More on permissions for activities and cases

This commit is contained in:
naomi 2018-07-19 15:35:22 +02:00
parent ec99009f16
commit 352ea000f0
2 changed files with 23 additions and 9 deletions

View File

@ -28,13 +28,24 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
$account->hasPermission('view published case entities') // activity permissions are inherited from case $account->hasPermission('view published case entities') // activity permissions are inherited from case
|| CaseInvolvement::userIsInvolved_activity($account, $entity) || CaseInvolvement::userIsInvolved_activity($account, $entity)
); );
case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit cases case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit activities
return AccessResult::allowedIf( if (!$account->hasPermission('edit activity entities')) {
$account->hasPermission('edit case entities') return AccessResult::forbidden();
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity)) } else {
); return AccessResult::allowedIf(
case 'delete': $account->hasPermission('view published case entities')
return AccessResult::allowedIfHasPermission($account, 'delete activity entities'); || CaseInvolvement::userIsInvolved_activity($account, $entity)
);
}
case 'delete': // allowed only if a) they can see the case the activity is on and b) they can delete activities
if (!$account->hasPermission('delete activity entities')) {
return AccessResult::forbidden();
} else {
return AccessResult::allowedIf(
$account->hasPermission('view published case entities')
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
);
}
} }
// Unknown operation, no opinion. // Unknown operation, no opinion.

View File

@ -34,8 +34,11 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
$account->hasPermission('edit case entities') $account->hasPermission('edit case entities')
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity)) && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
); );
case 'delete': case 'delete': // you can delete the case only if a) you can see it and b) you have the permission to delete cases.
return AccessResult::allowedIfHasPermission($account, 'delete case entities'); return AccessResult::allowedIf(
$account->hasPermission('delete case entities')
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
);
} }
// Unknown operation, no opinion. // Unknown operation, no opinion.