Added access control for viewing activity

Can only view activity if involved in the case.
2018-07-19 15:10:02 +02:00 · 2018-07-19 15:10:02 +02:00 · ec99009f16
parent d2bd27c960
commit ec99009f16
3 changed files with 18 additions and 8 deletions
--- a/modules/opencase_entities/src/CaseInvolvement.php
+++ b/modules/opencase_entities/src/CaseInvolvement.php
@ -13,4 +13,10 @@ class CaseInvolvement {
    $involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
    return in_array($actorId, $involvedIds);
  }
+
+  public static function userIsInvolved_activity($account, $activity) {
+    $case_id = $activity->oc_case->target_id;
+    $case = \Drupal::entityTypeManager()->getStorage('oc_case')->load($case_id);
+    return self::userIsInvolved($account, $case);
+  }
 }
--- a/modules/opencase_entities/src/OCActivityAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
@ -24,11 +24,15 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
        if (!$entity->isPublished()) {
          return AccessResult::allowedIfHasPermission($account, 'view unpublished activity entities');
        }
-        return AccessResult::allowedIfHasPermission($account, 'view published activity entities');
-
-      case 'update':
-        return AccessResult::allowedIfHasPermission($account, 'edit activity entities');
-
+        return AccessResult::allowedIf(
+            $account->hasPermission('view published case entities')  // activity permissions are inherited from case
+            || CaseInvolvement::userIsInvolved_activity($account, $entity)
+        );
+      case 'update':  // allowed only if a) they can see the case the activity is on and b) they can edit cases
+        return AccessResult::allowedIf(
+            $account->hasPermission('edit case entities')
+            && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity))
+        );
      case 'delete':
        return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
    }
--- a/modules/opencase_entities/src/OCCaseAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCCaseAccessControlHandler.php
@ -29,10 +29,10 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
            $account->hasPermission('view published case entities')
            || CaseInvolvement::userIsInvolved($account, $entity)
        );
-      case 'update':
+      case 'update':   // you can edit the case only if a) you can see it and b) you have the permission to edit cases.
        return AccessResult::allowedIf(
-            $account->hasPermission('edit published case entities')
-            || CaseInvolvement::userIsInvolved($account, $entity)
+            $account->hasPermission('edit case entities')
+            && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
        );
      case 'delete':
        return AccessResult::allowedIfHasPermission($account, 'delete case entities');