
function apigee_edge_api_product_access in Apigee Edge 8

Implements hook_ENTITY_TYPE_access().

Supported operations: view, view label, assign.

"assign" is a custom operation on API Products. It is used on app create/edit forms. A developer may have view access to an API product but still be unable to assign it to an app (that is, they cannot obtain an API key for that API product).

Rules:

  • The user is always allowed if they have the "Bypass API Product access control" permission.
  • If the operation is "view" or "view label", access to the API Product (entity) is allowed if one of the user's roles is configured for the product's access attribute value (its visibility), OR if the user has a developer app associated with the API product.
  • If the operation is "assign", access is forbidden unless one of the user's roles is configured for the product's visibility in the "Access by visibility" settings at the route apigee_edge.settings.developer.api_product_access. An existing developer app association does not grant "assign".
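The decision table described by these rules, as an added illustration that is not code from the apigee_edge module: the Drupal services the hook relies on (\Drupal::config(), AccessResult, the _apigee_edge_user_has_an_app_with_product() helper) are replaced by plain arguments so the rules can be exercised on their own. The visibility values and role names in VISIBLE_TO_ROLES are assumptions, as is treating "no app found" as a neutral result, since the helper itself is not shown on this page.

```php
<?php
// Added model of apigee_edge_api_product_access(), not the module's own code.

// Stand-in for the 'access' map in apigee_edge.api_product_settings:
// visibility value => roles allowed to see/assign products with that value.
// The 'partner' role and the visibility values are hypothetical.
const VISIBLE_TO_ROLES = [
  'public'   => ['authenticated'],
  'private'  => ['partner'],
  'internal' => [],
];

/**
 * Mirrors the hook's outcome as a string: 'allowed', 'forbidden' or 'neutral'.
 *
 * @param string $operation
 *   The entity operation being checked.
 * @param string|null $product_visibility
 *   Value of the product's 'access' attribute, NULL if the attribute is absent.
 * @param string[] $user_roles
 *   Role IDs of the account.
 * @param bool $has_bypass_permission
 *   Whether the account holds 'bypass api product access control'.
 * @param bool $has_app_with_product
 *   Whether the account already has a developer app using this product.
 */
function model_api_product_access(string $operation, ?string $product_visibility, array $user_roles, bool $has_bypass_permission, bool $has_app_with_product): string {
  if (!in_array($operation, ['view', 'view label', 'assign'], TRUE)) {
    return 'neutral';
  }
  if ($has_bypass_permission) {
    return 'allowed';
  }
  // A missing 'access' attribute is treated as 'public'.
  $visibility = $product_visibility ?? 'public';
  $visible_to_roles = VISIBLE_TO_ROLES[$visibility] ?? [];
  if (array_intersect($visible_to_roles, $user_roles)) {
    return 'allowed';
  }
  if ($operation === 'assign') {
    // Role not configured for this visibility: assigning is forbidden outright.
    return 'forbidden';
  }
  // view / view label: an existing app association still grants access.
  // Assumption: the helper yields a neutral result when no app is found.
  return $has_app_with_product ? 'allowed' : 'neutral';
}

// Constructed cases covering each branch of the rules.
$cases = [
  ['view',   'private',  ['authenticated'], FALSE, FALSE],  // neutral
  ['view',   'private',  ['authenticated'], FALSE, TRUE],   // allowed via app
  ['assign', 'private',  ['authenticated'], FALSE, TRUE],   // forbidden, app does not help
  ['assign', 'private',  ['partner'],       FALSE, FALSE],  // allowed, role configured
  ['assign', NULL,       ['authenticated'], FALSE, FALSE],  // allowed, no attribute = public
  ['delete', 'public',   ['authenticated'], FALSE, FALSE],  // neutral, unsupported op
  ['assign', 'internal', ['partner'],       TRUE,  FALSE],  // allowed via bypass permission
];
foreach ($cases as [$op, $vis, $roles, $bypass, $app]) {
  printf("%-10s %-9s %-15s app=%d bypass=%d => %s\n",
    $op, $vis ?? '(none)', implode(',', $roles), $app, $bypass,
    model_api_product_access($op, $vis, $roles, $bypass, $app));
}
```

The two 'private' rows make the point of the doc comment: an existing app association rescues "view" but never "assign". A form that lists assignable products must therefore call $api_product->access('assign', $account) rather than checking "view", or it will offer products the developer cannot actually obtain a key for.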

File

./apigee_edge.module, line 490
Copyright 2018 Google Inc.

Code

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

function apigee_edge_api_product_access(EntityInterface $entity, $operation, AccountInterface $account) {
  /** @var \Drupal\apigee_edge\Entity\ApiProductInterface $entity */
  if (!in_array($operation, ['view', 'view label', 'assign'])) {
    return AccessResult::neutral(sprintf('%s is not supported by %s.', $operation, __FUNCTION__));
  }
  $config_name = 'apigee_edge.api_product_settings';
  $result = AccessResult::allowedIfHasPermission($account, 'bypass api product access control');
  if ($result->isNeutral()) {
    // The attribute may not exist; in that case the product is public.
    $product_visibility = $entity->getAttributeValue('access') ?? 'public';
    $visible_to_roles = \Drupal::config($config_name)->get('access')[$product_visibility] ?? [];

    // A user may not have access to this API product based on the current
    // access setting, but we should still grant view access if they have a
    // developer app associated with this API product.
    if (empty(array_intersect($visible_to_roles, $account->getRoles()))) {
      if ($operation === 'assign') {
        // If the apigee_edge.settings.developer.api_product_access settings
        // limit access to this API product, do not allow the user to assign it
        // to an application.
        $result = AccessResult::forbidden("User {$account->getEmail()} does not have permissions to see API Product with visibility {$product_visibility}.");
      }
      else {
        $result = _apigee_edge_user_has_an_app_with_product($entity->id(), $account, TRUE);
      }
    }
    else {
      $result = AccessResult::allowed();
    }
  }

  // Updating the API product should not affect this access control, so
  // $entity is deliberately not added as a cache dependency of the result.
  return $result
    ->cachePerUser()
    ->addCacheTags(['config:' . $config_name]);
}