.subscription.unable_to_subscribe',
  424. 'account.subscription.choose_and_pay.initiate_conversion_tracking',
  425. 'account.subscription.choose_and_pay.handle_conversion_tracking',
  426. 'wanted_jobs_search.form',
  427. 'wanted_jobs_search.results',
  428. 'wanted_jobs_search.results.for_specific_recurrent_job',
  429. 'wanted_jobs_search.profile_selection_for_multiple_message.add.api',
  430. 'wanted_jobs_search.profile_selection_for_multiple_message.get.api',
  431. 'wanted_jobs_search.profile_selection_for_multiple_message.delete.api',
  432. 'account.favorites.jobofferer.add_jobseeker.api',
  433. 'account.favorites.jobofferer.remove_jobseeker.api',
  434. 'account.wanted_jobs.new',
  435. 'account.wanted_jobs.new_router',
  436. 'account.wanted_jobs.editor',
  437. 'account.wanted_jobs.index',
  438. 'account.wanted_jobs.index_router',
  439. 'account.wanted_jobs.deactivation',
  440. 'account.wanted_jobs.reactivation',
  441. 'account.wanted_jobs.duplication',
  442. 'account.wanted_jobs.publish',
  443. 'account.wanted_jobs.delete.api',
  444. 'account.conversations.index_router',
  445. 'account.conversations.show_router',
  446. 'account.conversations.new_message_router',
  447. 'account.conversations.return_from_new_review',
  448. 'account.conversations.index_jobofferer',
  449. 'account.conversations.remove_jobofferer.api',
  450. 'account.conversations.jobofferer.remove_message.api',
  451. 'wanted_jobs.share',
  452. 'contact',
  453. 'homepage',
  454. 'content',
  455. 'janus_hercules.membership.presentation.resume_membership.api',
  456. 'janus_hercules.membership.presentation.cancel_membership_questionnaire.api',
  457. 'janus_hercules.membership.presentation.cancel_membership.api'
  458. ]
  459. )
  460. ) {
  461. if ($this->featureFlagService->isFeatureEnabledForUser(FeatureFlagService::FEATURE_REDIRECT_ON_SUBSCRIPTION_SUCCESS, $user)) {
  462. if (in_array(
  463. $matchedRoute,
  464. [
  465. 'account.conversations.show_jobofferer',
  466. 'account.conversations.multiple_jobofferer_form',
  467. 'wanted_jobs.share'
  468. ])
  469. ) {
  470. $targetUrl = $theRequest->get('after_subscription_target_url');
  471. $targetUrlChecksum = $theRequest->get('after_subscription_target_url_checksum');
  472. if (!is_null($targetUrl) && !is_null($targetUrlChecksum)) {
  473. try {
  474. $nextStepInfoForAfterSubscription = new NextStepInfoForAfterSubscription($targetUrl, $targetUrlChecksum, $theRequest->request->all(), null);
  475. $this->sessionService->setNextStepInfoForAfterSubscription($this->requestStack->getSession(), $nextStepInfoForAfterSubscription);
  476. } catch (Exception $e) {
  477. $this->logger->warning('Wanted to define a NextStepInfoForAfterSubscription, but got ' . $e->getMessage());
  478. }
  479. }
  480. }
  481. }
  483. $url = $this->routerHelperService->generate('account.subscription.jobofferer.choose_and_pay_form');
  485. if ($this->membershipService->userHasPausedJoboffererMembership($user)) {
  486. if ($matchedRoute == 'account.subscription.manage') {
  487. return;
  488. }
  489. $url = $this->routerHelperService->generate('account.subscription.jobofferer.index', [
  490. 'showPauseNotice' => '1',
  491. ]);
  492. }
  494. if ($matchedRoute == 'account.recurrent_jobs.reactivation') {
  495. $this->requestStack->getSession()->getFlashBag()->add(
  496. 'warning',
  497. $this->translator->trans('recurrent_jobs.index_page.activation_warning_message')
  498. );
  499. }
  501. $response = new RedirectResponse($url);
  502. $event->setController(function () use ($response) {
  503. return $response;
  504. });
  506. return;
  507. }
  509. // Allow Navigators to only access certain pages
  510. if ($user->isJobofferer()
  511. && !$user->hasAtLeastOneAdminRole()
  512. && $this->featureFlagService->isFeatureEnabledForUser(FeatureFlagService::FEATURE_NAVIGATE_WANTED_JOBS, $user)
  513. && $routeCanBeMatched && !in_array(
  514. $matchedRoute,
  515. [
  516. 'account.subscription.unable_to_subscribe',
  517. 'wanted_jobs.share',
  518. 'recurrent_jobs.share',
  519. 'navigator.recurrent_jobs',
  520. 'contact',
  521. 'homepage',
  522. 'content'
  523. ]
  524. )
  525. ) {
  526. $url = $this->routerHelperService->generate('account.subscription.unable_to_subscribe');
  528. $response = new RedirectResponse($url);
  529. $event->setController(function () use ($response) {
  530. return $response;
  531. });
  533. return;
  534. }
  535. }
  536. }
  537. }
  538. }