changed activity access controller to allow users to view and edit ones they own
This commit is contained in:
parent
6069ac0901
commit
f39f4a331d
@ -26,26 +26,17 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
|
||||
}
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('view published case entities') // activity permissions are inherited from case
|
||||
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|
||||
|| $entity->owner()->id() == $account->id();
|
||||
);
|
||||
case 'update': // allowed only if a) they can see the case the activity is on and b) they can edit activities
|
||||
if (!$account->hasPermission('edit activity entities')) {
|
||||
return AccessResult::forbidden();
|
||||
} else {
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('view published case entities')
|
||||
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|
||||
);
|
||||
}
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('edit activity entities') // activity permissions are inherited from case
|
||||
|| $entity->owner()->id() == $account->id();
|
||||
);
|
||||
case 'delete': // allowed only if a) they can see the case the activity is on and b) they can delete activities
|
||||
if (!$account->hasPermission('delete activity entities')) {
|
||||
return AccessResult::forbidden();
|
||||
} else {
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('view published case entities')
|
||||
|| CaseInvolvement::userIsInvolved_activity($account, $entity)
|
||||
);
|
||||
}
|
||||
return AccessResult::allowedIf(
|
||||
$account->hasPermission('delete case entities')
|
||||
);
|
||||
}
|
||||
|
||||
// Unknown operation, no opinion.
|
||||
|
Reference in New Issue
Block a user