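em->getRepository(Employee::class)->find(Uuid::fromString($id));
        // NOTE(review): Uuid::fromString() throws on a malformed id before the
        // 404 below is reached — confirm the caller validates the route param,
        // otherwise a garbage id surfaces as a 500 rather than a 4xx.
        if (!$target instanceof Employee) {
            throw new NotFoundHttpException('Mitarbeiter nicht gefunden.');
        }
        if (!$target->hasLogin()) {
            throw new BadRequestHttpException('Dieser Mitarbeiter hat kein Login.');
        }

        // Tenant boundary first (company / reseller / platform admin).
        $this->assertInScope($target);

        // Downward only: the target's role level must be strictly below the actor's.
        if ($this->roles->levelOfRoles($target->getRoles()) >= $this->roles->actorLevel()) {
            throw new AccessDeniedHttpException('Nur als niedrigere Ebene möglich.');
        }

        // The issued token records who is impersonating ('imp' claim) so the
        // action stays attributable. NOTE(review): a non-Employee actor yields an
        // empty identifier here, which weakens that audit trail — confirm whether
        // such actors can reach this endpoint at all.
        $actor = $this->security->getUser();
        $impersonator = $actor instanceof Employee ? $actor->getUserIdentifier() : '';
        $token = $this->jwt->createFromPayload($target, ['imp' => $impersonator]);

        return new JsonResponse([
            'token' => $token,
            'actingAs' => [
                'name' => trim($target->getFirstName().' '.$target->getLastName()),
                'email' => $target->getLoginEmail(),
            ],
        ]);
    }

    /**
     * Ensures the impersonation target lies inside the acting tenant's scope.
     *
     * Resolution order:
     *   1. Platform admins may act on any employee.
     *   2. A company-scoped tenant may only act on employees of that company.
     *   3. A reseller-scoped tenant may only act on employees whose company
     *      belongs to that reseller (a company without a reseller is denied).
     *   4. Any other tenant context is denied.
     *
     * Step 4 is the fix: previously a tenant with neither a company nor a
     * reseller (and no platform-admin flag) fell through without throwing and
     * could impersonate any employee. Authorization checks fail closed.
     *
     * @throws AccessDeniedHttpException when the target is outside the tenant's scope
     */
    private function assertInScope(Employee $target): void
    {
        if ($this->tenant->isPlatformAdmin()) {
            return;
        }

        $company = $this->tenant->getCompany();
        if (null !== $company) {
            if (!$target->getCompany()->getId()->equals($company->getId())) {
                throw new AccessDeniedHttpException('Außerhalb der eigenen Firma.');
            }

            return;
        }

        $reseller = $this->tenant->getReseller();
        if (null !== $reseller) {
            // Nullsafe chain: a target company with no reseller yields null,
            // which is `!== true` and therefore denied.
            $targetReseller = $target->getCompany()->getReseller();
            if ($targetReseller?->getId()->equals($reseller->getId()) !== true) {
                throw new AccessDeniedHttpException('Außerhalb des eigenen Resellers.');
            }

            return;
        }

        // Deny by default: no recognised scope means no impersonation.
        throw new AccessDeniedHttpException('Kein gültiger Mandantenkontext.');
    }
}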