function commerce_entity_access in Commerce Core 7
Generic access control for Drupal Commerce entities.
Parameters
$op: The operation being performed. One of 'view', 'update', 'create' or 'delete'.
$entity: Optionally an entity to check access for. If no entity is given, it will be determined whether access is allowed for all entities of the given type.
$account: The user to check access for. Leave it NULL to check the global user.
$entity_type: The entity type of the entity to check for.
See also
3 calls to commerce_entity_access()
- commerce_customer_profile_access in modules/customer/commerce_customer.module - Checks customer profile access for various operations.
- commerce_order_access in modules/order/commerce_order.module - Checks order access for various operations.
- commerce_product_access in modules/product/commerce_product.module - Checks product access for various operations.
3 string references to 'commerce_entity_access'
- commerce_customer_entity_info in modules/customer/commerce_customer.module - Implements hook_entity_info().
- commerce_order_entity_info in modules/order/commerce_order.module - Implements hook_entity_info().
- commerce_product_entity_info in modules/product/commerce_product.module - Implements hook_entity_info().
File
- ./commerce.module, line 984 - Defines features and functions common to the Commerce modules.
Code
/**
 * Generic access control for Drupal Commerce entities.
 *
 * Decision order for every operation other than 'view':
 *   1. hook_commerce_entity_access() votes: any explicit FALSE denies,
 *      otherwise any explicit TRUE grants;
 *   2. the 'administer TYPE entities' permission;
 *   3. operation-specific permissions ('create ...' for 'create'; the
 *      'edit any ...' / 'edit own ...' permissions for everything else,
 *      including 'delete').
 * For 'view' with a specific entity the decision is delegated to the query
 * alter hooks registered for the entity type's access tag; when no module
 * implements such a hook, viewing is allowed.
 *
 * @param $op
 *   The operation being performed: 'view', 'update', 'create' or 'delete'.
 * @param $entity
 *   Optionally an entity to check access for. When NULL, access is checked
 *   for all entities of the given type.
 * @param $account
 *   The user to check for, or NULL to check the global user.
 * @param $entity_type
 *   The entity type of the entity to check for.
 *
 * @return
 *   TRUE if access is granted, FALSE otherwise.
 */
function commerce_entity_access($op, $entity, $account, $entity_type) {
  global $user;

  if (!isset($account)) {
    $account = $user;
  }

  $info = entity_get_info($entity_type);
  $keys = $info['entity keys'];
  $access_args = isset($info['access arguments']) ? $info['access arguments'] : array();

  if ($op == 'view') {
    // Without a concrete entity only the type-level permission can decide.
    if (!isset($entity)) {
      return user_access('view any ' . $entity_type . ' entity', $account);
    }

    // Per-entity view access is answered by the access tag's query alter
    // hooks; if nothing alters the tagged query, the entity is viewable.
    if (empty($access_args['access tag']) || !module_implements('query_' . $access_args['access tag'] . '_alter')) {
      return TRUE;
    }

    $id_key = $keys['id'];
    $query = db_select($info['base table']);
    $query->addExpression('1');
    $query->addTag($access_args['access tag']);
    $query->addMetaData('account', $account);
    $query->addMetaData('entity', $entity);
    $query->condition($id_key, $entity->$id_key);
    $query->range(0, 1);

    // A row survives the alter hooks only if the account may view it.
    return (bool) $query->execute()->fetchField();
  }

  // Let other modules vote first: a single denial wins over any grant.
  $votes = module_invoke_all('commerce_entity_access', $op, $entity, $account, $entity_type);
  if (in_array(FALSE, $votes, TRUE)) {
    return FALSE;
  }
  if (in_array(TRUE, $votes, TRUE)) {
    return TRUE;
  }

  // Generic administrator-level access for the entity type.
  if (user_access('administer ' . $entity_type . ' entities', $account)) {
    return TRUE;
  }

  // Bundle-level permissions are only consulted when an entity was passed in
  // and the entity type declares a bundle key.
  $has_bundle = isset($entity) && !empty($keys['bundle']);
  $bundle = $has_bundle ? $entity->{$keys['bundle']} : '';

  if ($op == 'create') {
    // A freshly initialized entity carries no ownership yet, so only the
    // type-level and bundle-level create permissions apply.
    if (user_access('create ' . $entity_type . ' entities', $account)) {
      return TRUE;
    }
    return $has_bundle && user_access('create ' . $entity_type . ' entities of bundle ' . $bundle, $account);
  }

  // Every remaining operation ('update', 'delete', or anything else) is
  // governed by the edit permissions, type-level first, then bundle-level.
  if (user_access('edit any ' . $entity_type . ' entity', $account)
    || user_access('edit any ' . $entity_type . ' entity of bundle ' . $bundle, $account)) {
    return TRUE;
  }

  // Ownership-based access: anonymous users (uid 0) never own entities, and
  // the entity type must declare which property holds the owner.
  if (!$account->uid || empty($access_args['user key'])) {
    return FALSE;
  }
  $user_key = $access_args['user key'];
  // NOTE(review): the owner comparison is deliberately loose (==), as in the
  // original, because the entity's owner id may arrive as a numeric string
  // from the database while $account->uid is an integer — confirm before
  // tightening to ===.
  if (!isset($entity->$user_key) || $entity->$user_key != $account->uid) {
    return FALSE;
  }

  return user_access('edit own ' . $entity_type . ' entities', $account)
    || user_access('edit own ' . $entity_type . ' entities of bundle ' . $bundle, $account);
}