getRoles(); $isPlatform = \in_array(Employee::ROLE_PLATFORM_ADMIN, $roles, true); $isReseller = \in_array(Employee::ROLE_RESELLER_ADMIN, $roles, true); if ($isPlatform) { return true; } $userReseller = $user->getReseller(); $userCompany = $user->getCompany(); return match ($tenant->kind) { ResolvedTenant::KIND_PLATFORM => $isReseller, ResolvedTenant::KIND_RESELLER => null !== $userReseller && null !== $tenant->reseller && $userReseller->getId()->equals($tenant->reseller->getId()), ResolvedTenant::KIND_COMPANY => $this->canLoginCompany($userCompany, $userReseller, $isReseller, $tenant), default => false, }; } private function canLoginCompany( ?\App\Entity\Company $userCompany, ?\App\Entity\Reseller $userReseller, bool $isReseller, ResolvedTenant $tenant, ): bool { if (null !== $userCompany && null !== $tenant->company && $userCompany->getId()->equals($tenant->company->getId())) { return true; } // Reseller-Admin des zugehörigen Resellers darf den Firmen-Host ebenfalls nutzen return $isReseller && null !== $userReseller && null !== $tenant->reseller && $userReseller->getId()->equals($tenant->reseller->getId()); } }