Added permissions for client and volunteers

Plus permission to see just their involvement in cases
This commit is contained in:
naomi 2018-05-08 15:41:02 +02:00
parent 1eb54e69e5
commit 7dba72ef66
2 changed files with 73 additions and 26 deletions

View File

@ -1,33 +1,66 @@
add actor entities:
title: 'Create new Actor entities'
administer actor entities: administer actor entities:
title: 'Administer Actor entities' title: 'Administer Actor entities'
description: 'Allow to access the administration form to configure Actor entities.' description: 'Allow to access the administration form to configure Actor entities.'
restrict access: true restrict access: true
delete actor entities: view client involvement in cases:
title: 'Delete Actor entities' title: 'View Client Involvement in Cases (see their name, but nothing else)'
edit actor entities: add client entities:
title: 'Edit Actor entities' title: 'Create new Client entities'
view published actor entities: delete client entities:
title: 'View published Actor entities' title: 'Delete Client entities'
view unpublished actor entities: edit client entities:
title: 'View unpublished Actor entities' title: 'Edit Client entities'
view all actor revisions: view published client entities:
title: 'View all Actor revisions' title: 'View published Client entities'
revert all actor revisions: view unpublished client entities:
title: 'Revert all Actor revisions' title: 'View unpublished Client entities'
description: 'Role requires permission <em>view Actor revisions</em> and <em>edit rights</em> for actor entities in question or <em>administer actor entities</em>.'
view all client revisions:
title: 'View all Client revisions'
revert all client revisions:
title: 'Revert all Client revisions'
description: 'Role requires permission <em>view Client revisions</em> and <em>edit rights</em> for client entities in question or <em>administer client entities</em>.'
delete all client revisions:
title: 'Delete all Client revisions'
description: 'Role requires permission to <em>view Client revisions</em> and <em>delete rights</em> for client entities in question or <em>administer client entities</em>.'
view volunteer involvement in cases:
title: 'View Volunteer Involvement in Cases (see their name, but nothing else)'
add volunteer entities:
title: 'Create new Volunteer entities'
delete volunteer entities:
title: 'Delete Volunteer entities'
edit volunteer entities:
title: 'Edit Volunteer entities'
view published volunteer entities:
title: 'View published Volunteer entities'
view unpublished volunteer entities:
title: 'View unpublished Volunteer entities'
view all volunteer revisions:
title: 'View all Volunteer revisions'
revert all volunteer revisions:
title: 'Revert all Volunteer revisions'
description: 'Role requires permission <em>view Volunteer revisions</em> and <em>edit rights</em> for volunteer entities in question or <em>administer volunteer entities</em>.'
delete all volunteer revisions:
title: 'Delete all Volunteer revisions'
description: 'Role requires permission to <em>view Volunteer revisions</em> and <em>delete rights</em> for volunteer entities in question or <em>administer volunteer entities</em>.'
delete all actor revisions:
title: 'Delete all revisions'
description: 'Role requires permission to <em>view Actor revisions</em> and <em>delete rights</em> for actor entities in question or <em>administer actor entities</em>.'
add case entities: add case entities:
title: 'Create new Case entities' title: 'Create new Case entities'

View File

@ -16,21 +16,34 @@ class OCActorAccessControlHandler extends EntityAccessControlHandler {
/** /**
* {@inheritdoc} * {@inheritdoc}
* Permissions are assigned by bundle.
*
*/ */
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
/** @var \Drupal\opencase_entities\Entity\OCActorInterface $entity */ /** @var \Drupal\opencase_entities\Entity\OCActorInterface $entity */
$bundle = $entity->bundle();
$route_name = \Drupal::routeMatch()->getRouteName();
$case_routes = ['entity.oc_case.canonical', 'entity.oc_case.edit_form', 'view.cases.page_1'];
$is_case_context = in_array($route_name, $case_routes);
switch ($operation) { switch ($operation) {
case 'view': case 'view':
if (!$entity->isPublished()) { if (!$entity->isPublished()) {
return AccessResult::allowedIfHasPermission($account, 'view unpublished actor entities'); return AccessResult::allowedIfallowedIf(
$account->hasPermission("view unpublished $bundle entities")
or ($is_case_context && $account->hasPermission("view unpublished $bundle entities"))
);
} }
return AccessResult::allowedIfHasPermission($account, 'view published actor entities'); return AccessResult::allowedIf(
$account->hasPermission("view published $bundle entities")
or ($is_case_context && $account->hasPermission("view $bundle involvement in cases"))
);
case 'update': case "update":
return AccessResult::allowedIfHasPermission($account, 'edit actor entities'); return AccessResult::allowedIfHasPermission($account, "edit $bundle entities");
case 'delete': case "delete":
return AccessResult::allowedIfHasPermission($account, 'delete actor entities'); return AccessResult::allowedIfHasPermission($account, "delete $bundle entities");
} }
// Unknown operation, no opinion. // Unknown operation, no opinion.
@ -41,7 +54,8 @@ class OCActorAccessControlHandler extends EntityAccessControlHandler {
* {@inheritdoc} * {@inheritdoc}
*/ */
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
return AccessResult::allowedIfHasPermission($account, 'add actor entities'); $bundle = $entity->bundle();
return AccessResult::allowedIfHasPermission($account, "add $bundle entities");
} }
} }