From c7297507052ce0de03334acdbd121de4f5a8721b Mon Sep 17 00:00:00 2001
From: naomi
Date: Mon, 9 Jul 2018 19:36:47 +0200
Subject: [PATCH] Case views are now filtered by user involvement unless the user has the see all cases permission
---
 .../opencase_entities/opencase_entities.module | 18 ++++++++++++++++++
 .../opencase_entities/src/CaseInvolvement.php | 8 ++++----
 .../src/OCCaseAccessControlHandler.php | 2 +-
 3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/modules/opencase_entities/opencase_entities.module b/modules/opencase_entities/opencase_entities.module
index e15eb52..4d44380 100644
--- a/modules/opencase_entities/opencase_entities.module
+++ b/modules/opencase_entities/opencase_entities.module
@@ -6,6 +6,7 @@
 */
 use Drupal\Core\Routing\RouteMatchInterface;
+use Drupal\opencase_entities\CaseInvolvement;
 /**
 * Implements hook_help().
@@ -111,3 +112,20 @@ function opencase_entities_theme_suggestions_oc_activity(array $variables) {
 $suggestions[] = 'oc_activity__' . $entity->id() . '__' . $sanitized_view_mode;
 return $suggestions;
 }
+
+function opencase_views_query_alter(Drupal\views\ViewExecutable $view, $query) {
+ if ($view->getBaseEntityType()->id() == 'oc_case') {
+ $query->addTag('oc_case_access');
+ }
+}
+
+function opencase_query_oc_case_access_alter($query) {
+ if (\Drupal::currentUser()->hasPermission('view published case entities')) {
+ return;
+ } elseif (\Drupal::currentUser()->hasPermission('view own cases')) {
+ $linked_actor_id = CaseInvolvement::getLinkedActorId(\Drupal::currentUser());
+ $query->addJoin('INNER', 'oc_case__actors_involved', 'access_filter', 'access_filter.entity_id = oc_case_field_data.id');
+ $query->condition('access_filter.actors_involved_target_id', $linked_actor_id);
+ return $query;
+ }
+}
diff --git a/modules/opencase_entities/src/CaseInvolvement.php b/modules/opencase_entities/src/CaseInvolvement.php
index 60cf622..5ea82c8 100644
--- a/modules/opencase_entities/src/CaseInvolvement.php
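Review bot: `opencase_query_oc_case_access_alter` fails open: an account holding neither 'view published case entities' nor 'view own cases' falls through both branches, so the tagged query runs unfiltered and, unless something else restricts those views, lists every case. Add a deny-by-default branch such as `else { $query->where('1 = 0'); }`. In `opencase_views_query_alter`, `$view->getBaseEntityType()` returns FALSE for a view whose base table is not an entity, so `->id()` would be called on a boolean; guard it with `$type = $view->getBaseEntityType(); if ($type && $type->id() === 'oc_case')`. Both functions use the `opencase_` prefix rather than this module's `opencase_entities_`, so they presumably only fire as hooks if a module named `opencase` is enabled; confirm that, and give each an `Implements hook_…().` docblock stating that the alter is the access filter for case views.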
+++ b/modules/opencase_entities/src/CaseInvolvement.php
@@ -4,12 +4,12 @@ namespace Drupal\opencase_entities;
 class CaseInvolvement {
- private function getLinkedActorId($userId) {
- return \Drupal\user\Entity\User::load($userId)->get('field_linked_opencase_actor')->target_id;
+ public static function getLinkedActorId($account) {
+ return \Drupal\user\Entity\User::load($account->id())->get('field_linked_opencase_actor')->target_id;
 }
- public function userIsInvolved($account, $case) {
- $actorId = $this->getLinkedActorId($account->id());
+ public static function userIsInvolved($account, $case) {
+ $actorId = self::getLinkedActorId($account);
 $involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
 return in_array($actorId, $involvedIds);
 }
diff --git a/modules/opencase_entities/src/OCCaseAccessControlHandler.php b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
index e6a441c..edcacd8 100644
--- a/modules/opencase_entities/src/OCCaseAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
@@ -27,7 +27,7 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
 }
 return AccessResult::allowedIf(
 $account->hasPermission('view published case entities')
- || (new CaseInvolvement())->userIsInvolved($account, $entity)
+ || CaseInvolvement::userIsInvolved($account, $entity)
 );
 case 'update':
 return AccessResult::allowedIfHasPermission($account, 'edit case entities');
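Review bot: `CaseInvolvement::getLinkedActorId()` is now public and static and also feeds the query alter, but it handles neither a failed `User::load()` nor an empty `field_linked_opencase_actor`. The first would be a fatal call on NULL; the second returns NULL as the actor id. In `userIsInvolved()` that NULL then goes into the loose `in_array($actorId, $involvedIds)`, which would match an involved entry whose `target_id` is empty or 0 (whether such rows can occur is not visible here). An early `if ($actorId === NULL) { return FALSE; }` keeps an account with no linked actor from being treated as involved, and a docblock saying the method returns the linked actor id or NULL would make the contract explicit for the new caller. The class body continues outside the hunk.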