protected function OrderQueryAccessHandler::buildEntityConditions in Commerce Core 8.2
Builds the conditions for entities that do not have an owner.
Parameters
string $operation: The access operation. Usually one of "view", "update", "duplicate", or "delete".
\Drupal\Core\Session\AccountInterface $account: The user for which to restrict access.
Return value
\Drupal\entity\QueryAccess\ConditionGroup|null The conditions, or NULL if the user doesn't have access to any entity.
Overrides QueryAccessHandlerBase::buildEntityConditions
File
- modules/
order/ src/ OrderQueryAccessHandler.php, line 20
Class
- OrderQueryAccessHandler
- Controls query access based on the Order entity permissions.
Namespace
Drupal\commerce_orderCode
protected function buildEntityConditions($operation, AccountInterface $account) {
// Orders don't implement EntityOwnerInterface, but they do have a
// "view own" permission.
if ($operation == 'view') {
$conditions = new ConditionGroup('OR');
$conditions
->addCacheContexts([
'user.permissions',
]);
// The $entity_type permission.
if ($account
->hasPermission('view commerce_order')) {
// The user has full access, no conditions needed.
return $conditions;
}
// Own $entity_type permission.
if ($account
->hasPermission('view own commerce_order')) {
$conditions
->addCacheContexts([
'user',
]);
$conditions
->addCondition('uid', $account
->id());
}
$bundles = array_keys($this->bundleInfo
->getBundleInfo('commerce_order'));
$bundles_with_any_permission = [];
foreach ($bundles as $bundle) {
if ($account
->hasPermission("view {$bundle} commerce_order")) {
$bundles_with_any_permission[] = $bundle;
}
}
// The $bundle permission.
if ($bundles_with_any_permission) {
$conditions
->addCondition('type', $bundles_with_any_permission);
}
return $conditions
->count() ? $conditions : NULL;
}
return parent::buildEntityConditions($operation, $account);
}