You are here

Home » API reference » Apigee Edge 8 » TeamAppAccessHandler.php

final class TeamAppAccessHandler in Apigee Edge 8

Access handler for Team App entities.

Hierarchy

Expanded class hierarchy of TeamAppAccessHandler

File

modules/apigee_edge_teams/src/Entity/TeamAppAccessHandler.php, line 38

Namespace

Drupal\apigee_edge_teams\Entity
View source 
final class TeamAppAccessHandler extends EntityAccessControlHandler implements EntityHandlerInterface {

  /**
   * The entity type manager.
   *
   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
   */
  private $entityTypeManager;

  /**
   * The current route match.
   *
   * @var \Drupal\Core\Routing\RouteMatchInterface
   */
  private $routeMatch;

  /**
   * The team permissions handler.
   *
   * @var \Drupal\apigee_edge_teams\TeamPermissionHandlerInterface
   */
  private $teamPermissionHandler;

  /**
   * TeamAppAccessHandler constructor.
   *
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type.
   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
   *   The entity type manager.
   * @param \Drupal\apigee_edge_teams\TeamPermissionHandlerInterface $team_permission_handler
   *   The team permissions handler.
   * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
   *   The current route match.
   */
  public function __construct(EntityTypeInterface $entity_type, EntityTypeManagerInterface $entity_type_manager, TeamPermissionHandlerInterface $team_permission_handler, RouteMatchInterface $route_match) {
    parent::__construct($entity_type);
    $this->entityTypeManager = $entity_type_manager;
    $this->routeMatch = $route_match;
    $this->teamPermissionHandler = $team_permission_handler;
  }

  /**
   * {@inheritdoc}
   */
  public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
    return new static($entity_type, $container
      ->get('entity_type.manager'), $container
      ->get('apigee_edge_teams.team_permissions'), $container
      ->get('current_route_match'));
  }

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {

    /** @var \Drupal\apigee_edge_teams\Entity\TeamAppInterface $entity */
    $result = parent::checkAccess($entity, $operation, $account);
    if ($result
      ->isNeutral()) {
      $result = $this
        ->checkAccessByPermissions($account);
      if ($result
        ->isNeutral()) {

        /** @var \Drupal\apigee_edge_teams\Entity\TeamInterface $team */
        $team = $this->entityTypeManager
          ->getStorage('team')
          ->load($entity
          ->getCompanyName());
        if ($team) {

          // The developer is not member of the team.
          // @see hook_apigee_edge_teams_developer_permissions_by_team_alter()
          $result = $this
            ->checkAccessByTeamMemberPermissions($team, $operation, $account);
          $this
            ->processAccessResult($result, $account);
        }
        else {

          // Probably this could never happen...
          $result = AccessResult::neutral("The team ({$entity->getCompanyName()}) that the team app ({$entity->getAppId()}) belongs does not exist.");
        }
      }
    }
    return $result;
  }

  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    $result = parent::checkCreateAccess($account, $context, $entity_bundle);
    if ($result
      ->isNeutral()) {

      // Applies to "add-form" link template of Team App entity.
      $result = $this
        ->checkAccessByPermissions($account);
      if ($result
        ->isNeutral()) {

        // Applies to "add-form-for-team" link template of Team App entity.
        $team = $this->routeMatch
          ->getParameter('team');
        if ($team) {
          $result = $this
            ->checkAccessByTeamMemberPermissions($team, 'create', $account);
        }
        else {
          $result = AccessResult::neutral("Team parameter has not been found in {$this->routeMatch->getRouteObject()->getPath()} path.");
        }
      }
    }
    return $result;
  }

  /**
   * Performs access check based on a user's site-wide permissions.
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user for which to check access.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   */
  private function checkAccessByPermissions(AccountInterface $account) : AccessResultInterface {
    $permissions = [
      TeamAppPermissionProvider::MANAGE_TEAM_APPS_PERMISSION,
    ];
    if ($this->entityType
      ->getAdminPermission()) {
      $permissions[] = $this->entityType
        ->getAdminPermission();
    }
    return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR');
  }

  /**
   * Performs access check based on a user's team-level permissions.
   *
   * @param \Drupal\apigee_edge_teams\Entity\TeamInterface $team
   *   The team that owns the app.
   * @param string $operation
   *   The entity operation on a team app: view, create, delete, update
   *   analytics, add_api_key, delete_api_key or revoke_api_key.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user for which to check access.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   */
  private function checkAccessByTeamMemberPermissions(TeamInterface $team, string $operation, AccountInterface $account) : AccessResultInterface {
    $covered_operations = [
      'view',
      'create',
      'delete',
      'update',
      'analytics',
      'add_api_key',
      'delete_api_key',
      'revoke_api_key',
    ];
    if (!in_array($operation, $covered_operations)) {
      return AccessResult::neutral("Team membership based access check does not support {$operation} operation on team apps.");
    }
    if ($account
      ->isAnonymous()) {
      $result = AccessResult::forbidden('Anonymous user can not be member of a team.');
    }
    else {
      $result = AccessResult::allowedIf(in_array("team_app_{$operation}", $this->teamPermissionHandler
        ->getDeveloperPermissionsByTeam($team, $account)));

      // Ensure that access is re-evaluated when the team entity changes.
      $result
        ->addCacheableDependency($team);
    }
    return $result;
  }

  /**
   * Processes access result before it gets returned.
   *
   * Adds necessary cache tags to the access result object.
   *
   * @param \Drupal\Core\Access\AccessResultInterface $result
   *   The access result to be altered if needed.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The user for which to access check has happened.
   */
  private function processAccessResult(AccessResultInterface $result, AccountInterface $account) {

    // Ensure that access is re-evaluated when developer entity changes.
    if ($account
      ->isAuthenticated() && $result instanceof AccessResult) {
      $developer = $this->entityTypeManager
        ->getStorage('developer')
        ->load($account
        ->getEmail());
      if ($developer) {
        $result
          ->addCacheableDependency($developer);
      }
    }
  }

}

Members

Namesort descending Modifiers Type Description Overrides
DependencySerializationTrait::$_entityStorages protected property An array of entity type IDs keyed by the property name of their storages.
DependencySerializationTrait::$_serviceIds protected property An array of service IDs keyed by property name used for serialization.
DependencySerializationTrait::__sleep public function 1
DependencySerializationTrait::__wakeup public function 2
EntityAccessControlHandler::$accessCache protected property Stores calculated access check results.
EntityAccessControlHandler::$entityType protected property Information about the entity type.
EntityAccessControlHandler::$entityTypeId protected property The entity type ID of the access control handler instance.
EntityAccessControlHandler::$viewLabelOperation protected property Allows to grant access to just the labels. 5
EntityAccessControlHandler::access public function Checks access to an operation on a given entity or entity translation. Overrides EntityAccessControlHandlerInterface::access 1
EntityAccessControlHandler::checkFieldAccess protected function Default field access as determined by this access control handler. 4
EntityAccessControlHandler::createAccess public function Checks access to create an entity. Overrides EntityAccessControlHandlerInterface::createAccess 1
EntityAccessControlHandler::fieldAccess public function Checks access to an operation on a given entity field. Overrides EntityAccessControlHandlerInterface::fieldAccess
EntityAccessControlHandler::getCache protected function Tries to retrieve a previously cached access value from the static cache.
EntityAccessControlHandler::prepareUser protected function Loads the current account object, if it does not exist yet.
EntityAccessControlHandler::processAccessHookResults protected function We grant access to the entity if both of these conditions are met:
EntityAccessControlHandler::resetCache public function Clears all cached access checks. Overrides EntityAccessControlHandlerInterface::resetCache
EntityAccessControlHandler::setCache protected function Statically caches whether the given user has access.
EntityHandlerBase::$moduleHandler protected property The module handler to invoke hooks on. 2
EntityHandlerBase::moduleHandler protected function Gets the module handler. 2
EntityHandlerBase::setModuleHandler public function Sets the module handler for this handler.
StringTranslationTrait::$stringTranslation protected property The string translation service. 1
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.
TeamAppAccessHandler::$entityTypeManager private property The entity type manager.
TeamAppAccessHandler::$routeMatch private property The current route match.
TeamAppAccessHandler::$teamPermissionHandler private property The team permissions handler.
TeamAppAccessHandler::checkAccess protected function Performs access checks. Overrides EntityAccessControlHandler::checkAccess
TeamAppAccessHandler::checkAccessByPermissions private function Performs access check based on a user's site-wide permissions.
TeamAppAccessHandler::checkAccessByTeamMemberPermissions private function Performs access check based on a user's team-level permissions.
TeamAppAccessHandler::checkCreateAccess protected function Performs create access checks. Overrides EntityAccessControlHandler::checkCreateAccess
TeamAppAccessHandler::createInstance public static function Instantiates a new instance of this entity handler. Overrides EntityHandlerInterface::createInstance
TeamAppAccessHandler::processAccessResult private function Processes access result before it gets returned.
TeamAppAccessHandler::__construct public function TeamAppAccessHandler constructor. Overrides EntityAccessControlHandler::__construct