competition-8.x-1.x-dev/src/CompetitionEntryAccessControlHandler.php

src/CompetitionEntryAccessControlHandler.php
<?php

namespace Drupal\competition;

use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Access\AccessResult;

/**
 * Access controller for the Competition entry entity.
 *
 * @see \Drupal\competition\Entity\CompetitionEntry.
 */
class CompetitionEntryAccessControlHandler extends EntityAccessControlHandler {

  /**
   * Performs create access checks.
   *
   * Generally, user can access entry creation form if they have
   * 'access content' perm or the administrative perm for the entry entity type.
   *
   * NOTE: additional "access checks" are performed in the controller callback
   * instead of here. These allow helpful redirections instead of 403s.
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user for which to check access.
   * @param array $context
   *   An array of key-value pairs to pass additional context when needed.
   * @param string|null $entity_bundle
   *   (optional) The bundle of the entity. Required if the entity supports
   *   bundles, defaults to NULL otherwise.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   *
   * @see \Drupal\competition\Controller\CompetitionEntryController::getForm()
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {

    // 2017-02-14, Tory:
    // This permission used to be the only access control applied to the
    // 'entity.competition_entry.add_form' route. Port it here.
    $result = AccessResult::allowedIfHasPermission($account, 'access content');

    if ($admin_permission = $this->entityType->getAdminPermission()) {
      $result->orIf(AccessResult::allowedIfHasPermission($account, $admin_permission));
    }

    return $result;

  }

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entry, $operation, AccountInterface $account) {
    $result = AccessResult::forbidden();
    // Get the competition the entry belongs to.
    $competition = \Drupal::entityTypeManager()
      ->getStorage($entry->getEntityType()->getBundleEntityType())
      ->load($entry->bundle());
    switch ($operation) {
      case 'update':
        // Get current competition's entry limit.
        $limits = $competition
          ->getEntryLimits();

        if ($account->hasPermission('administer competition entries')) {
          $result = AccessResult::allowed();
        }
        elseif ($entry->getOwnerId() == $account->id()) {
          if ($competition->getStatus() == CompetitionInterface::STATUS_OPEN) {
            if (!empty($limits->require_user) && !empty($limits->allow_partial_save)) {
              // User may update entry as long as it is not Finalized.
              // Note: technically, this is the correct place to disallow
              // access...but just throwing a 403 at user in this case is not
              // great; instead just allow passthrough here, and check
              // STATUS_FINALIZED in the form callback itself.
              // @see CompetitionEntryForm::buildForm()
              $result = AccessResult::allowed();
            }
            else {
              $result = AccessResult::allowed();
            }
          }
        }
        break;

      case 'delete':
        if ($account->hasPermission('administer competition entries')) {
          $result = AccessResult::allowed();
        }
        break;

      case 'view':
        $archived_cycles = $competition->getCyclesArchived();
        if ($account->hasPermission('administer competition entries')) {
          $result = AccessResult::allowed();
        }
        elseif ($entry->getOwnerId() == $account->id()) {
          $result = AccessResult::allowed();
        }
        elseif ($entry->getStatus() == CompetitionEntryInterface::STATUS_ARCHIVED && in_array($entry->getCycle(), $archived_cycles)) {
          $result = AccessResult::allowed();
        }
        break;
    }

    return $result;
  }

}

Главная | Обратная связь

drupal hosting | друпал хостинг | it patrol .inc