More on permissions for activities and cases
This commit is contained in:
parent
ec99009f16
commit
352ea000f0
@ -28,13 +28,24 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
|
||||
$account->hasPermission('view published case entities') // activity permissions are inherited from case
|
||||
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|
||||
);
|
||||
case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit cases
|
||||
case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit activities
|
||||
if (!$account->hasPermission('edit activity entities')) {
|
||||
return AccessResult::forbidden();
|
||||
} else {
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('edit case entities')
|
||||
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity))
|
||||
$account->hasPermission('view published case entities')
|
||||
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|
||||
);
|
||||
case 'delete':
|
||||
return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
|
||||
}
|
||||
case 'delete': // allowed only if a) they can see the case the activity is on and b) they can delete activities
|
||||
if (!$account->hasPermission('delete activity entities')) {
|
||||
return AccessResult::forbidden();
|
||||
} else {
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('view published case entities')
|
||||
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Unknown operation, no opinion.
|
||||
|
@ -34,8 +34,11 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
|
||||
$account->hasPermission('edit case entities')
|
||||
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
|
||||
);
|
||||
case 'delete':
|
||||
return AccessResult::allowedIfHasPermission($account, 'delete case entities');
|
||||
case 'delete': // you can delete the case only if a) you can see it and b) you have the permission to delete cases.
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('delete case entities')
|
||||
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
|
||||
);
|
||||
}
|
||||
|
||||
// Unknown operation, no opinion.
|
||||
|
Reference in New Issue
Block a user