diff --git a/modules/opencase_entities/src/OCActivityAccessControlHandler.php b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
index 69c29cf..486093a 100644
--- a/modules/opencase_entities/src/OCActivityAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
@@ -26,26 +26,17 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
 }
 return AccessResult::allowedIf(
 $account->hasPermission('view published case entities') // activity permissions are inherited from case
- || CaseInvolvement::userIsInvolved_activity($account, $entity)
+ || $entity->owner()->id() == $account->id();
 );
 case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit activities
- if (!$account->hasPermission('edit activity entities')) {
- return AccessResult::forbidden();
- } else {
- return AccessResult::allowedIf(
- $account->hasPermission('view published case entities')
- || CaseInvolvement::userIsInvolved_activity($account, $entity)
- );
- }
+ return AccessResult::allowedIf(
+ $account->hasPermission('edit activity entities') // activity permissions are inherited from case
+ || $entity->owner()->id() == $account->id();
+ );
 case 'delete': // allowed only if a) they can see the case the activity is on and b) they can delete activities
- if (!$account->hasPermission('delete activity entities')) {
- return AccessResult::forbidden();
- } else {
- return AccessResult::allowedIf(
- $account->hasPermission('view published case entities')
- || CaseInvolvement::userIsInvolved_activity($account, $entity)
- );
- }
+ return AccessResult::allowedIf(
+ $account->hasPermission('delete case entities')
+ );
 }
 
 // Unknown operation, no opinion.
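Review bot: In the `view` and `update` branches the `allowedIf(` argument ends with `|| $entity->owner()->id() == $account->id();`, and a `;` inside an argument list is a PHP parse error, so the access handler will not load until the semicolon is dropped in both places. Separately, `update` now allows on `'edit activity entities'` OR ownership, while the retained comment (and the removed code) required the edit permission AND visibility of the case, so a holder of the edit permission can modify activities on cases they cannot see and an owner can edit without the permission; `delete` now checks only `'delete case entities'`, a different permission from the removed `'delete activity entities'`, with no per-case condition. If the wider rule is intended, rewrite the two `// allowed only if a) … and b) …` comments to state it; if not, keep the permission as a precondition, e.g. `$account->hasPermission('edit activity entities') && ($account->hasPermission('view published case entities') || $entity->owner()->id() == $account->id())`. Because the decision now depends on the current user and the entity's owner, the returned result should probably also carry `->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity)` so a cached decision is not reused for another account. The `switch` and its enclosing method begin and end outside this hunk, so the unpublished-entity path and the default return were not reviewed.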