Chris@0: <?php
Chris@0: 
Chris@0: namespace Drupal\user\Access;
Chris@0: 
Chris@0: use Drupal\Core\Access\AccessResult;
Chris@0: use Drupal\Core\Routing\Access\AccessInterface;
Chris@0: use Drupal\Core\Session\AccountInterface;
Chris@0: use Symfony\Component\Routing\Route;
Chris@0: 
Chris@0: /**
Chris@0:  * Determines access to routes based on roles.
Chris@0:  *
Chris@0:  * You can specify the '_role' key on route requirements. If you specify a
Chris@0:  * single role, users with that role with have access. If you specify multiple
Chris@0:  * ones you can conjunct them with AND by using a "," and with OR by using "+".
Chris@0:  */
Chris@0: class RoleAccessCheck implements AccessInterface {
Chris@0: 
Chris@0:   /**
Chris@0:    * Checks access.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\Routing\Route $route
Chris@0:    *   The route to check against.
Chris@0:    * @param \Drupal\Core\Session\AccountInterface $account
Chris@0:    *   The currently logged in account.
Chris@0:    *
Chris@0:    * @return \Drupal\Core\Access\AccessResultInterface
Chris@0:    *   The access result.
Chris@0:    */
Chris@0:   public function access(Route $route, AccountInterface $account) {
Chris@0:     // Requirements just allow strings, so this might be a comma separated list.
Chris@0:     $rid_string = $route->getRequirement('_role');
Chris@0: 
Chris@0:     $explode_and = array_filter(array_map('trim', explode(',', $rid_string)));
Chris@0:     if (count($explode_and) > 1) {
Chris@0:       $diff = array_diff($explode_and, $account->getRoles());
Chris@0:       if (empty($diff)) {
Chris@0:         return AccessResult::allowed()->addCacheContexts(['user.roles']);
Chris@0:       }
Chris@0:     }
Chris@0:     else {
Chris@0:       $explode_or = array_filter(array_map('trim', explode('+', $rid_string)));
Chris@0:       $intersection = array_intersect($explode_or, $account->getRoles());
Chris@0:       if (!empty($intersection)) {
Chris@0:         return AccessResult::allowed()->addCacheContexts(['user.roles']);
Chris@0:       }
Chris@0:     }
Chris@0: 
Chris@0:     // If there is no allowed role, give other access checks a chance.
Chris@0:     return AccessResult::neutral()->addCacheContexts(['user.roles']);
Chris@0:   }
Chris@0: 
Chris@0: }