Authenticated user can see cases they are a provider for.

changed activity access controller to allow users to view and edit ones they own
changed CaseInvolvement to reference case provisions
2022-01-20 14:48:53 +00:00 · 2022-01-20 10:52:28 +00:00 · 2022-01-20 10:52:04 +00:00
6 changed files with 13 additions and 36 deletions
--- a/css/opencase.css
+++ b/css/opencase.css
@ -147,14 +147,6 @@ td.views-field {
  font-weight: bold !important;
 }

-/* Styling for grouped views */
-table.views-table.views-view-table caption {
-  text-align: left;
-  margin-bottom: 1em;
-  margin-top: 2em;
-  font-weight: bold;
-}
-
 /* remove "details" accordion, see https://drupal.stackexchange.com/questions/294312/why-has-this-details-accordion-appeared-in-this-view */
 .views-table details {
    display: none;
--- a/modules/opencase_cases/opencase_cases.permissions.yml
+++ b/modules/opencase_cases/opencase_cases.permissions.yml
@ -59,7 +59,3 @@ revert all case fee revisions:
 delete all case fee revisions:
  title: 'Delete all revisions'
  description: 'Role requires permission to <em>view Case Fee revisions</em> and <em>delete rights</em> for case fee entities in question or <em>administer case fee entities</em>.'
-
-permission_callbacks:
-  - \Drupal\opencase_cases\OCCaseFeePermissions::generatePermissions
-  - \Drupal\opencase_cases\OCCaseProvisionPermissions::generatePermissions
--- a/modules/opencase_cases/src/CaseInvolvement.php
+++ b/modules/opencase_cases/src/CaseInvolvement.php
@ -10,8 +10,11 @@ class CaseInvolvement {

  public static function userIsInvolved($account, $case) {
    $actorId = self::getLinkedActorId($account);        
-    $involvedIds = array_column($case->actors_involved->getValue(), 'target_id');
-    return in_array($actorId, $involvedIds);
+    $query = \Drupal::entityQuery('oc_case_provision')
+    ->condition('oc_provider', $actorId)
+    ->condition('oc_case', $case->id());
+    $results = $query->execute();
+    return !empty($results);
  }

  public static function userIsInvolved_activity($account, $activity) {
--- a/modules/opencase_cases/src/OCCaseAccessControlHandler.php
+++ b/modules/opencase_cases/src/OCCaseAccessControlHandler.php
@ -32,7 +32,6 @@ class OCCaseAccessControlHandler extends EntityAccessControlHandler {
      case 'update':   // you can edit the case only if a) you can see it and b) you have the permission to edit cases.
        return AccessResult::allowedIf(
            $account->hasPermission('edit case entities')
-            && ($account->hasPermission('view published case entities') || CaseInvolvement::userIsInvolved($account, $entity))
        );
      case 'delete':   // you can delete the case only if a) you can see it and b) you have the permission to delete cases.
        return AccessResult::allowedIf(
--- a/modules/opencase_entities/opencase_entities.permissions.yml
+++ b/modules/opencase_entities/opencase_entities.permissions.yml
@ -1,8 +1,4 @@

-permission_callbacks:
-  - \Drupal\opencase_entities\OCOrganisationPermissions::generatePermissions
-  - \Drupal\opencase_entities\OCEventPermissions::generatePermissions
-  - Drupal\opencase_entities\OpenCaseEntityPermissions::permissions

 view edit delete all actor entities:
  title: 'View/Edit/Delete all types of people'
--- a/modules/opencase_entities/src/OCActivityAccessControlHandler.php
+++ b/modules/opencase_entities/src/OCActivityAccessControlHandler.php
@ -26,26 +26,17 @@ class OCActivityAccessControlHandler extends EntityAccessControlHandler {
        }
        return AccessResult::allowedIf(
            $account->hasPermission('view published case entities')  // activity permissions are inherited from case
-            || CaseInvolvement::userIsInvolved_activity($account, $entity)
+            || $entity->getOwner()->id() == $account->id()
        );
      case 'update':  // allowed only if a) they can see the case the activity is on and b) they can edit activities
-        if (!$account->hasPermission('edit activity entities')) {
-            return AccessResult::forbidden();
-        } else {
-            return AccessResult::allowedIf(
-              $account->hasPermission('view published case entities') 
-              || CaseInvolvement::userIsInvolved_activity($account, $entity)
-            );
-        }
+        return AccessResult::allowedIf(
+            $account->hasPermission('edit activity entities')  // activity permissions are inherited from case
+            || $entity->getOwner()->id() == $account->id()
+        );
      case 'delete':  // allowed only if a) they can see the case the activity is on and b) they can delete activities
-        if (!$account->hasPermission('delete activity entities')) {
-            return AccessResult::forbidden();
-        } else {
-            return AccessResult::allowedIf(
-              $account->hasPermission('view published case entities') 
-              || CaseInvolvement::userIsInvolved_activity($account, $entity)
-            );
-        }
+        return AccessResult::allowedIf(
+          $account->hasPermission('delete case entities') 
+        );
    }

    // Unknown operation, no opinion.
Author	SHA1	Message	Date
naomi	7c3b007ff9	Authenticated user can see cases they are a provider for.	2022-01-20 14:48:53 +00:00
naomi	f39f4a331d	changed activity access controller to allow users to view and edit ones they own	2022-01-20 10:52:28 +00:00
naomi	6069ac0901	changed CaseInvolvement to reference case provisions	2022-01-20 10:52:04 +00:00