function webform_query_webform_submission_access_alter in Webform 6.x
Same name and namespace in other branches
- 8.5 includes/webform.query.inc \webform_query_webform_submission_access_alter()
Implements hook_query_TAG_alter().
This hook implementation adds webform submission access checks for the account stored in the 'account' meta-data (or current user if not provided), for an operation stored in the 'op' meta-data (or 'view' if not provided).
File
- includes/
webform.query.inc, line 64 - Webform module query hooks.
Code
function webform_query_webform_submission_access_alter(AlterableInterface $query) {
/** @var \Drupal\Core\Database\Query\SelectInterface $query */
$op = $query
->getMetaData('op') ?: 'view';
$account = $query
->getMetaData('account') ?: \Drupal::currentUser();
$entity_type = \Drupal::entityTypeManager()
->getDefinition('webform_submission');
// Get webform submission tables which are used to build the alter query.
$webform_submission_tables = [];
foreach ($query
->getTables() as $table) {
if (is_string($table['table']) && $table['table'] === $entity_type
->getBaseTable()) {
$webform_submission_tables[] = [
'alias' => $table['alias'],
'condition' => $query
->orConditionGroup(),
];
}
}
// If there are no webform submission tables then nothing needs to be altered.
if (empty($webform_submission_tables)) {
return;
}
// If the user has administer access then exit.
if ($account
->hasPermission('administer webform submission') || $account
->hasPermission('administer webform')) {
return;
}
// Apply operation specific any and own permissions.
if (in_array($op, [
'view',
'edit',
'delete',
])) {
$permission_any = "{$op} any webform submission";
$permission_own = "{$op} own webform submission";
// If the user has any permission the query does not have to be altered.
if ($account
->hasPermission($permission_any)) {
return;
}
// If the user has own permission, then add the account id to all
// webform submission tables conditions.
if ($account
->hasPermission($permission_own)) {
foreach ($webform_submission_tables as $table) {
$table['condition']
->condition($table['alias'] . '.uid', $account
->id());
}
}
}
// Alter query based on update access to all webforms.
/** @var \Drupal\webform\WebformInterface[] $webforms */
if ($account
->isAuthenticated()) {
// Get cached list of webforms that the user can update so that we don't
// have to continually load every webform.
$cached = \Drupal::cache()
->get('webform_submission_access__account_update__' . $account
->id());
if ($cached) {
$webform_account_access_update = $cached->data;
}
else {
$webform_account_access_update = [];
/** @var \Drupal\webform\WebformInterface[] $webforms */
$webforms = Webform::loadMultiple();
foreach ($webforms as $webform) {
if ($webform
->access('update', $account)) {
$webform_account_access_update[] = $webform
->id();
}
}
\Drupal::cache()
->set('webform_submission_access__account_update__' . $account
->id(), $webform_account_access_update, Cache::PERMANENT, [
'config:webform_list',
'user:' . $account
->id(),
]);
}
foreach ($webform_account_access_update as $webform_id) {
foreach ($webform_submission_tables as $table) {
$table['condition']
->condition($table['alias'] . '.webform_id', $webform_id);
}
}
}
else {
/** @var \Drupal\webform\WebformSubmissionStorageInterface $submission_storage */
$submission_storage = \Drupal::entityTypeManager()
->getStorage('webform_submission');
$sids = $submission_storage
->getAnonymousSubmissionIds($account);
if ($sids) {
foreach ($webform_submission_tables as $table) {
$table['condition']
->condition($table['alias'] . '.sid', $sids, 'IN');
}
}
}
// Alter query based on access rules.
/** @var \Drupal\webform\WebformAccessRulesManagerInterface $access_rules_manager */
$access_rules_manager = \Drupal::service('webform.access_rules_manager');
// Get cached webform access rules and cache tags so that we don't have
// to continually load every webform.
$cached = \Drupal::cache()
->get('webform_submission_access__webform_access_rules');
if ($cached) {
$webform_access_rules = $cached->data;
}
else {
/** @var \Drupal\webform\WebformInterface[] $webforms */
$webforms = Webform::loadMultiple();
$webform_access_rules = [];
foreach ($webforms as $webform_id => $webform) {
$webform_access_rules[$webform_id] = $access_rules_manager
->getAccessRules($webform) ?: [];
}
\Drupal::cache()
->set('webform_submission_access__webform_access_rules', $webform_access_rules, Cache::PERMANENT, [
'config:webform_list',
]);
}
foreach ($webform_access_rules as $webform_id => $access_rules) {
// Check basic and any access rules and add webform id to all
// webform submission tables conditions.
if ($access_rules_manager
->checkAccessRules($op, $account, $access_rules) || $access_rules_manager
->checkAccessRules($op . '_any', $account, $access_rules)) {
foreach ($webform_submission_tables as $table) {
$table['condition']
->condition($table['alias'] . '.webform_id', $webform_id);
}
}
elseif ($access_rules_manager
->checkAccessRules($op . '_own', $account, $access_rules)) {
foreach ($webform_submission_tables as $table) {
/** @var \Drupal\Core\Database\Query\SelectInterface $query */
$condition = $query
->andConditionGroup();
$condition
->condition($table['alias'] . '.uid', $account
->id());
$condition
->condition($table['alias'] . '.webform_id', $webform_id);
$table['condition']
->condition($condition);
}
}
}
// Allow modules to alter and add their query access rules.
\Drupal::moduleHandler()
->alter('webform_submission_query_access', $query, $webform_submission_tables);
// Apply webform submission table conditions to query.
foreach ($webform_submission_tables as $table) {
// If a webform submission table does not have any conditions,
// we have to block access to the table.
if (count($table['condition']
->conditions()) === 1) {
$table['condition']
->where('1 = 0');
}
$query
->condition($table['condition']);
}
}