protected function OrderAccessControlHandler::checkAccess in Ubercart 8.4
Performs access checks.
This method is supposed to be overridden by extending classes that do their own custom access checking.
Parameters
\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.
string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.
\Drupal\Core\Session\AccountInterface $account: The user for which to check access.
Return value
\Drupal\Core\Access\AccessResultInterface The access result.
Overrides EntityAccessControlHandler::checkAccess
File
- uc_order/src/OrderAccessControlHandler.php, line 18
Class
- OrderAccessControlHandler
- Defines the access control handler for Ubercart orders.
Namespace
Drupal\uc_order
Code
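/**
 * Decides whether an account may perform an operation on an order.
 *
 * Handles the 'view', 'invoice', 'update' and 'delete' operations. Any other
 * operation receives a neutral result, so this handler never grants access
 * for an operation it does not explicitly know about.
 *
 * @param \Drupal\Core\Entity\EntityInterface $order
 *   The order for which to check access.
 * @param string $operation
 *   The entity operation being checked.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The user for which to check access.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result, with the cache contexts and dependencies set below.
 */
protected function checkAccess(EntityInterface $order, $operation, AccountInterface $account) {
  /** @var \Drupal\uc_order\OrderInterface $order */
  switch ($operation) {
    case 'view':
    case 'invoice':
      // Admins can view all orders.
      if ($account->hasPermission('view all orders')) {
        return AccessResult::allowed()->cachePerPermissions();
      }

      // Non-anonymous users can view their own orders
      // and invoices with permission.
      $permission = $operation == 'view' ? 'view own orders' : 'view own invoices';

      // The truthiness check on the account id comes first so that an
      // account with id 0 can never match an order whose owner id is also 0.
      // The id comparison is deliberately loose.
      // NOTE(review): presumably ids may arrive as strings or integers;
      // confirm before tightening to ===.
      $is_owner = $account->id() && $account->id() == $order->getOwnerId();
      if ($is_owner && $account->hasPermission($permission)) {
        return AccessResult::allowed()
          ->cachePerPermissions()
          ->cachePerUser()
          ->cacheUntilEntityChanges($order);
      }

      // Explicit denial (not a neutral result) for everyone else. The result
      // varies by user and by order, hence the per-user context and the
      // dependency on the order.
      return AccessResult::forbidden()
        ->cachePerPermissions()
        ->cachePerUser()
        ->cacheUntilEntityChanges($order);

    case 'update':
      return AccessResult::allowedIfHasPermission($account, 'edit orders')
        ->cachePerPermissions()
        ->cachePerUser();

    case 'delete':
      if ($account->hasPermission('unconditionally delete orders')) {
        // Unconditional deletion perms are always TRUE.
        return AccessResult::allowed()
          ->cachePerPermissions()
          ->cachePerUser();
      }

      if ($account->hasPermission('delete orders')) {
        // Only users with unconditional deletion perms
        // can delete completed orders.
        if ($order->getStateId() == 'completed') {
          return AccessResult::forbidden()
            ->cachePerPermissions()
            ->cachePerUser()
            ->cacheUntilEntityChanges($order);
        }

        // See if any modules have a say in this order's
        // eligibility for deletion. A single strict FALSE vetoes the
        // deletion; any other return value is ignored.
        // NOTE(review): the verdict is cached against the order only; a hook
        // whose answer depends on other state is not reflected in the
        // cacheability metadata here. Confirm that is acceptable.
        $module_handler = \Drupal::moduleHandler();
        foreach ($module_handler->getImplementations('uc_order_can_delete') as $module) {
          $function = $module . '_uc_order_can_delete';
          if ($function($order) === FALSE) {
            return AccessResult::forbidden()
              ->cachePerPermissions()
              ->cachePerUser()
              ->cacheUntilEntityChanges($order);
          }
        }

        return AccessResult::allowed()
          ->cachePerPermissions()
          ->cachePerUser()
          ->cacheUntilEntityChanges($order);
      }

      // Neither deletion permission is held.
      return AccessResult::forbidden()
        ->cachePerPermissions()
        ->cachePerUser()
        ->cacheUntilEntityChanges($order);

    default:
      // Operations this handler does not know about get no opinion. Without
      // this branch the method falls out of the switch and returns NULL
      // instead of an AccessResultInterface, breaking the documented return
      // contract for every operation not listed above.
      return AccessResult::neutral();
  }
}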