
protected function ReplicationAccessControlHandler::checkCreateAccess in Deploy - Content Staging 8

Performs create access checks.

This method is supposed to be overridden by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

array $context: An array of key-value pairs to pass additional context when needed.

string|null $entity_bundle: (optional) The bundle of the entity. Required if the entity supports bundles, defaults to NULL otherwise.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkCreateAccess

File

src/ReplicationAccessControlHandler.php, line 82

Class

ReplicationAccessControlHandler
ReplicationAccessControlHandler class.

Namespace

Drupal\deploy

Code

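/**
 * Performs create access checks for replication entities.
 *
 * The checks run in this order and the first one that matches decides:
 * - no upstream pointer on the active workspace: forbidden;
 * - the 'workspace.last_replication_failed' state value is truthy: forbidden;
 * - a replication with the same source and target is queued or replicating:
 *   forbidden, and a warning message is added for the current user;
 * - the account has 'deploy to any workspace': allowed;
 * - the account owns the upstream workspace and has 'deploy to own
 *   workspace': allowed;
 * - the account lacks 'Deploy to <upstream pointer label>': forbidden;
 * - otherwise the parent handler's result is returned unchanged.
 *
 * NOTE(review): none of the results built here carry cacheability metadata
 * (for example per-permission or per-user contexts), although the outcome
 * depends on permissions, the workspace owner, a state value and queued
 * replications. Confirm that callers do not cache the result across those
 * changes.
 *
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The user for which to check access.
 * @param array $context
 *   An array of key-value pairs to pass additional context when needed.
 * @param string|null $entity_bundle
 *   (optional) The bundle of the entity. Required if the entity supports
 *   bundles, defaults to NULL otherwise.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result.
 */
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
  // Computed up front; only returned when no rule below decides first.
  $access = parent::checkCreateAccess($account, $context, $entity_bundle);
  $active_workspace = $this->workspaceManager->getActiveWorkspace();
  $upstream_workspace_pointer = $active_workspace->upstream->entity;

  // When no upstream workspace pointer is set the access is forbidden.
  if (!$upstream_workspace_pointer) {
    return AccessResult::forbidden('No target is set for the active workspace.');
  }

  // This state value blocks creation for every account: it is evaluated
  // before any permission check, so no permission bypasses it.
  if (\Drupal::state()->get('workspace.last_replication_failed', FALSE)) {
    return AccessResult::forbidden('Replication is blocked.');
  }

  // Look for a replication between the same source and target that has not
  // finished yet. Like the state check, this applies to every account.
  $replication_in_queue = $this->entityTypeManager
    ->getStorage('replication')
    ->getQuery()
    ->condition('source', WorkspacePointer::loadFromWorkspace($active_workspace)->id())
    ->condition('target', $upstream_workspace_pointer->id())
    ->condition('replication_status', [
      Replication::QUEUED,
      Replication::REPLICATING,
    ], 'IN')
    ->execute();
  if (!empty($replication_in_queue)) {
    // NOTE(review): this adds a user-facing message from inside an access
    // check, so it is emitted whenever the check runs and reaches this
    // branch, not only when a deployment is submitted - confirm intended.
    $this
      ->messenger()
      ->addWarning(t('Users are only allowed to create one push and one pull deployment between the same source and target workspace. New deployments are only allowed after the currently queued deployment finish.'));
    return AccessResult::forbidden('Replication queued or in progress.');
  }

  // Past the blocking checks above, the 'deploy to any workspace' permission
  // allows the user to create replication entities and perform deployments
  // regardless of the target.
  if ($account->hasPermission('deploy to any workspace')) {
    return AccessResult::allowed();
  }

  // Load just the ID and workspace separately to allow for remote workspace
  // pointers which won't have the workspace_pointer field set. In that case
  // the ID is NULL, so skip the load instead of passing NULL to the storage;
  // the owner check below then simply does not apply.
  $upstream_workspace_id = $upstream_workspace_pointer->workspace_pointer->target_id;
  $upstream_workspace = $upstream_workspace_id !== NULL ? Workspace::load($upstream_workspace_id) : NULL;

  // When the upstream workspace is set, the owner matches the account, and
  // the user has the correct permission then allow access. The comparison is
  // left loose as in the original; presumably the two IDs can differ in type
  // (string vs. int) - verify before tightening it.
  if ($upstream_workspace
    && $upstream_workspace->getOwnerId() == $account->id()
    && $account->hasPermission('deploy to own workspace')) {
    return AccessResult::allowed();
  }

  // When the user doesn't have permissions to deploy to the upstream the
  // access is forbidden.
  // NOTE(review): the permission name is built from the pointer's label, not
  // its ID. If labels can be edited or are not unique, a grant could end up
  // applying to a different target - confirm against the code that defines
  // these permissions.
  if (!$account->hasPermission('Deploy to ' . $upstream_workspace_pointer->label())) {
    return AccessResult::forbidden('You do not have permission to deploy to the target.');
  }

  // Holding the per-target permission does not grant access by itself: the
  // decision falls back to whatever the parent handler returned.
  return $access;
}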