Case views are now filtered by user involvement

unless the user has the see all cases permission
This commit is contained in:
naomi 2018-07-09 19:36:47 +02:00
parent 351bdb5afd
commit c729750705
3 changed files with 23 additions and 5 deletions

View File

@ -6,6 +6,7 @@
*/ */
use Drupal\Core\Routing\RouteMatchInterface; use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\opencase_entities\CaseInvolvement;
/** /**
* Implements hook_help(). * Implements hook_help().
@ -111,3 +112,20 @@ function opencase_entities_theme_suggestions_oc_activity(array $variables) {
$suggestions[] = 'oc_activity__' . $entity->id() . '__' . $sanitized_view_mode; $suggestions[] = 'oc_activity__' . $entity->id() . '__' . $sanitized_view_mode;
return $suggestions; return $suggestions;
} }
function opencase_views_query_alter(Drupal\views\ViewExecutable $view, $query) {
if ($view->getBaseEntityType()->id() == 'oc_case') {
$query->addTag('oc_case_access');
}
}
function opencase_query_oc_case_access_alter($query) {
if (\Drupal::currentUser()->hasPermission('view published case entities')) {
return;
} elseif (\Drupal::currentUser()->hasPermission('view own cases')) {
$linked_actor_id = CaseInvolvement::getLinkedActorId(\Drupal::currentUser());
$query->addJoin('INNER', 'oc_case__actors_involved', 'access_filter', 'access_filter.entity_id = oc_case_field_data.id');
$query->condition('access_filter.actors_involved_target_id', $linked_actor_id);
return $query;
}
}

View File

@ -4,12 +4,12 @@ namespace Drupal\opencase_entities;
class CaseInvolvement { class CaseInvolvement {
private function getLinkedActorId($userId) { public static function getLinkedActorId($account) {
return \Drupal\user\Entity\User::load($userId)->get('field_linked_opencase_actor')->target_id; return \Drupal\user\Entity\User::load($account->id())->get('field_linked_opencase_actor')->target_id;
} }
public function userIsInvolved($account, $case) { public static function userIsInvolved($account, $case) {
$actorId = $this->getLinkedActorId($account->id()); $actorId = self::getLinkedActorId($account);
$involvedIds = array_column($case->actors_involved->getValue(), 'target_id'); $involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
return in_array($actorId, $involvedIds); return in_array($actorId, $involvedIds);
} }

View File

@ -27,7 +27,7 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
} }
return AccessResult::allowedIf( return AccessResult::allowedIf(
$account->hasPermission('view published case entities') $account->hasPermission('view published case entities')
|| (new CaseInvolvement())->userIsInvolved($account, $entity) || CaseInvolvement::userIsInvolved($account, $entity)
); );
case 'update': case 'update':
return AccessResult::allowedIfHasPermission($account, 'edit case entities'); return AccessResult::allowedIfHasPermission($account, 'edit case entities');