More on permissions for activities and cases

2018-07-19 15:35:22 +02:00 · 2018-07-19 15:35:22 +02:00 · 352ea000f0
parent ec99009f16
commit 352ea000f0
2 changed files with 23 additions and 9 deletions
--- a/modules/opencase_entities/src/OCActivityAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
@ -28,13 +28,24 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
            $account->hasPermission('view published case entities')  // activity permissions are inherited from case
            || CaseInvolvement::userIsInvolved_activity($account, $entity)
        );
-      case 'update':  // allowed only if a) they can see the case the activity is on and b) they can edit cases
-        return AccessResult::allowedIf(
-            $account->hasPermission('edit case entities')
-            && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity))
-        );
-      case 'delete':
-        return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
+      case 'update':  // allowed only if a) they can see the case the activity is on and b) they can edit activities
+        if (!$account->hasPermission('edit activity entities')) {
+            return AccessResult::forbidden();
+        } else {
+            return AccessResult::allowedIf(
+              $account->hasPermission('view published case entities') 
+              || CaseInvolvement::userIsInvolved_activity($account, $entity)
+            );
+        }
+      case 'delete':  // allowed only if a) they can see the case the activity is on and b) they can delete activities
+        if (!$account->hasPermission('delete activity entities')) {
+            return AccessResult::forbidden();
+        } else {
+            return AccessResult::allowedIf(
+              $account->hasPermission('view published case entities') 
+              || CaseInvolvement::userIsInvolved_activity($account, $entity)
+            );
+        }
    }

    // Unknown operation, no opinion.
--- a/modules/opencase_entities/src/OCCaseAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
@ -34,8 +34,11 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
            $account->hasPermission('edit case entities')
            && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
        );
-      case 'delete':
-        return AccessResult::allowedIfHasPermission($account, 'delete case entities');
+      case 'delete':   // you can delete the case only if a) you can see it and b) you have the permission to delete cases.
+        return AccessResult::allowedIf(
+            $account->hasPermission('delete case entities')
+            && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
+        );
    }

    // Unknown operation, no opinion.