diff --git a/modules/opencase_entities/opencase_entities.permissions.yml b/modules/opencase_entities/opencase_entities.permissions.yml
index 564d348..7cab3f9 100644
--- a/modules/opencase_entities/opencase_entities.permissions.yml
+++ b/modules/opencase_entities/opencase_entities.permissions.yml
@@ -1,33 +1,66 @@
-add actor entities:
- title: 'Create new Actor entities'
-
administer actor entities:
title: 'Administer Actor entities'
description: 'Allow to access the administration form to configure Actor entities.'
restrict access: true
-delete actor entities:
- title: 'Delete Actor entities'
+view client involvement in cases:
+ title: 'View Client Involvement in Cases (see their name, but nothing else)'
-edit actor entities:
- title: 'Edit Actor entities'
+add client entities:
+ title: 'Create new Client entities'
-view published actor entities:
- title: 'View published Actor entities'
+delete client entities:
+ title: 'Delete Client entities'
-view unpublished actor entities:
- title: 'View unpublished Actor entities'
+edit client entities:
+ title: 'Edit Client entities'
-view all actor revisions:
- title: 'View all Actor revisions'
+view published client entities:
+ title: 'View published Client entities'
-revert all actor revisions:
- title: 'Revert all Actor revisions'
- description: 'Role requires permission view Actor revisions and edit rights for actor entities in question or administer actor entities.'
+view unpublished client entities:
+ title: 'View unpublished Client entities'
+
+view all client revisions:
+ title: 'View all Client revisions'
+
+revert all client revisions:
+ title: 'Revert all Client revisions'
+ description: 'Role requires permission view Client revisions and edit rights for client entities in question or administer client entities.'
+
+delete all client revisions:
+ title: 'Delete all Client revisions'
+ description: 'Role requires permission to view Client revisions and delete rights for client entities in question or administer client entities.'
+
+view volunteer involvement in cases:
+ title: 'View Volunteer Involvement in Cases (see their name, but nothing else)'
+
+add volunteer entities:
+ title: 'Create new Volunteer entities'
+
+delete volunteer entities:
+ title: 'Delete Volunteer entities'
+
+edit volunteer entities:
+ title: 'Edit Volunteer entities'
+
+view published volunteer entities:
+ title: 'View published Volunteer entities'
+
+view unpublished volunteer entities:
+ title: 'View unpublished Volunteer entities'
+
+view all volunteer revisions:
+ title: 'View all Volunteer revisions'
+
+revert all volunteer revisions:
+ title: 'Revert all Volunteer revisions'
+ description: 'Role requires permission view Volunteer revisions and edit rights for volunteer entities in question or administer volunteer entities.'
+
+delete all volunteer revisions:
+ title: 'Delete all Volunteer revisions'
+ description: 'Role requires permission to view Volunteer revisions and delete rights for volunteer entities in question or administer volunteer entities.'
-delete all actor revisions:
- title: 'Delete all revisions'
- description: 'Role requires permission to view Actor revisions and delete rights for actor entities in question or administer actor entities.'
add case entities:
title: 'Create new Case entities'
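Review bot: The per-bundle permissions are written out by hand for `client` and `volunteer` only, while OCActorAccessControlHandler in this same commit builds the permission name from `$entity->bundle()`. Any other actor bundle would resolve to a permission string that is not defined here, so no role could be granted it; that fails closed, but silently. Consider generating these entries through `permission_callbacks:` so the list follows the bundles that exist. The two new `view … involvement in cases` permissions also have no `description:`. Since the title promises "name, but nothing else", a description stating exactly where that limited view applies would help whoever assigns roles.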
diff --git a/modules/opencase_entities/src/OCActorAccessControlHandler.php b/modules/opencase_entities/src/OCActorAccessControlHandler.php
index 8eeda18..abc59cc 100644
--- a/modules/opencase_entities/src/OCActorAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCActorAccessControlHandler.php
@@ -16,21 +16,34 @@ class OCActorAccessControlHandler extends EntityAccessControlHandler {
/**
* {@inheritdoc}
+ * Permissions are assigned by bundle.
+ *
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
/** @var \Drupal\opencase_entities\Entity\OCActorInterface $entity */
+ $bundle = $entity->bundle();
+ $route_name = \Drupal::routeMatch()->getRouteName();
+ $case_routes = ['entity.oc_case.canonical', 'entity.oc_case.edit_form', 'view.cases.page_1'];
+ $is_case_context = in_array($route_name, $case_routes);
+
switch ($operation) {
case 'view':
if (!$entity->isPublished()) {
- return AccessResult::allowedIfHasPermission($account, 'view unpublished actor entities');
+ return AccessResult::allowedIfallowedIf(
+ $account->hasPermission("view unpublished $bundle entities")
+ or ($is_case_context && $account->hasPermission("view unpublished $bundle entities"))
+ );
}
- return AccessResult::allowedIfHasPermission($account, 'view published actor entities');
+ return AccessResult::allowedIf(
+ $account->hasPermission("view published $bundle entities")
+ or ($is_case_context && $account->hasPermission("view $bundle involvement in cases"))
+ );
- case 'update':
- return AccessResult::allowedIfHasPermission($account, 'edit actor entities');
+ case "update":
+ return AccessResult::allowedIfHasPermission($account, "edit $bundle entities");
- case 'delete':
- return AccessResult::allowedIfHasPermission($account, 'delete actor entities');
+ case "delete":
+ return AccessResult::allowedIfHasPermission($account, "delete $bundle entities");
}
// Unknown operation, no opinion.
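Review bot: `AccessResult::allowedIfallowedIf(` in the unpublished branch of `case 'view'` is not a method of AccessResult, so viewing any unpublished actor will fail with a fatal error; it should be `AccessResult::allowedIf(`. In that same branch both operands of `or` test "view unpublished $bundle entities", so the case-context clause has no effect there. Both `allowedIf()` results now depend on the current route and on permissions but carry no cacheability metadata, whereas the replaced `allowedIfHasPermission()` calls added the permissions context. An allow computed on a case route could therefore be reused outside it, and appending `->cachePerPermissions()->addCacheContexts(['route.name'])` would prevent that. The published branch also grants the full `view` operation to holders of "view $bundle involvement in cases", whose title promises the name only; nothing in this hunk limits which fields are shown, so that restriction presumably has to be enforced in the case displays and should be confirmed. checkAccess() continues past the end of this hunk.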
@@ -41,7 +54,8 @@ class OCActorAccessControlHandler extends EntityAccessControlHandler {
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
- return AccessResult::allowedIfHasPermission($account, 'add actor entities');
+ $bundle = $entity->bundle();
+ return AccessResult::allowedIfHasPermission($account, "add $bundle entities");
}
}
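Review bot: `$entity` is not defined in checkCreateAccess(); the signature only provides `$entity_bundle`, so `$entity->bundle()` will fail on every create-access check. Use the parameter instead: `return AccessResult::allowedIfHasPermission($account, "add $entity_bundle entities");`. `$entity_bundle` defaults to NULL, in which case the string becomes "add  entities", which matches no defined permission and denies. A one-line comment saying that this deny is intended would make the fail-closed behaviour explicit.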