annotate core/modules/workspaces/src/EntityAccess.php @ 19:fa3358dc1485 tip

Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
parents 129ea1e6d783
children
rev   line source
Chris@17 1 <?php
Chris@17 2
Chris@17 3 namespace Drupal\workspaces;
Chris@17 4
Chris@17 5 use Drupal\Core\Access\AccessResult;
Chris@17 6 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
Chris@17 7 use Drupal\Core\Entity\EntityInterface;
Chris@17 8 use Drupal\Core\Entity\EntityTypeManagerInterface;
Chris@17 9 use Drupal\Core\Session\AccountInterface;
Chris@17 10 use Drupal\Core\StringTranslation\StringTranslationTrait;
Chris@17 11 use Symfony\Component\DependencyInjection\ContainerInterface;
Chris@17 12
Chris@17 13 /**
Chris@17 14 * Service wrapper for hooks relating to entity access control.
Chris@17 15 *
Chris@17 16 * @internal
Chris@17 17 */
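class EntityAccess implements ContainerInjectionInterface {

  use StringTranslationTrait;

  /**
   * The entity type manager service.
   *
   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
   */
  protected $entityTypeManager;

  /**
   * The workspace manager service.
   *
   * @var \Drupal\workspaces\WorkspaceManagerInterface
   */
  protected $workspaceManager;

  /**
   * Constructs a new EntityAccess instance.
   *
   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
   *   The entity type manager service.
   * @param \Drupal\workspaces\WorkspaceManagerInterface $workspace_manager
   *   The workspace manager service.
   */
  public function __construct(EntityTypeManagerInterface $entity_type_manager, WorkspaceManagerInterface $workspace_manager) {
    $this->entityTypeManager = $entity_type_manager;
    $this->workspaceManager = $workspace_manager;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    return new static(
      $container->get('entity_type.manager'),
      $container->get('workspaces.manager')
    );
  }

  /**
   * Implements a hook bridge for hook_entity_access().
   *
   * The decision does not depend on $operation or on the individual entity:
   * for every supported entity type the result comes from
   * bypassAccessResult(), so a grant here covers every operation alike.
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The entity to check access for.
   * @param string $operation
   *   The operation being performed. Not consulted by this check.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   Neutral for workspace entities and for entity types that workspaces do
   *   not support; otherwise the result of the 'bypass' permission check.
   *
   * @see hook_entity_access()
   */
  public function entityOperationAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Workspaces themselves are handled by their own access handler and we
    // should not try to do any access checks for entity types that can not
    // belong to a workspace.
    if ($entity->getEntityTypeId() === 'workspace' || !$this->workspaceManager->isEntityTypeSupported($entity->getEntityType())) {
      return AccessResult::neutral();
    }

    return $this->bypassAccessResult($account);
  }

  /**
   * Implements a hook bridge for hook_entity_create_access().
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   * @param array $context
   *   The context of the access check. The 'entity_type_id' key is read to
   *   look up the entity type definition.
   * @param string $entity_bundle
   *   The bundle of the entity. Not consulted by this check.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   Neutral for the workspace entity type and for entity types that
   *   workspaces do not support; otherwise the result of the 'bypass'
   *   permission check.
   *
   * @see hook_entity_create_access()
   */
  public function entityCreateAccess(AccountInterface $account, array $context, $entity_bundle) {
    // Workspaces themselves are handled by their own access handler and we
    // should not try to do any access checks for entity types that can not
    // belong to a workspace.
    $entity_type = $this->entityTypeManager->getDefinition($context['entity_type_id']);
    if ($entity_type->id() === 'workspace' || !$this->workspaceManager->isEntityTypeSupported($entity_type)) {
      return AccessResult::neutral();
    }

    return $this->bypassAccessResult($account);
  }

  /**
   * Checks the 'bypass' permissions.
   *
   * Access is allowed only when both conditions hold: the account owns the
   * currently active workspace, and the account has the
   * 'bypass entity access own workspace' permission.
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   The result of the access check.
   */
  protected function bypassAccessResult(AccountInterface $account) {
    // This approach assumes that the current "global" active workspace is
    // correct, i.e. if you're "in" a given workspace then you get ALL THE PERMS
    // to ALL THE THINGS! That's why this is a dangerous permission.
    $active_workspace = $this->workspaceManager->getActiveWorkspace();

    // Compare the IDs as strings rather than with a loose "==". IDs may come
    // back as integers or numeric strings, so a plain "===" would be too
    // strict, but "==" also treats a missing owner (NULL) as equal to user ID
    // 0, which would make an ownerless workspace look owned by that account.
    // NOTE(review): whether getOwnerId() can return NULL here is not visible
    // in this file; the guard costs nothing if it cannot.
    $owner_id = $active_workspace->getOwnerId();
    $account_id = $account->id();
    $is_owner = $owner_id !== NULL
      && $account_id !== NULL
      && (string) $owner_id === (string) $account_id;

    // The ownership result varies per user and depends on the active
    // workspace entity, so both are recorded as cacheability metadata.
    // NOTE(review): the outcome also depends on WHICH workspace is active;
    // confirm that a cache context varying by active workspace is applied
    // wherever this result is cached.
    return AccessResult::allowedIf($is_owner)->cachePerUser()->addCacheableDependency($active_workspace)
      ->andIf(AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace'));
  }

}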