
function commerce_payment_query_commerce_payment_transaction_access_alter in Commerce Core 7

Implements hook_query_TAG_alter().

Implements access control on payment transactions. This differs from other entities because access to a payment transaction is partially delegated to its order.

File

modules/payment/commerce_payment.module, line 1049
Defines the payment system and checkout integration.

Code

/**
 * Implements hook_query_TAG_alter().
 *
 * Applies access control to queries tagged
 * 'commerce_payment_transaction_access'. Queries that do not carry this tag
 * never reach this function and are therefore not filtered by it.
 *
 * Decision order:
 * - 'administer payments': the query is left unaltered.
 * - 'view payments': the query is joined to commerce_order (an existing
 *   commerce_order table in the query is reused) and access is then decided
 *   by commerce_entity_access_query_alter() on the order.
 * - neither permission: a '1 = 0' condition is added so no rows match.
 *
 * @param QueryAlterableInterface $query
 *   The query to alter. Its 'account' metadata, when set, names the account
 *   the check is performed for.
 */
function commerce_payment_query_commerce_payment_transaction_access_alter(QueryAlterableInterface $query) {
  // Resolve the account being checked. When the caller attached no 'account'
  // metadata the check silently falls back to the current global user, so
  // code querying on behalf of another account must set that metadata.
  $account = $query->getMetaData('account');
  if (!$account) {
    global $user;
    $account = $user;
  }

  // Payment administrators are not restricted at all.
  if (user_access('administer payments', $account)) {
    return;
  }

  // Fail closed: without 'view payments' the query must match nothing.
  if (!user_access('view payments', $account)) {
    $query->where('1 = 0');
    return;
  }

  // From here on, visibility of a transaction follows visibility of its order.
  $tables =& $query->getTables();

  // Reuse a commerce_order table that is already part of the query.
  $order_alias = NULL;
  foreach ($tables as $info) {
    if ($info['table'] === 'commerce_order') {
      $order_alias = $info['alias'];
      break;
    }
  }

  // Otherwise join commerce_order against the first table of the query.
  // NOTE(review): this assumes the first table exposes an order_id column
  // (presumably the payment transaction base table) - confirm for any query
  // that adds this tag.
  if (!isset($order_alias)) {
    reset($tables);
    $base_table = key($tables);
    $join_condition = '%alias.order_id = ' . $base_table . '.order_id';
    // Use the alias returned by innerJoin() rather than assuming 'co'.
    $order_alias = $query->innerJoin('commerce_order', 'co', $join_condition);
  }

  // Delegate the actual access conditions to the order entity.
  commerce_entity_access_query_alter($query, 'commerce_order', $order_alias);
}