public function TeamMemberApiProductAccessHandler::access in Apigee Edge 8

Checks access to an operation on a given API product.

Parameters

\Drupal\apigee_edge\Entity\ApiProductInterface $api_product: The API Product entity for which to check access.

string $operation: The operation access should be checked for. Usually one of "view", "view label", "update", "delete" or "assign".

\Drupal\apigee_edge_teams\Entity\TeamInterface $team: The team for which to check access.

\Drupal\Core\Session\AccountInterface|null $account: (optional) The user for which to check access, default is the current user.

bool $return_as_object: (optional) Defaults to FALSE.

Return value

bool|\Drupal\Core\Access\AccessResultInterface The access result. Returns a boolean if $return_as_object is FALSE (this is the default) and otherwise an AccessResultInterface object. When a boolean is returned, the result of AccessInterface::isAllowed() is returned, i.e. TRUE means access is explicitly allowed, FALSE means access is either explicitly forbidden or "no opinion".

Overrides TeamMemberApiProductAccessHandlerInterface::access

File

modules/apigee_edge_teams/src/TeamMemberApiProductAccessHandler.php, line 95

Class

TeamMemberApiProductAccessHandler
Default team member API product access handler implementation.

Namespace

Drupal\apigee_edge_teams

Code

public function access(ApiProductInterface $api_product, string $operation, TeamInterface $team, AccountInterface $account = NULL, bool $return_as_object = FALSE) {
  if ($account === NULL) {
    $account = $this->currentUser;
  }
  if (($return = $this->getCache($api_product, $operation, $team, $account)) !== NULL) {
    // Cache hit, no work necessary.
    return $return_as_object ? $return : $return->isAllowed();
  }
  if ($account->isAnonymous()) {
    $return = AccessResult::forbidden('Anonymous user can not be member of a team.');
  }
  else {
    try {
      $developer_team_ids = $this->teamMembershipManager->getTeams($account->getEmail());
    }
    catch (\Exception $e) {
      // Fail closed: if the memberships cannot be loaded, the user is treated
      // as a member of no team. The resulting forbidden result is also passed
      // to setCache() below.
      $developer_team_ids = [];
    }
    if (in_array($team->id(), $developer_team_ids)) {
      // We grant access to the entity if both of these conditions are met:
      // - No modules say to deny access.
      // - At least one module says to grant access.
      $access = $this->moduleHandler->invokeAll('apigee_edge_teams_team_api_product_access', [
        $api_product,
        $operation,
        $team,
        $account,
      ]);
      $return = $this->processAccessHookResults($access);

      // Also execute the default access check except when the access result
      // is already forbidden, as in that case, it can not be anything else.
      if (!$return->isForbidden()) {
        $return = $return->orIf($this->checkAccess($api_product, $operation, $team, $account));
      }
    }
    else {
      $return = AccessResultForbidden::forbidden("{$account->getEmail()} is not member of {$team->id()} team.");
    }
  }
  $this->setCache($return, $api_product, $operation, $team, $account);
  return $return_as_object ? $return : $return->isAllowed();
}
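
The hook invoked above lets another module vote on the decision. The following is an added example, not code from the Apigee Edge module: a hook implementation that restricts the "assign" operation without widening access for anyone. The module name `mymodule`, the product IDs and the permission name are assumptions made for illustration.

```php
<?php

/**
 * @file
 * Hypothetical custom module "mymodule" (added example, not Apigee Edge code).
 */

use Drupal\apigee_edge\Entity\ApiProductInterface;
use Drupal\apigee_edge_teams\Entity\TeamInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_apigee_edge_teams_team_api_product_access().
 *
 * Receives the four arguments that access() passes to invokeAll(). It only
 * runs for authenticated members of $team: anonymous users and non-members
 * are forbidden before any hook is invoked.
 */
function mymodule_apigee_edge_teams_team_api_product_access(ApiProductInterface $api_product, string $operation, TeamInterface $team, AccountInterface $account) {
  // Constructed sample data: product IDs that need an extra permission.
  $restricted_products = ['payments-v1', 'internal-admin'];

  // No stake in this decision. Neutral is not a grant: access() still needs
  // an "allowed" from another hook or from the default checkAccess().
  if ($operation !== 'assign' || !in_array($api_product->id(), $restricted_products, TRUE)) {
    return AccessResult::neutral();
  }

  // Hypothetical permission name defined by this example module.
  if ($account->hasPermission('assign restricted api products to teams')) {
    // Deliberately neutral rather than allowed(): an "allowed" vote would be
    // enough to grant access even if the default check has no opinion.
    return AccessResult::neutral()->cachePerPermissions();
  }

  // A single forbidden vote wins; access() then skips the default check.
  return AccessResult::forbidden("Assigning {$api_product->id()} requires an additional permission.")
    ->cachePerPermissions();
}
```

Callers that need to tell this forbidden vote apart from "no opinion" must pass $return_as_object = TRUE, since the boolean form returns FALSE for both.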