Added access control for viewing activity

Can only view activity if involved in the case.
This commit is contained in:
naomi 2018-07-19 15:10:02 +02:00
parent d2bd27c960
commit ec99009f16
3 changed files with 18 additions and 8 deletions

View File

@ -13,4 +13,10 @@ class CaseInvolvement {
$involvedIds = array_column($case->actors_involved->getValue(), 'target_id'); $involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
return in_array($actorId, $involvedIds); return in_array($actorId, $involvedIds);
} }
public static function userIsInvolved_activity($account, $activity) {
$case_id = $activity->oc_case->target_id;
$case = \Drupal::entityTypeManager()->getStorage('oc_case')->load($case_id);
return self::userIsInvolved($account, $case);
}
} }

View File

@ -24,11 +24,15 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
if (!$entity->isPublished()) { if (!$entity->isPublished()) {
return AccessResult::allowedIfHasPermission($account, 'view unpublished activity entities'); return AccessResult::allowedIfHasPermission($account, 'view unpublished activity entities');
} }
return AccessResult::allowedIfHasPermission($account, 'view published activity entities'); return AccessResult::allowedIf(
$account->hasPermission('view published case entities') // activity permissions are inherited from case
case 'update': || CaseInvolvement::userIsInvolved_activity($account, $entity)
return AccessResult::allowedIfHasPermission($account, 'edit activity entities'); );
case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit cases
return AccessResult::allowedIf(
$account->hasPermission('edit case entities')
&& ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved_activity($account, $entity))
);
case 'delete': case 'delete':
return AccessResult::allowedIfHasPermission($account, 'delete activity entities'); return AccessResult::allowedIfHasPermission($account, 'delete activity entities');
} }

View File

@ -29,10 +29,10 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
$account->hasPermission('view published case entities') $account->hasPermission('view published case entities')
|| CaseInvolvement::userIsInvolved($account, $entity) || CaseInvolvement::userIsInvolved($account, $entity)
); );
case 'update': case 'update': // you can edit the case only if a) you can see it and b) you have the permission to edit cases.
return AccessResult::allowedIf( return AccessResult::allowedIf(
$account->hasPermission('edit published case entities') $account->hasPermission('edit case entities')
|| CaseInvolvement::userIsInvolved($account, $entity) && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
); );
case 'delete': case 'delete':
return AccessResult::allowedIfHasPermission($account, 'delete case entities'); return AccessResult::allowedIfHasPermission($account, 'delete case entities');