1 <?php
3 namespace Drupal\workspaces;
5 use Drupal\Core\Access\AccessResult;
6 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
7 use Drupal\Core\Entity\EntityInterface;
8 use Drupal\Core\Entity\EntityTypeManagerInterface;
9 use Drupal\Core\Session\AccountInterface;
10 use Drupal\Core\StringTranslation\StringTranslationTrait;
11 use Symfony\Component\DependencyInjection\ContainerInterface;
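/**
 * Service wrapper for hooks relating to entity access control.
 *
 * Both hook bridges return a neutral result for workspace entities and for
 * entity types that the workspace manager reports as unsupported. Every other
 * entity type is decided by bypassAccessResult(), which requires the account
 * to own the active workspace and to hold the
 * 'bypass entity access own workspace' permission.
 *
 * @internal
 */
class EntityAccess implements ContainerInjectionInterface {

  use StringTranslationTrait;

  /**
   * The entity type manager service.
   *
   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
   */
  protected $entityTypeManager;

  /**
   * The workspace manager service.
   *
   * @var \Drupal\workspaces\WorkspaceManagerInterface
   */
  protected $workspaceManager;

  /**
   * Constructs a new EntityAccess instance.
   *
   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
   *   The entity type manager service.
   * @param \Drupal\workspaces\WorkspaceManagerInterface $workspace_manager
   *   The workspace manager service.
   */
  public function __construct(EntityTypeManagerInterface $entity_type_manager, WorkspaceManagerInterface $workspace_manager) {
    $this->entityTypeManager = $entity_type_manager;
    $this->workspaceManager = $workspace_manager;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    return new static(
      $container->get('entity_type.manager'),
      $container->get('workspaces.manager')
    );
  }

  /**
   * Implements a hook bridge for hook_entity_access().
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The entity to check access for.
   * @param string $operation
   *   The operation being performed. It is not inspected here: the same
   *   result is returned for every operation.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   Neutral for workspace entities and unsupported entity types, otherwise
   *   the result of bypassAccessResult().
   *
   * @see hook_entity_access()
   */
  public function entityOperationAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Workspaces themselves are handled by their own access handler and we
    // should not try to do any access checks for entity types that can not
    // belong to a workspace.
    if ($entity->getEntityTypeId() === 'workspace' || !$this->workspaceManager->isEntityTypeSupported($entity->getEntityType())) {
      return AccessResult::neutral();
    }

    return $this->bypassAccessResult($account);
  }

  /**
   * Implements a hook bridge for hook_entity_create_access().
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   * @param array $context
   *   The context of the access check. Only the 'entity_type_id' key is read.
   * @param string $entity_bundle
   *   The bundle of the entity. It is not inspected here.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   Neutral for workspace entities and unsupported entity types, otherwise
   *   the result of bypassAccessResult().
   *
   * @see hook_entity_create_access()
   */
  public function entityCreateAccess(AccountInterface $account, array $context, $entity_bundle) {
    // Workspaces themselves are handled by their own access handler and we
    // should not try to do any access checks for entity types that can not
    // belong to a workspace.
    $entity_type = $this->entityTypeManager->getDefinition($context['entity_type_id']);
    if ($entity_type->id() === 'workspace' || !$this->workspaceManager->isEntityTypeSupported($entity_type)) {
      return AccessResult::neutral();
    }

    return $this->bypassAccessResult($account);
  }

  /**
   * Checks the 'bypass' permissions.
   *
   * Access is granted only when the account owns the active workspace and
   * also has the 'bypass entity access own workspace' permission. The result
   * is cached per user and depends on the active workspace.
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   The result of the access check.
   */
  protected function bypassAccessResult(AccountInterface $account) {
    // This approach assumes that the current "global" active workspace is
    // correct, i.e. if you're "in" a given workspace then you get ALL THE PERMS
    // to ALL THE THINGS! That's why this is a dangerous permission.
    // NOTE(review): assumes getActiveWorkspace() always returns a workspace
    // object here; confirm against the workspace manager.
    $active_workspace = $this->workspaceManager->getActiveWorkspace();

    // The ownership test gates a bypass of entity access, so it must fail
    // closed. A loose == lets PHP type juggling decide the match: NULL == 0 is
    // TRUE, so a workspace without an owner would match an account whose id()
    // is integer 0. Require an owner to be set and compare the IDs as strings,
    // which still treats 1 and '1' as the same ID.
    $owner_id = $active_workspace->getOwnerId();
    $is_owner = $owner_id !== NULL && (string) $owner_id === (string) $account->id();

    return AccessResult::allowedIf($is_owner)->cachePerUser()->addCacheableDependency($active_workspace)
      ->andIf(AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace'));
  }

}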