View source
<?php
namespace Drupal\webform;
use Drupal\Core\Access\AccessResultReasonInterface;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityHandlerInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\webform\Access\WebformAccessResult;
use Drupal\webform\EntityStorage\WebformEntityStorageTrait;
use Symfony\Component\DependencyInjection\ContainerInterface;
class WebformEntityAccessControlHandler extends EntityAccessControlHandler implements EntityHandlerInterface {
use WebformEntityStorageTrait;
protected $requestStack;
protected $webformSourceEntityManager;
protected $accessRulesManager;
public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
$instance = new static($entity_type);
$instance->requestStack = $container
->get('request_stack');
$instance->entityTypeManager = $container
->get('entity_type.manager');
$instance->webformSourceEntityManager = $container
->get('plugin.manager.webform.source_entity');
$instance->accessRulesManager = $container
->get('webform.access_rules_manager');
return $instance;
}
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
if ($account
->hasPermission('administer webform')) {
return WebformAccessResult::allowed();
}
elseif ($account
->hasPermission('create webform')) {
return WebformAccessResult::allowed();
}
else {
return WebformAccessResult::neutral();
}
}
public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
if ($account
->hasPermission('administer webform')) {
return WebformAccessResult::allowed();
}
if ($account
->isAuthenticated()) {
$administer_access_result = $this->accessRulesManager
->checkWebformAccess('administer', $account, $entity);
if ($administer_access_result
->isAllowed()) {
return $administer_access_result;
}
}
$is_owner = (int) $account
->id() === (int) $entity
->getOwnerId();
if ($operation === 'view') {
$is_html = $this->requestStack
->getCurrentRequest()
->getRequestFormat() === 'html';
$is_jsonapi = strpos($this->requestStack
->getCurrentRequest()
->getPathInfo(), '/jsonapi/') === 0 ? TRUE : FALSE;
if ($is_html && !$is_jsonapi) {
$access_result = $this->accessRulesManager
->checkWebformAccess('create', $account, $entity);
}
else {
if ($account
->hasPermission('access any webform configuration') || $account
->hasPermission('access own webform configuration') && $is_owner) {
$access_result = WebformAccessResult::allowed($entity, TRUE);
}
else {
$access_result = $this->accessRulesManager
->checkWebformAccess('configuration', $account, $entity);
}
}
if ($access_result instanceof AccessResultReasonInterface) {
$access_result
->setReason('Access to webform configuration is required.');
}
return $access_result
->addCacheContexts([
'url.path',
'request_format',
]);
}
if ($account
->isAuthenticated()) {
switch ($operation) {
case 'test':
case 'update':
if ($account
->hasPermission('edit any webform') || $account
->hasPermission('edit own webform') && $is_owner) {
return WebformAccessResult::allowed($entity, TRUE);
}
break;
case 'duplicate':
if ($account
->hasPermission('create webform') && ($entity
->isTemplate() || ($account
->hasPermission('edit any webform') || $account
->hasPermission('edit own webform') && $is_owner))) {
return WebformAccessResult::allowed($entity, TRUE);
}
break;
case 'delete':
if ($account
->hasPermission('delete any webform') || $account
->hasPermission('delete own webform') && $is_owner) {
return WebformAccessResult::allowed($entity, TRUE);
}
break;
}
}
$rules_access_result = $this->accessRulesManager
->checkWebformAccess($operation, $account, $entity);
if ($rules_access_result
->isAllowed()) {
return $rules_access_result;
}
if (strpos($operation, 'submission_') === 0) {
if ($account
->hasPermission('administer webform submission')) {
return WebformAccessResult::allowed();
}
if ($operation === 'submission_view_any' && ($account
->hasPermission('view any webform submission') || $account
->hasPermission('administer webform submission'))) {
return WebformAccessResult::allowed();
}
if ($operation === 'submission_view_own' && $account
->hasPermission('view own webform submission')) {
return WebformAccessResult::allowed();
}
if ($operation === 'submission_update_any' && $account
->hasPermission('edit any webform submission')) {
return WebformAccessResult::allowed();
}
if ($operation === 'submission_update_own' && $account
->hasPermission('edit own webform submission')) {
return WebformAccessResult::allowed();
}
if (in_array($operation, [
'submission_page',
'submission_create',
])) {
if ($entity
->getSetting('limit_total_unique')) {
$source_entity = $this->webformSourceEntityManager
->getSourceEntity('webform');
$last_submission = $this
->getSubmissionStorage()
->getLastSubmission($entity, $source_entity, NULL, [
'in_draft' => FALSE,
]);
if ($last_submission && $last_submission
->access('update')) {
return WebformAccessResult::allowed($last_submission);
}
}
if ($entity
->getSetting('limit_user_unique')) {
if (!$account
->isAuthenticated()) {
return WebformAccessResult::forbidden($entity);
}
$source_entity = $this->webformSourceEntityManager
->getSourceEntity('webform');
$last_submission = $this
->getSubmissionStorage()
->getLastSubmission($entity, $source_entity, $account, [
'in_draft' => FALSE,
]);
if ($last_submission && $last_submission
->access('update')) {
return WebformAccessResult::allowed($last_submission);
}
}
$token = $this->requestStack
->getCurrentRequest()->query
->get('token');
if ($token && $entity
->isOpen()) {
$source_entity = $this->webformSourceEntityManager
->getSourceEntity('webform');
if ($submission = $this
->getSubmissionStorage()
->loadFromToken($token, $entity, $source_entity)) {
return WebformAccessResult::allowed($submission)
->addCacheContexts([
'url',
]);
}
}
}
if ($operation === 'submission_page') {
$create_access = $entity
->access('create', $account, TRUE);
if ($entity
->isTemplate() && !$create_access
->isAllowed()) {
return WebformAccessResult::forbidden($entity)
->addCacheableDependency($create_access);
}
if (!$entity
->getSetting('page')) {
$source_entity = $this->webformSourceEntityManager
->getSourceEntity('webform');
if (!$source_entity) {
return WebformAccessResult::forbidden($entity);
}
}
}
$submission_operation = str_replace('submission_page', 'submission_create', $operation);
$submission_operation = str_replace('submission_', '', $submission_operation);
$submission_access_result = $this->accessRulesManager
->checkWebformAccess($submission_operation, $account, $entity);
if ($submission_access_result
->isAllowed()) {
return $submission_access_result;
}
$update_access_result = $this
->checkAccess($entity, 'update', $account);
if ($update_access_result
->isAllowed()) {
return $update_access_result;
}
}
if ($operation === 'delete' && $entity
->isNew()) {
return WebformAccessResult::forbidden($entity);
}
else {
return WebformAccessResult::neutral($entity);
}
}
}