protected function TeamInvitationAccessControlHandler::checkAccess in Apigee Edge 8

Performs access checks.

This method is supposed to be overridden by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandlerBase::checkAccess

File

modules/apigee_edge_teams/src/Entity/TeamInvitationAccessControlHandler.php, line 70

Class

TeamInvitationAccessControlHandler
Access controller handler for team_invitation.

Namespace

Drupal\apigee_edge_teams\Entity

Code

protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
  /** @var \Drupal\apigee_edge_teams\Entity\TeamInvitation $entity */
  $account = $this->prepareUser($account);

  // Check if team exists.
  if (!$entity->getTeam()) {
    return AccessResult::forbidden('Team does not exist.')
      ->addCacheableDependency($entity);
  }

  // Access is allowed if the user can accept invitation and the invitation
  // is pending.
  if ($entity->isPending() && $operation === 'accept') {
    return AccessResult::allowedIf($account->getEmail() == $entity->getRecipient())
      ->andIf(AccessResult::allowedIfHasPermissions($account, [
        'accept own team invitation',
        'accept any team invitation',
      ], 'OR'))
      ->addCacheableDependency($entity)
      ->cachePerUser();
  }

  // Access is allowed if the user can decline invitation and the invitation
  // is pending.
  if ($entity->isPending() && $operation === 'decline') {
    return AccessResult::allowedIf($account->getEmail() == $entity->getRecipient())
      ->andIf(AccessResult::allowedIfHasPermissions($account, [
        'decline own team invitation',
        'decline any team invitation',
      ], 'OR'))
      ->addCacheableDependency($entity)
      ->cachePerUser();
  }

  // Access allowed if user can administer team invitations for team or if
  // user has permissions to administer all team invitations.
  // Note: This is handled at team level permissions.
  if ($operation === 'delete' || $operation === "resend") {
    return AccessResult::allowedIf(in_array('team_manage_members', $this->teamPermissionHandler->getDeveloperPermissionsByTeam($entity->getTeam(), $account)))
      ->orIf(AccessResult::allowedIfHasPermissions($account, [
        'administer team',
        'manage team members',
      ], 'OR'))
      ->addCacheableDependency($entity)
      ->cachePerUser();
  }
  return parent::checkAccess($entity, $operation, $account);
}
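
The branches above combine tri-state results (allowed, neutral, forbidden), which is easy to misread when reviewing an access handler. The sketch below is an added example, not code from the Apigee Edge module: it models the allowedIf/andIf/orIf combination rules in plain PHP and runs the same branches over constructed cases. modelCheck() and its flattened arguments are hypothetical stand-ins for the entity, the account and the team permission handler.

```php
<?php
// Added example: tri-state model of the checks in checkAccess() above.
const ALLOWED = 'allowed', NEUTRAL = 'neutral', FORBIDDEN = 'forbidden';

// AccessResult::allowedIf(): a false condition is neutral, not forbidden.
function allowedIf(bool $cond): string { return $cond ? ALLOWED : NEUTRAL; }

// andIf(): forbidden wins, allowed needs both sides, anything else is neutral.
function andIf(string $a, string $b): string {
  if ($a === FORBIDDEN || $b === FORBIDDEN) return FORBIDDEN;
  return ($a === ALLOWED && $b === ALLOWED) ? ALLOWED : NEUTRAL;
}

// orIf(): forbidden wins, otherwise one allowed side is enough.
function orIf(string $a, string $b): string {
  if ($a === FORBIDDEN || $b === FORBIDDEN) return FORBIDDEN;
  return ($a === ALLOWED || $b === ALLOWED) ? ALLOWED : NEUTRAL;
}

// allowedIfHasPermissions(..., 'OR'): any one of the wanted permissions.
function hasAny(array $held, array $wanted): string {
  return allowedIf(count(array_intersect($held, $wanted)) > 0);
}

// Hypothetical flattened inputs; 'parent' stands for parent::checkAccess().
function modelCheck(string $op, bool $teamExists, bool $pending, string $mail,
                    string $recipient, array $sitePerms, array $teamPerms): string {
  if (!$teamExists) return FORBIDDEN;
  if ($pending && ($op === 'accept' || $op === 'decline')) {
    return andIf(allowedIf($mail == $recipient),
      hasAny($sitePerms, ["$op own team invitation", "$op any team invitation"]));
  }
  if ($op === 'delete' || $op === 'resend') {
    return orIf(allowedIf(in_array('team_manage_members', $teamPerms)),
      hasAny($sitePerms, ['administer team', 'manage team members']));
  }
  return 'parent';
}

// Constructed cases: recipient with "own" permission, non-recipient with "any"
// permission, team-level manager deleting, and an invitation whose team is gone.
$cases = [
  ['accept', true, true, 'a@example.com', 'a@example.com', ['accept own team invitation'], []],
  ['accept', true, true, 'b@example.com', 'a@example.com', ['accept any team invitation'], []],
  ['delete', true, true, 'm@example.com', 'a@example.com', [], ['team_manage_members']],
  ['decline', false, true, 'a@example.com', 'a@example.com', ['decline own team invitation'], []],
];
foreach ($cases as $c) {
  printf("%-8s %s\n", $c[0], modelCheck(...$c));
}
```

The second constructed case comes out neutral: as the handler is written, the recipient email match is required even for an account holding 'accept any team invitation', and a neutral result grants nothing unless another access check allows the operation.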