You are here

Home » API reference » Commerce Core 8.2 » OrderAccessControlHandler.php » OrderAccessControlHandler

protected function OrderAccessControlHandler::checkAccess in Commerce Core 8.2

Performs access checks.

This method is supposed to be overwritten by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandlerBase::checkAccess

File

modules/order/src/OrderAccessControlHandler.php, line 18

Class

OrderAccessControlHandler
Controls access based on the Order entity permissions.

Namespace

Drupal\commerce_order

Code

protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {

  /** @var \Drupal\commerce_order\Entity\OrderInterface $entity */
  $account = $this
    ->prepareUser($account);

  // Unlocking an order requires the same permissions as 'update', with an
  // additional check to ensure that the order is actually locked.
  $additional_operation = '';
  if ($operation == 'unlock') {
    $operation = 'update';
    $additional_operation = 'unlock';
  }
  elseif ($operation == 'resend_receipt') {
    if ($entity
      ->getState()
      ->getId() == 'draft') {
      return AccessResult::forbidden()
        ->addCacheableDependency($entity);
    }
    $operation = 'view';
    $additional_operation = 'resend_receipt';
  }

  /** @var \Drupal\Core\Access\AccessResult $result */
  $result = parent::checkAccess($entity, $operation, $account);

  /** @var \Drupal\commerce_order\Entity\OrderInterface $entity */
  if ($result
    ->isNeutral() && $operation == 'view') {
    if ($account
      ->isAuthenticated() && $account
      ->id() == $entity
      ->getCustomerId() && empty($additional_operation)) {
      $result = AccessResult::allowedIfHasPermissions($account, [
        'view own commerce_order',
      ]);
      $result = $result
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }
  }
  elseif (in_array($operation, [
    'update',
    'delete',
  ])) {
    $lock_check = $additional_operation == 'unlock' ? $entity
      ->isLocked() : !$entity
      ->isLocked();
    $result = AccessResult::allowedIf($lock_check)
      ->andIf($result);
    $result = $result
      ->addCacheableDependency($entity);
  }
  return $result;
}