Added access control for viewing activity
Can only view activity if involved in the case.
This commit is contained in:
parent
d2bd27c960
commit
ec99009f16
@ -13,4 +13,10 @@ class CaseInvolvement {
|
|||||||
$involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
|
$involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
|
||||||
return in_array($actorId, $involvedIds);
|
return in_array($actorId, $involvedIds);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static function userIsInvolved_activity($account, $activity) {
|
||||||
|
$case_id = $activity->oc_case->target_id;
|
||||||
|
$case = \Drupal::entityTypeManager()->getStorage('oc_case')->load($case_id);
|
||||||
|
return self::userIsInvolved($account, $case);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -24,11 +24,15 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
|
|||||||
if (!$entity->isPublished()) {
|
if (!$entity->isPublished()) {
|
||||||
return AccessResult::allowedIfHasPermission($account, 'view unpublished activity entities');
|
return AccessResult::allowedIfHasPermission($account, 'view unpublished activity entities');
|
||||||
}
|
}
|
||||||
return AccessResult::allowedIfHasPermission($account, 'view published activity entities');
|
return AccessResult::allowedIf(
|
||||||
|
$account->hasPermission('view published case entities') // activity permissions are inherited from case
|
||||||
case 'update':
|
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|
||||||
return AccessResult::allowedIfHasPermission($account, 'edit activity entities');
|
);
|
||||||
|
case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit cases
|
||||||
|
return AccessResult::allowedIf(
|
||||||
|
$account->hasPermission('edit case entities')
|
||||||
|
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity))
|
||||||
|
);
|
||||||
case 'delete':
|
case 'delete':
|
||||||
return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
|
return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
|
||||||
}
|
}
|
||||||
|
@ -29,10 +29,10 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
|
|||||||
$account->hasPermission('view published case entities')
|
$account->hasPermission('view published case entities')
|
||||||
|| CaseInvolvement::userIsInvolved($account, $entity)
|
|| CaseInvolvement::userIsInvolved($account, $entity)
|
||||||
);
|
);
|
||||||
case 'update':
|
case 'update': // you can edit the case only if a) you can see it and b) you have the permission to edit cases.
|
||||||
return AccessResult::allowedIf(
|
return AccessResult::allowedIf(
|
||||||
$account->hasPermission('edit published case entities')
|
$account->hasPermission('edit case entities')
|
||||||
|| CaseInvolvement::userIsInvolved($account, $entity)
|
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
|
||||||
);
|
);
|
||||||
case 'delete':
|
case 'delete':
|
||||||
return AccessResult::allowedIfHasPermission($account, 'delete case entities');
|
return AccessResult::allowedIfHasPermission($account, 'delete case entities');
|
||||||
|
Reference in New Issue
Block a user