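// NOTE(review): this excerpt begins inside the constructor body; the class
// declaration, its properties and the constructor signature are not shown.
    $this->entityTypeManager = $entity_type_manager;
    $this->workspaceManager = $workspace_manager;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    // Pull the two collaborators this class stores from the service container.
    return new static(
      $container->get('entity_type.manager'),
      $container->get('workspaces.manager')
    );
  }

  /**
   * Implements a hook bridge for hook_entity_access().
   *
   * The decision does not depend on $operation: every operation on a
   * workspace-supported entity gets the same result from
   * bypassAccessResult().
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The entity to check access for.
   * @param string $operation
   *   The operation being performed. Not consulted by this method.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   A neutral result for workspace entities and for entity types the
   *   workspace manager does not support; otherwise the result of the
   *   'bypass' permission check.
   *
   * @see hook_entity_access()
   */
  public function entityOperationAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Workspaces themselves are handled by their own access handler and we
    // should not try to do any access checks for entity types that can not
    // belong to a workspace.
    if ($entity->getEntityTypeId() === 'workspace' || !$this->workspaceManager->isEntityTypeSupported($entity->getEntityType())) {
      return AccessResult::neutral();
    }

    return $this->bypassAccessResult($account);
  }

  /**
   * Implements a hook bridge for hook_entity_create_access().
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   * @param array $context
   *   The context of the access check. Only the 'entity_type_id' key is read.
   * @param string $entity_bundle
   *   The bundle of the entity. Not consulted by this method.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   A neutral result for workspace entities and for entity types the
   *   workspace manager does not support; otherwise the result of the
   *   'bypass' permission check.
   *
   * @see hook_entity_create_access()
   */
  public function entityCreateAccess(AccountInterface $account, array $context, $entity_bundle) {
    // Workspaces themselves are handled by their own access handler and we
    // should not try to do any access checks for entity types that can not
    // belong to a workspace.
    // NOTE(review): assumes the hook always supplies 'entity_type_id' in
    // $context; confirm against the caller.
    $entity_type = $this->entityTypeManager->getDefinition($context['entity_type_id']);
    if ($entity_type->id() === 'workspace' || !$this->workspaceManager->isEntityTypeSupported($entity_type)) {
      return AccessResult::neutral();
    }

    return $this->bypassAccessResult($account);
  }

  /**
   * Checks the 'bypass' permissions.
   *
   * Access is allowed only when both conditions hold: the account owns the
   * currently active workspace, and the account has the
   * 'bypass entity access own workspace' permission. Nothing about the entity
   * being accessed is examined here.
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user account to check access for.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   The result of the access check, cached per user and carrying the active
   *   workspace as a cacheable dependency.
   */
  protected function bypassAccessResult(AccountInterface $account) {
    // This approach assumes that the current "global" active workspace is
    // correct, i.e. if you're "in" a given workspace then you get ALL THE PERMS
    // to ALL THE THINGS! That's why this is a dangerous permission.
    // NOTE(review): the active workspace is dereferenced without a check;
    // whether getActiveWorkspace() can return an empty value is not visible
    // here.
    $active_workspace = $this->workspaceManager->getActiveWorkspace();

    // Compare the IDs strictly after normalising them to integers. A loose
    // comparison treats NULL == 0 as TRUE, so a workspace without an owner
    // would count as owned by the anonymous account (ID 0).
    // NOTE(review): getOwnerId() returning NULL for an ownerless entity follows
    // EntityOwnerInterface; confirm it applies to workspace entities.
    $owner_id = $active_workspace->getOwnerId();
    $is_owner = $owner_id !== NULL && (int) $owner_id === (int) $account->id();

    // Ownership and the permission must both allow; either one alone is not
    // enough to grant the bypass.
    return AccessResult::allowedIf($is_owner)
      ->cachePerUser()
      ->addCacheableDependency($active_workspace)
      ->andIf(AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace'));
  }

}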