
protected function OrderAccessControlHandler::checkAccess in Ubercart 8.4

Performs access checks.

This method is supposed to be overridden by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkAccess

File

uc_order/src/OrderAccessControlHandler.php, line 18

Class

OrderAccessControlHandler
Defines the access control handler for Ubercart orders.

Namespace

Drupal\uc_order

Code

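/**
 * {@inheritdoc}
 *
 * Decides 'view', 'invoice', 'update' and 'delete' access for an order:
 * - 'view' / 'invoice': allowed with 'view all orders', or for the order's
 *   owner with the matching 'view own ...' permission; forbidden otherwise.
 * - 'update': allowed with 'edit orders'.
 * - 'delete': allowed with 'unconditionally delete orders'; with
 *   'delete orders' only for non-completed orders that no
 *   hook_uc_order_can_delete() implementation vetoes; forbidden otherwise.
 * - any other operation: neutral (no opinion), which is what the parent
 *   handler returns for operations it does not know about.
 *
 * Every result that depends on the order carries it as a cache dependency.
 */
protected function checkAccess(EntityInterface $order, $operation, AccountInterface $account) {

  /** @var \Drupal\uc_order\OrderInterface $order */
  switch ($operation) {
    case 'view':
    case 'invoice':
      // Admins can view all orders.
      if ($account->hasPermission('view all orders')) {
        return AccessResult::allowed()
          ->cachePerPermissions();
      }

      // Non-anonymous users can view their own orders and invoices with
      // permission. The id() truthiness check excludes the anonymous user
      // (uid 0), so an ownerless order cannot match it; ids are compared as
      // integers because id() and getOwnerId() may come back as strings.
      $permission = $operation === 'view' ? 'view own orders' : 'view own invoices';
      $is_owner = $account->id() && (int) $account->id() === (int) $order->getOwnerId();
      if ($is_owner && $account->hasPermission($permission)) {
        return AccessResult::allowed()
          ->cachePerPermissions()
          ->cachePerUser()
          ->cacheUntilEntityChanges($order);
      }
      return AccessResult::forbidden()
        ->cachePerPermissions()
        ->cachePerUser()
        ->cacheUntilEntityChanges($order);

    case 'update':
      // Editing does not depend on the order itself, only on the account.
      return AccessResult::allowedIfHasPermission($account, 'edit orders')
        ->cachePerPermissions()
        ->cachePerUser();

    case 'delete':
      // Unconditional deletion perms are always TRUE.
      if ($account->hasPermission('unconditionally delete orders')) {
        return AccessResult::allowed()
          ->cachePerPermissions()
          ->cachePerUser();
      }

      if ($account->hasPermission('delete orders')) {
        // Only users with unconditional deletion perms can delete
        // completed orders.
        if ($order->getStateId() === 'completed') {
          return AccessResult::forbidden()
            ->cachePerPermissions()
            ->cachePerUser()
            ->cacheUntilEntityChanges($order);
        }

        // See if any modules have a say in this order's eligibility for
        // deletion: a single hook implementation returning FALSE vetoes it.
        $module_handler = \Drupal::moduleHandler();
        foreach ($module_handler->getImplementations('uc_order_can_delete') as $module) {
          $function = $module . '_uc_order_can_delete';
          if ($function($order) === FALSE) {
            return AccessResult::forbidden()
              ->cachePerPermissions()
              ->cachePerUser()
              ->cacheUntilEntityChanges($order);
          }
        }
        return AccessResult::allowed()
          ->cachePerPermissions()
          ->cachePerUser()
          ->cacheUntilEntityChanges($order);
      }

      return AccessResult::forbidden()
        ->cachePerPermissions()
        ->cachePerUser()
        ->cacheUntilEntityChanges($order);

    default:
      // Operations this handler does not know about (e.g. 'view label') get
      // no opinion, matching the parent handler. Without this branch the
      // method would fall off the end of the switch and return NULL, which
      // is not a valid AccessResultInterface and breaks the caller.
      return AccessResult::neutral();
  }
}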