From 7dba72ef663247897e8b649497c5fd28626c06b7 Mon Sep 17 00:00:00 2001
From: naomi
Date: Tue, 8 May 2018 15:41:02 +0200
Subject: [PATCH] Added permissions for client and volunteers Plus permission to see just their involvement in cases
---
 .../opencase_entities.permissions.yml | 71 ++++++++++++++-----
 .../src/OCActorAccessControlHandler.php | 28 ++++++--
 2 files changed, 73 insertions(+), 26 deletions(-)
diff --git a/modules/opencase_entities/opencase_entities.permissions.yml b/modules/opencase_entities/opencase_entities.permissions.yml
index 564d348..7cab3f9 100644
--- a/modules/opencase_entities/opencase_entities.permissions.yml
+++ b/modules/opencase_entities/opencase_entities.permissions.yml
@@ -1,33 +1,66 @@ -add actor entities: - title: 'Create new Actor entities' - administer actor entities: title: 'Administer Actor entities' description: 'Allow to access the administration form to configure Actor entities.' restrict access: true -delete actor entities: - title: 'Delete Actor entities' +view client involvement in cases: + title: 'View Client Involvement in Cases (see their name, but nothing else)' -edit actor entities: - title: 'Edit Actor entities' +add client entities: + title: 'Create new Client entities' -view published actor entities: - title: 'View published Actor entities' +delete client entities: + title: 'Delete Client entities' -view unpublished actor entities: - title: 'View unpublished Actor entities' +edit client entities: + title: 'Edit Client entities' -view all actor revisions: - title: 'View all Actor revisions' +view published client entities: + title: 'View published Client entities' -revert all actor revisions: - title: 'Revert all Actor revisions' - description: 'Role requires permission view Actor revisions and edit rights for actor entities in question or administer actor entities.' +view unpublished client entities: + title: 'View unpublished Client entities' + +view all client revisions: + title: 'View all Client revisions' + +revert all client revisions: + title: 'Revert all Client revisions' + description: 'Role requires permission view Client revisions and edit rights for client entities in question or administer client entities.' + +delete all client revisions: + title: 'Delete all Client revisions' + description: 'Role requires permission to view Client revisions and delete rights for client entities in question or administer client entities.' 
+ +view volunteer involvement in cases: + title: 'View Volunteer Involvement in Cases (see their name, but nothing else)' + +add volunteer entities: + title: 'Create new Volunteer entities' + +delete volunteer entities: + title: 'Delete Volunteer entities' + +edit volunteer entities: + title: 'Edit Volunteer entities' + +view published volunteer entities: + title: 'View published Volunteer entities' + +view unpublished volunteer entities: + title: 'View unpublished Volunteer entities' + +view all volunteer revisions: + title: 'View all Volunteer revisions' + +revert all volunteer revisions: + title: 'Revert all Volunteer revisions' + description: 'Role requires permission view Volunteer revisions and edit rights for volunteer entities in question or administer volunteer entities.' + +delete all volunteer revisions: + title: 'Delete all Volunteer revisions' + description: 'Role requires permission to view Volunteer revisions and delete rights for volunteer entities in question or administer volunteer entities.' -delete all actor revisions: - title: 'Delete all revisions' - description: 'Role requires permission to view Actor revisions and delete rights for actor entities in question or administer actor entities.' add case entities: title: 'Create new Case entities' diff --git a/modules/opencase_entities/src/OCActorAccessControlHandler.php b/modules/opencase_entities/src/OCActorAccessControlHandler.php index 8eeda18..abc59cc 100644 --- a/modules/opencase_entities/src/OCActorAccessControlHandler.php +++ b/modules/opencase_entities/src/OCActorAccessControlHandler.php 
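Review bot: The client and volunteer blocks in opencase_entities.permissions.yml are hand-written copies whose names must match, character for character, the strings OCActorAccessControlHandler builds from the bundle, such as `"view published $bundle entities"`; any further actor bundle would resolve to permission names that are not defined here and that no role can be granted. Drupal's `permission_callbacks` key can generate one set per bundle from a single method, so the list and the handler cannot drift apart. Separately, the title `'View Client Involvement in Cases (see their name, but nothing else)'` states a guarantee that this file cannot enforce; both involvement permissions should carry a `description:` saying which code is responsible for limiting what is shown.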
@@ -16,21 +16,34 @@ class OCActorAccessControlHandler extends EntityAccessControlHandler { /** * {@inheritdoc} + * Permissions are assigned by bundle. + * */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\opencase_entities\Entity\OCActorInterface $entity */ + $bundle = $entity->bundle(); + $route_name = \Drupal::routeMatch()->getRouteName(); + $case_routes = ['entity.oc_case.canonical', 'entity.oc_case.edit_form', 'view.cases.page_1']; + $is_case_context = in_array($route_name, $case_routes); + switch ($operation) { case 'view': if (!$entity->isPublished()) { - return AccessResult::allowedIfHasPermission($account, 'view unpublished actor entities'); + return AccessResult::allowedIfallowedIf( + $account->hasPermission("view unpublished $bundle entities") + or ($is_case_context && $account->hasPermission("view unpublished $bundle entities")) + ); } - return AccessResult::allowedIfHasPermission($account, 'view published actor entities'); + return AccessResult::allowedIf( + $account->hasPermission("view published $bundle entities") + or ($is_case_context && $account->hasPermission("view $bundle involvement in cases")) + ); - case 'update': - return AccessResult::allowedIfHasPermission($account, 'edit actor entities'); + case "update": + return AccessResult::allowedIfHasPermission($account, "edit $bundle entities"); - case 'delete': - return AccessResult::allowedIfHasPermission($account, 'delete actor entities'); + case "delete": + return AccessResult::allowedIfHasPermission($account, "delete $bundle entities"); } // Unknown operation, no opinion. 
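Review bot: The unpublished branch of the `view` case calls `AccessResult::allowedIfallowedIf(`, a doubled method name that does not exist, so checking view access on an unpublished actor ends in a fatal error instead of an access result; its second clause also repeats the same `view unpublished $bundle entities` permission and adds nothing. Both `allowedIf()` results now depend on the account's permissions and on the current route name but carry no cacheability metadata, unlike the `allowedIfHasPermission()` calls they replace, so a result computed on a case route could be reused where the route condition is false; the fence below adds `cachePerPermissions()` and the `route.name` cache context. The route test also grants the full `view` operation on every actor of that bundle for the whole request, not only the name of actors attached to the displayed case, so the "nothing else" in the permission title is not enforced here and would need a check against the case's own actor references or a name-only field access rule. checkAccess continues past the end of the hunk.

```php
    // … unchanged: $bundle, $route_name, $case_routes, $is_case_context setup …
    switch ($operation) {
      case 'view':
        if (!$entity->isPublished()) {
          return AccessResult::allowedIfHasPermission($account, "view unpublished $bundle entities")
            ->addCacheableDependency($entity);
        }
        return AccessResult::allowedIf(
          $account->hasPermission("view published $bundle entities")
          || ($is_case_context && $account->hasPermission("view $bundle involvement in cases"))
        )
          // The result varies by role set and by route, so say so to the cache.
          ->cachePerPermissions()
          ->addCacheContexts(['route.name'])
          ->addCacheableDependency($entity);

      // … unchanged: 'update' and 'delete' cases …
```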
@@ -41,7 +54,8 @@ class OCActorAccessControlHandler extends EntityAccessControlHandler { * {@inheritdoc} */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { - return AccessResult::allowedIfHasPermission($account, 'add actor entities'); + $bundle = $entity->bundle(); + return AccessResult::allowedIfHasPermission($account, "add $bundle entities"); } }
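Review bot: `checkCreateAccess()` has no `$entity` in scope, so the added `$bundle = $entity->bundle();` calls a method on an undefined variable and every create-access check would fail with an error rather than return a result. The bundle is already passed in as `$entity_bundle`; the two added lines can become `return AccessResult::allowedIfHasPermission($account, "add $entity_bundle entities");`. Because that parameter defaults to `NULL`, a guard such as `if ($entity_bundle === NULL) { return AccessResult::neutral(); }` before the return avoids checking the malformed permission name `add  entities`.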