You are here

protected function WorkspaceAccessControlHandler::checkAccess in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/workspaces/src/WorkspaceAccessControlHandler.php \Drupal\workspaces\WorkspaceAccessControlHandler::checkAccess()
  2. 9 core/modules/workspaces/src/WorkspaceAccessControlHandler.php \Drupal\workspaces\WorkspaceAccessControlHandler::checkAccess()

Performs access checks.

This method is supposed to be overwritten by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkAccess

File

core/modules/workspaces/src/WorkspaceAccessControlHandler.php, line 20

Class

WorkspaceAccessControlHandler
Defines the access control handler for the workspace entity type.

Namespace

Drupal\workspaces

Code

protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {

  /** @var \Drupal\workspaces\WorkspaceInterface $entity */
  if ($operation === 'publish' && $entity
    ->hasParent()) {
    $message = $this
      ->t('Only top-level workspaces can be published.');
    return AccessResult::forbidden((string) $message)
      ->addCacheableDependency($entity);
  }
  if ($account
    ->hasPermission('administer workspaces')) {
    return AccessResult::allowed()
      ->cachePerPermissions();
  }

  // @todo Consider adding explicit "publish any|own workspace" permissions in
  //   https://www.drupal.org/project/drupal/issues/3084260.
  $permission_operation = $operation === 'update' || $operation === 'publish' ? 'edit' : $operation;

  // Check if the user has permission to access all workspaces.
  $access_result = AccessResult::allowedIfHasPermission($account, $permission_operation . ' any workspace');

  // Check if it's their own workspace, and they have permission to access
  // their own workspace.
  if ($access_result
    ->isNeutral() && $account
    ->isAuthenticated() && $account
    ->id() === $entity
    ->getOwnerId()) {
    $access_result = AccessResult::allowedIfHasPermission($account, $permission_operation . ' own workspace')
      ->cachePerUser()
      ->addCacheableDependency($entity);
  }
  return $access_result;
}