autonomic-cooperative/opencase
Archived
0
0
Fork 0
Code Issues 43 Pull Requests Releases Wiki Activity

changed activity access controller to allow users to view and edit ones they own

Browse Source
This commit is contained in:
naomi 2022-01-20 10:52:28 +00:00
parent 6069ac0901
commit f39f4a331d
1 changed files with 8 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
modules/opencase_entities/src/OCActivityAccessControlHandler.php
View File

@ -26,26 +26,17 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
}
return AccessResult::allowedIf(
$account->hasPermission('view published case entities') // activity permissions are inherited from case
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|| $entity->owner()->id() == $account->id();
);
case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit activities
if (!$account->hasPermission('edit activity entities')) {
return AccessResult::forbidden();
} else {
return AccessResult::allowedIf(
$account->hasPermission('view published case entities')
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
);
}
return AccessResult::allowedIf(
$account->hasPermission('edit activity entities') // activity permissions are inherited from case
|| $entity->owner()->id() == $account->id();
);
case 'delete': // allowed only if a) they can see the case the activity is on and b) they can delete activities
if (!$account->hasPermission('delete activity entities')) {
return AccessResult::forbidden();
} else {
return AccessResult::allowedIf(
$account->hasPermission('view published case entities')
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
);
}
return AccessResult::allowedIf(
$account->hasPermission('delete case entities')
);
}
// Unknown operation, no opinion.