From 352ea000f0f4d79c338908fe05a7547ccd6325c3 Mon Sep 17 00:00:00 2001
From: naomi
Date: Thu, 19 Jul 2018 15:35:22 +0200
Subject: [PATCH] More on permissions for activities and cases
---
 .../src/OCActivityAccessControlHandler.php | 25 +++++++++++++------
 .../src/OCCaseAccessControlHandler.php | 7 ++++--
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/modules/opencase_entities/src/OCActivityAccessControlHandler.php b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
index f104107..69c29cf 100644
--- a/modules/opencase_entities/src/OCActivityAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
@@ -28,13 +28,24 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
 $account->hasPermission('view published case entities') // activity permissions are inherited from case
 || CaseInvolvement::userIsInvolved_activity($account, $entity)
 );
- case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit cases
- return AccessResult::allowedIf(
- $account->hasPermission('edit case entities')
- && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity))
- );
- case 'delete':
- return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
+ case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit activities
+ if (!$account->hasPermission('edit activity entities')) {
+ return AccessResult::forbidden();
+ } else {
+ return AccessResult::allowedIf(
+ $account->hasPermission('view published case entities')
+ || CaseInvolvement::userIsInvolved_activity($account, $entity)
+ );
+ }
+ case 'delete': // allowed only if a) they can see the case the activity is on and b) they can delete activities
+ if (!$account->hasPermission('delete activity entities')) {
+ return AccessResult::forbidden();
+ } else {
+ return AccessResult::allowedIf(
+ $account->hasPermission('view published case entities')
+ || CaseInvolvement::userIsInvolved_activity($account, $entity)
+ );
+ }
 }
 
 // Unknown operation, no opinion.
diff --git a/modules/opencase_entities/src/OCCaseAccessControlHandler.php b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
index 36e5eab..f349de9 100644
--- a/modules/opencase_entities/src/OCCaseAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
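Review bot: The new `update` and `delete` branches in OCActivityAccessControlHandler return access results without cacheability metadata: `AccessResult::forbidden()` and `AccessResult::allowedIf(...)` carry no cache contexts, whereas the removed `allowedIfHasPermission()` call added the `user.permissions` context itself. If these results are bubbled into cached render output, a decision computed for one account could presumably be reused for another account with different permissions or involvement. I would write `return AccessResult::forbidden()->cachePerPermissions();` for the deny and append `->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity)` to each `allowedIf(...)`; the per-user part assumes `CaseInvolvement::userIsInvolved_activity()` varies by account, which this hunk does not show. The same applies to the `delete` branch in OCCaseAccessControlHandler, which also replaces `allowedIfHasPermission()` with a bare `allowedIf()`. The enclosing switch starts and ends outside the hunk.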
@@ -34,8 +34,11 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
 $account->hasPermission('edit case entities')
 && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
 );
- case 'delete':
- return AccessResult::allowedIfHasPermission($account, 'delete case entities');
+ case 'delete': // you can delete the case only if a) you can see it and b) you have the permission to delete cases.
+ return AccessResult::allowedIf(
+ $account->hasPermission('delete case entities')
+ && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
+ );
 }
 
 // Unknown operation, no opinion.
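Review bot: The `delete` branch here denies with a neutral result (`allowedIf()` on a false condition), while the activity handler changed in the same commit denies the equivalent case with `AccessResult::forbidden()`. In Drupal's entity access flow a neutral result from `checkAccess()` can still be turned into access by another module's entity access hook, whereas forbidden cannot, so a user lacking the delete permission is refused differently by the two handlers. If a hard deny is intended for cases as well, mirror the activity handler by putting `if (!$account->hasPermission('delete case entities')) { return AccessResult::forbidden(); }` ahead of the `allowedIf(...)`; if neutral is intended, a short comment saying so would explain the difference. The switch starts outside the hunk, so the `view` and `update` branches could not be compared in full.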