You are here

public function GroupContentAccessControlHandler::relationAccess in Group 8

Checks access to an operation on the relation.

Parameters

\Drupal\group\Entity\GroupContentInterface $group_content: The group content for which to check access.

string $operation: The operation access should be checked for. Usually one of "view", "update" or "delete".

\Drupal\Core\Session\AccountInterface $account: The user session for which to check access.

bool $return_as_object: (optional) Defaults to FALSE.

Return value

bool|\Drupal\Core\Access\AccessResultInterface The access result. Returns a boolean if $return_as_object is FALSE (this is the default) and otherwise an AccessResultInterface object. When a boolean is returned, the result of AccessInterface::isAllowed() is returned, i.e. TRUE means access is explicitly allowed, FALSE means access is either explicitly forbidden or "no opinion".

Overrides GroupContentAccessControlHandlerInterface::relationAccess

File

src/Plugin/GroupContentAccessControlHandler.php, line 54

Class

GroupContentAccessControlHandler
Provides access control for GroupContent entities and grouped entities.

Namespace

Drupal\group\Plugin

Code

public function relationAccess(GroupContentInterface $group_content, $operation, AccountInterface $account, $return_as_object = FALSE) {
  $result = AccessResult::neutral();

  // Check if the account is the owner.
  $is_owner = $group_content
    ->getOwnerId() === $account
    ->id();

  // Add in the admin permission and filter out the unsupported permissions.
  $permissions = [
    $this->permissionProvider
      ->getAdminPermission(),
  ];
  $permissions[] = $this->permissionProvider
    ->getPermission($operation, 'relation', 'any');
  $own_permission = $this->permissionProvider
    ->getPermission($operation, 'relation', 'own');
  if ($is_owner) {
    $permissions[] = $own_permission;
  }
  $permissions = array_filter($permissions);

  // If we still have permissions left, check for access.
  if (!empty($permissions)) {
    $result = GroupAccessResult::allowedIfHasGroupPermissions($group_content
      ->getGroup(), $account, $permissions, 'OR');
  }

  // If there was an owner permission to check, the result needs to vary per
  // user. We also need to add the relation as a dependency because if its
  // owner changes, someone might suddenly gain or lose access.
  if ($own_permission) {

    // @todo Not necessary if admin, could boost performance here.
    $result
      ->cachePerUser()
      ->addCacheableDependency($group_content);
  }
  return $return_as_object ? $result : $result
    ->isAllowed();
}