Secure the twig renderer template loader

src/Service/SnipParser/Twig/SnipLoader.php

@@ -4,7 +4,9 @@ namespace App\Service\SnipParser\Twig;
 
 use App\Entity\Snip;
 use App\Repository\SnipRepository;
+use App\Security\Voter\SnipVoter;
 use App\Service\SnipContent\SnipContentService;
+use Symfony\Bundle\SecurityBundle\Security;
 use Twig\Error\LoaderError;
 use Twig\Loader\LoaderInterface;
 use Twig\Source;
@@ -14,6 +16,7 @@ class SnipLoader implements LoaderInterface
     public function __construct(
         private readonly SnipRepository     $repository,
         private readonly SnipContentService $contentService,
+        private readonly Security           $security,
     ) {}
 
     public function getSourceContext(string $name): Source
@@ -50,6 +53,9 @@ class SnipLoader implements LoaderInterface
         if (!$snip) {
             throw new LoaderError(\sprintf('Template "%s" is not defined.', $key));
         }
+        if (!$this->security->isGranted(SnipVoter::VIEW, $snip)) {
+            throw new LoaderError(\sprintf('You do not have permission to view the template "%s".', $key));
+        }
 
         return $snip;
     }

src/Service/SnipParser/Twig/SnipTwigExtension.php

@@ -48,8 +48,13 @@ class SnipTwigExtension extends AbstractExtension
 
     private function snipsByTag(string $tag): array
     {
+        // Todo: get 'context' user from the snip it is called from
+        $user = $this->security->getUser();
+        if ($user === null) {
+            return [];
+        }
         $request = new SnipFilterRequest(SnipFilterRequest::VISIBILITY_ALL, tag: $tag);
-        $snips = $this->snipRepo->findByRequest($this->security->getUser(), $request);
+        $snips = $this->snipRepo->findByRequest($user, $request);
         return array_map(fn(Snip $snip) => [
             'id' => $snip->getId(),
             'name' => $snip->getName(),