<?phpnamespace App\ApiPlatform\Voter;use App\Entity\User;use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;use Symfony\Component\Security\Core\Authorization\Voter\Voter;use Symfony\Component\Security\Core\Security;class UserVoter extends Voter{ public const EDIT = 'EDIT'; public const VIEW = 'VIEW'; public const DELETE = 'DELETE'; public function __construct(private readonly Security $security) { } protected function supports(string $attribute, $subject): bool { if (!$subject instanceof User) { return false; } return in_array($attribute, [self::EDIT, self::VIEW, self::DELETE]); } protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool { $currentUser = $token->getUser(); if (!$currentUser instanceof User) { return false; } // If user is a master admin, allow all operations if ($currentUser->isMasterAdmin()) { return true; } // Users can only edit/view their own data $user = $subject; switch ($attribute) { case self::EDIT: return $currentUser->getId() === $user->getId(); case self::VIEW: return $currentUser->getId() === $user->getId(); case self::DELETE: return false; // Regular users can't delete accounts } return false; }}