
function commerce_entity_access in Commerce Core 7

Generic access control for Drupal Commerce entities.

Parameters

$op: The operation being performed. One of 'view', 'update', 'create' or 'delete'.

$entity: Optionally an entity to check access for. If no entity is given, it will be determined whether access is allowed for all entities of the given type.

$account: The user to check for. Leave it NULL to check for the global user.

$entity_type: The entity type of the entity to check for.

See also

entity_access()

3 calls to commerce_entity_access()
commerce_customer_profile_access in modules/customer/commerce_customer.module
Checks customer profile access for various operations.
commerce_order_access in modules/order/commerce_order.module
Checks order access for various operations.
commerce_product_access in modules/product/commerce_product.module
Checks product access for various operations.
3 string references to 'commerce_entity_access'
commerce_customer_entity_info in modules/customer/commerce_customer.module
Implements hook_entity_info().
commerce_order_entity_info in modules/order/commerce_order.module
Implements hook_entity_info().
commerce_product_entity_info in modules/product/commerce_product.module
Implements hook_entity_info().

File

./commerce.module, line 984
Defines features and functions common to the Commerce modules.

Code

/**
 * Generic access control for Drupal Commerce entities.
 *
 * Shared access callback for the Commerce entity types. For operations other
 * than 'view' the decision order is: hook_commerce_entity_access() results,
 * then the 'administer' permission, then the operation-specific permissions;
 * anything not explicitly granted ends in FALSE.
 *
 * @param $op
 *   The operation being performed. One of 'view', 'update', 'create' or
 *   'delete'. Only 'view' and 'create' are matched explicitly below; any other
 *   value, including 'delete', is decided by the 'edit any' / 'edit own'
 *   permissions.
 * @param $entity
 *   Optionally an entity to check access for. If no entity is given, it will be
 *   determined whether access is allowed for all entities of the given type.
 * @param $account
 *   The user to check for. Leave it NULL to check for the global user.
 * @param $entity_type
 *   The entity type of the entity to check for. Its entity info supplies the
 *   base table, 'entity keys' and 'access arguments' read below.
 *
 * @return
 *   TRUE if access is granted, FALSE otherwise.
 *
 * @see entity_access()
 */
function commerce_entity_access($op, $entity, $account, $entity_type) {
  global $user;
  // A NULL $account means the currently logged-in user.
  $account = isset($account) ? $account : $user;
  $entity_info = entity_get_info($entity_type);
  if ($op == 'view') {
    if (isset($entity)) {

      // When trying to figure out access to an entity, query the base table using
      // our access control tag.
      // The row-level decision is delegated to the hook_query_TAG_alter()
      // implementations for the type's access tag, which receive $account and
      // $entity as query metadata. The query selects the constant 1 for this
      // entity's id, so the (bool) cast yields TRUE only if a row survives the
      // altered query.
      if (!empty($entity_info['access arguments']['access tag']) && module_implements('query_' . $entity_info['access arguments']['access tag'] . '_alter')) {
        $query = db_select($entity_info['base table']);
        $query
          ->addExpression('1');
        return (bool) $query
          ->addTag($entity_info['access arguments']['access tag'])
          ->addMetaData('account', $account)
          ->addMetaData('entity', $entity)
          ->condition($entity_info['entity keys']['id'], $entity->{$entity_info['entity keys']['id']})
          ->range(0, 1)
          ->execute()
          ->fetchField();
      }
      else {
        // No access tag, or no module implements its alter hook: view access to
        // the entity is granted unconditionally, without consulting any
        // permission of $account.
        return TRUE;
      }
    }
    else {
      // Type-wide view check: decided by the 'view any ... entity' permission.
      return user_access('view any ' . $entity_type . ' entity', $account);
    }
  }
  else {

    // First grant access to the entity for the specified operation if no other
    // module denies it and at least one other module says to grant access.
    // A single FALSE from any implementation is a veto and is checked before
    // any TRUE; a hook that returns neither TRUE nor FALSE leaves the decision
    // to the permission checks below.
    $access_results = module_invoke_all('commerce_entity_access', $op, $entity, $account, $entity_type);
    if (in_array(FALSE, $access_results, TRUE)) {
      return FALSE;
    }
    elseif (in_array(TRUE, $access_results, TRUE)) {
      return TRUE;
    }

    // Grant generic administrator level access.
    if (user_access('administer ' . $entity_type . ' entities', $account)) {
      return TRUE;
    }

    // Grant access based on entity type and bundle specific permissions with
    // special handling for the create operation since the entity passed in will
    // be initialized without ownership.
    if ($op == 'create') {

      // Assuming an entity was passed in and we know its bundle key, perform
      // the entity type and bundle-level access checks. Either the type-level
      // or the bundle-level 'create' permission suffices.
      if (isset($entity) && !empty($entity_info['entity keys']['bundle'])) {
        return user_access('create ' . $entity_type . ' entities', $account) || user_access('create ' . $entity_type . ' entities of bundle ' . $entity->{$entity_info['entity keys']['bundle']}, $account);
      }
      else {

        // Otherwise perform an entity type-level access check.
        return user_access('create ' . $entity_type . ' entities', $account);
      }
    }
    else {

      // Next perform checks for the edit and delete operations. Begin by
      // extracting the bundle name from the entity if available.
      // This branch also catches any $op other than 'view' and 'create'; the
      // permissions consulted are always the 'edit' ones, so 'delete' is
      // governed by the same permissions as 'update'.
      $bundle_name = '';
      if (isset($entity) && !empty($entity_info['entity keys']['bundle'])) {
        $bundle_name = $entity->{$entity_info['entity keys']['bundle']};
      }

      // For the edit and delete operations, first perform the entity type and
      // bundle-level access check for any entity.
      // With an empty $bundle_name the second permission string ends in
      // 'of bundle ' and presumably matches no declared permission, so only
      // the type-level check can grant in that case.
      if (user_access('edit any ' . $entity_type . ' entity', $account) || user_access('edit any ' . $entity_type . ' entity of bundle ' . $bundle_name, $account)) {
        return TRUE;
      }

      // Then check an authenticated user's access to edit his own entities.
      // Ownership requires all of: a non-zero uid (anonymous never qualifies),
      // a 'user key' declared in the type's access arguments, that property
      // being set on the entity, and a loose (==) match against $account->uid.
      if ($account->uid && !empty($entity_info['access arguments']['user key']) && isset($entity->{$entity_info['access arguments']['user key']}) && $entity->{$entity_info['access arguments']['user key']} == $account->uid) {
        if (user_access('edit own ' . $entity_type . ' entities', $account) || user_access('edit own ' . $entity_type . ' entities of bundle ' . $bundle_name, $account)) {
          return TRUE;
        }
      }
    }
  }
  // Nothing above granted access: deny by default.
  return FALSE;
}