Chris@0
|
1 <?php
|
Chris@0
|
2
|
Chris@0
|
3 namespace Drupal\media;
|
Chris@0
|
4
|
Chris@0
|
5 use Drupal\Core\Access\AccessResult;
|
Chris@0
|
6 use Drupal\Core\Entity\EntityAccessControlHandler;
|
Chris@0
|
7 use Drupal\Core\Entity\EntityInterface;
|
Chris@0
|
8 use Drupal\Core\Session\AccountInterface;
|
Chris@0
|
9
|
Chris@0
|
10 /**
|
Chris@14
|
11 * Defines an access control handler for media items.
|
Chris@0
|
12 */
|
Chris@0
|
13 class MediaAccessControlHandler extends EntityAccessControlHandler {
|
Chris@0
|
14
|
Chris@0
|
15 /**
|
Chris@0
|
16 * {@inheritdoc}
|
Chris@0
|
17 */
|
Chris@0
|
18 protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
|
Chris@0
|
19 if ($account->hasPermission('administer media')) {
|
Chris@0
|
20 return AccessResult::allowed()->cachePerPermissions();
|
Chris@0
|
21 }
|
Chris@0
|
22
|
Chris@14
|
23 $type = $entity->bundle();
|
Chris@0
|
24 $is_owner = ($account->id() && $account->id() === $entity->getOwnerId());
|
Chris@0
|
25 switch ($operation) {
|
Chris@0
|
26 case 'view':
|
Chris@18
|
27 if ($entity->isPublished()) {
|
Chris@18
|
28 $access_result = AccessResult::allowedIf($account->hasPermission('view media'))
|
Chris@18
|
29 ->cachePerPermissions()
|
Chris@18
|
30 ->addCacheableDependency($entity);
|
Chris@18
|
31 if (!$access_result->isAllowed()) {
|
Chris@18
|
32 $access_result->setReason("The 'view media' permission is required when the media item is published.");
|
Chris@18
|
33 }
|
Chris@18
|
34 }
|
Chris@18
|
35 elseif ($account->hasPermission('view own unpublished media')) {
|
Chris@18
|
36 $access_result = AccessResult::allowedIf($is_owner)
|
Chris@18
|
37 ->cachePerPermissions()
|
Chris@18
|
38 ->cachePerUser()
|
Chris@18
|
39 ->addCacheableDependency($entity);
|
Chris@18
|
40 if (!$access_result->isAllowed()) {
|
Chris@18
|
41 $access_result->setReason("The user must be the owner and the 'view own unpublished media' permission is required when the media item is unpublished.");
|
Chris@18
|
42 }
|
Chris@18
|
43 }
|
Chris@18
|
44 else {
|
Chris@18
|
45 $access_result = AccessResult::neutral()
|
Chris@18
|
46 ->cachePerPermissions()
|
Chris@18
|
47 ->addCacheableDependency($entity)
|
Chris@18
|
48 ->setReason("The user must be the owner and the 'view own unpublished media' permission is required when the media item is unpublished.");
|
Chris@0
|
49 }
|
Chris@0
|
50 return $access_result;
|
Chris@0
|
51
|
Chris@0
|
52 case 'update':
|
Chris@14
|
53 if ($account->hasPermission('edit any ' . $type . ' media')) {
|
Chris@14
|
54 return AccessResult::allowed()->cachePerPermissions();
|
Chris@14
|
55 }
|
Chris@14
|
56 if ($account->hasPermission('edit own ' . $type . ' media') && $is_owner) {
|
Chris@14
|
57 return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity);
|
Chris@14
|
58 }
|
Chris@14
|
59 // @todo Deprecate this permission in
|
Chris@14
|
60 // https://www.drupal.org/project/drupal/issues/2925459.
|
Chris@0
|
61 if ($account->hasPermission('update any media')) {
|
Chris@0
|
62 return AccessResult::allowed()->cachePerPermissions();
|
Chris@0
|
63 }
|
Chris@14
|
64 if ($account->hasPermission('update media') && $is_owner) {
|
Chris@14
|
65 return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity);
|
Chris@14
|
66 }
|
Chris@17
|
67 return AccessResult::neutral("The following permissions are required: 'update any media' OR 'update own media' OR '$type: edit any media' OR '$type: edit own media'.")->cachePerPermissions();
|
Chris@0
|
68
|
Chris@0
|
69 case 'delete':
|
Chris@14
|
70 if ($account->hasPermission('delete any ' . $type . ' media')) {
|
Chris@14
|
71 return AccessResult::allowed()->cachePerPermissions();
|
Chris@14
|
72 }
|
Chris@14
|
73 if ($account->hasPermission('delete own ' . $type . ' media') && $is_owner) {
|
Chris@14
|
74 return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity);
|
Chris@14
|
75 }
|
Chris@14
|
76 // @todo Deprecate this permission in
|
Chris@14
|
77 // https://www.drupal.org/project/drupal/issues/2925459.
|
Chris@0
|
78 if ($account->hasPermission('delete any media')) {
|
Chris@0
|
79 return AccessResult::allowed()->cachePerPermissions();
|
Chris@0
|
80 }
|
Chris@14
|
81 if ($account->hasPermission('delete media') && $is_owner) {
|
Chris@14
|
82 return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity);
|
Chris@14
|
83 }
|
Chris@17
|
84 return AccessResult::neutral("The following permissions are required: 'delete any media' OR 'delete own media' OR '$type: delete any media' OR '$type: delete own media'.")->cachePerPermissions();
|
Chris@0
|
85
|
Chris@0
|
86 default:
|
Chris@0
|
87 return AccessResult::neutral()->cachePerPermissions();
|
Chris@0
|
88 }
|
Chris@0
|
89 }
|
Chris@0
|
90
|
Chris@0
|
91 /**
|
Chris@0
|
92 * {@inheritdoc}
|
Chris@0
|
93 */
|
Chris@0
|
94 protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
|
Chris@14
|
95 $permissions = [
|
Chris@14
|
96 'administer media',
|
Chris@14
|
97 'create media',
|
Chris@14
|
98 'create ' . $entity_bundle . ' media',
|
Chris@14
|
99 ];
|
Chris@14
|
100 return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR');
|
Chris@0
|
101 }
|
Chris@0
|
102
|
Chris@0
|
103 }
|