WebformSubmissionAccessControlHandler.php in Webform 6.x
src/WebformSubmissionAccessControlHandler.php
<?php
namespace Drupal\webform;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityHandlerInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\webform\Access\WebformAccessResult;
use Symfony\Component\DependencyInjection\ContainerInterface;
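class WebformSubmissionAccessControlHandler extends EntityAccessControlHandler implements EntityHandlerInterface {

  /**
   * The webform access rules manager.
   *
   * Resolved from the 'webform.access_rules_manager' service in
   * createInstance() and consulted as the last check before deferring to the
   * parent handler in checkAccess().
   *
   * @var \Drupal\webform\WebformAccessRulesManagerInterface
   */
  protected $accessRulesManager;

  /**
   * The current request, or NULL when there is none (e.g. CLI / queue runs).
   *
   * Only the 'token' query argument is read from it.
   *
   * @var \Symfony\Component\HttpFoundation\Request|null
   */
  protected $request;

  /**
   * {@inheritdoc}
   */
  public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
    $instance = new static($entity_type);
    $instance->accessRulesManager = $container->get('webform.access_rules_manager');
    $instance->request = $container->get('request_stack')->getCurrentRequest();
    return $instance;
  }

  /**
   * Checks access to a webform submission for a given operation.
   *
   * The checks are evaluated in order and the first one that grants wins:
   * 1. The global 'administer webform' or 'administer webform submission'
   *    permission.
   * 2. 'update' access to the parent webform.
   * 3. For 'view' and 'delete' only: a ?token= query argument equal to the
   *    submission's token, provided the webform's 'token_view' /
   *    'token_delete' setting is enabled. The result is varied on the
   *    'url.query_args:token' cache context.
   * 4. The '{view|edit|delete} any webform submission' permission, or the
   *    matching '... own webform submission' permission for the owner.
   * 5. 'duplicate' (create or update access on the submission) and 'resend'
   *    ('submission_update_any' access on the webform) return a definitive
   *    result and never fall through to the access rules.
   * 6. The webform's configured access rules, if they allow.
   * 7. Otherwise the parent handler's decision.
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The webform submission being accessed.
   * @param string $operation
   *   The operation ('view', 'update', 'delete', 'duplicate', 'resend', ...).
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account for which access is checked.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   */
  public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Global administrators always have access.
    if ($account->hasPermission('administer webform')
      || $account->hasPermission('administer webform submission')) {
      return WebformAccessResult::allowed();
    }

    $webform = $entity->getWebform();

    // Anyone allowed to edit the webform may access its submissions. The
    // second argument appears to request per-user cacheability - confirm
    // against WebformAccessResult::allowed().
    if ($webform->access('update', $account)) {
      return WebformAccessResult::allowed($entity, TRUE);
    }

    // Token-based access for 'view' and 'delete', enabled per webform.
    if (($operation === 'view' || $operation === 'delete')
      && $webform->getSetting('token_' . $operation)) {
      $provided = $this->request ? $this->request->query->get('token') : NULL;
      $expected = $entity->getToken();
      // Both sides must be non-empty strings: a missing or empty submission
      // token must never match a missing query argument, and a non-scalar
      // query value must not reach hash_equals(). The comparison itself is
      // constant-time so the token cannot be probed through timing.
      if (is_string($provided) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $provided)) {
        return WebformAccessResult::allowed($entity)
          ->addCacheContexts(['url.query_args:token']);
      }
    }

    // Map the entity operation to the verb used in the permission names.
    $actions = [
      'view' => 'view',
      'update' => 'edit',
      'delete' => 'delete',
    ];
    if (isset($actions[$operation])) {
      $action = $actions[$operation];
      if ($account->hasPermission("{$action} any webform submission")) {
        return WebformAccessResult::allowed();
      }
      if ($account->hasPermission("{$action} own webform submission") && $entity->isOwner($account)) {
        return WebformAccessResult::allowed($entity, TRUE);
      }
    }

    // Derived operations are decided here and do not consult access rules.
    switch ($operation) {
      case 'duplicate':
        return WebformAccessResult::allowedIf(
          $entity->access('create', $account) || $entity->access('update', $account)
        );

      case 'resend':
        return WebformAccessResult::allowedIf($webform->access('submission_update_any', $account));
    }

    // Webform-level access rules only ever widen access; a neutral or
    // forbidden result from them is not returned, the parent decides instead.
    $webform_access = $this->accessRulesManager->checkWebformSubmissionAccess($operation, $account, $entity);
    if ($webform_access->isAllowed()) {
      return $webform_access;
    }

    return parent::checkAccess($entity, $operation, $account);
  }

}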