<?php
namespace Drupal\nextcloud_webdav_client;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
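/**
 * Access controller for the NextCloud User Token entity.
 *
 * Ensures users can only access their own tokens. Administrators holding
 * 'administer nextcloud webdav' bypass the ownership check for every
 * operation. Creation and update are never granted through entity access
 * (the OAuth2 flow is expected to create and refresh tokens programmatically),
 * so both are forbidden here for every account, administrators included.
 */
class NextCloudUserTokenAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   *
   * Decision per operation for non-administrators:
   * - 'view': allowed when the account owns the token and has
   *   'use own nextcloud storage'.
   * - 'update': always forbidden.
   * - 'delete': allowed when the account owns the token and has
   *   'link nextcloud account'.
   * - anything else: neutral (no opinion).
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The token entity being accessed.
   * @param string $operation
   *   The entity operation, e.g. 'view', 'update' or 'delete'.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account requesting access.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result, carrying the cache contexts the decision depends on
   *   (permissions, and for ownership-based results also the user and the
   *   entity itself).
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    /** @var \Drupal\nextcloud_webdav_client\Entity\NextCloudUserToken $entity */
    // Administrators can do everything.
    if ($account->hasPermission('administer nextcloud webdav')) {
      return AccessResult::allowed()->cachePerPermissions();
    }

    // Compare IDs as integers. Depending on how the owner reference was loaded,
    // getOwnerId() may be a string while id() is an int, and a strict
    // comparison of the two would silently deny owners access to their own
    // token. A token without an owner matches nobody, so a NULL owner is never
    // equated with the anonymous user (uid 0) by the cast.
    $owner_id = $entity->getOwnerId();
    $is_owner = $owner_id !== NULL && (int) $owner_id === (int) $account->id();

    switch ($operation) {
      case 'view':
        // Owners may view their own tokens, but only if they also hold the
        // permission to use their own NextCloud storage.
        return AccessResult::allowedIf(
          $is_owner && $account->hasPermission('use own nextcloud storage')
        )
          ->cachePerPermissions()
          ->cachePerUser()
          ->addCacheableDependency($entity);

      case 'update':
        // Users cannot directly update token entities.
        // Updates should only happen through OAuth2 flows.
        return AccessResult::forbidden('Token entities cannot be updated directly.')
          ->cachePerPermissions();

      case 'delete':
        // Owners may delete (unlink) their own tokens, provided they hold the
        // permission to link a NextCloud account in the first place.
        return AccessResult::allowedIf(
          $is_owner && $account->hasPermission('link nextcloud account')
        )
          ->cachePerPermissions()
          ->cachePerUser()
          ->addCacheableDependency($entity);

      default:
        // No opinion on other operations; leave them to other handlers.
        return AccessResult::neutral()->cachePerPermissions();
    }
  }

  /**
   * {@inheritdoc}
   *
   * Creation is forbidden for every account, administrators included: token
   * entities are expected to be created programmatically by the OAuth2 flow,
   * never through entity access.
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account requesting create access.
   * @param array $context
   *   Entity creation context (unused).
   * @param string|null $entity_bundle
   *   The bundle being created (unused).
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   A forbidden result, cached per permissions.
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    // Users cannot directly create token entities.
    // Tokens should only be created through OAuth2 flows.
    return AccessResult::forbidden('Token entities cannot be created directly.')
      ->cachePerPermissions();
  }

}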
