public function WebformSubmissionAccessControlHandler::checkAccess in Webform 8.5

Same name and namespace in other branches
  1. 6.x src/WebformSubmissionAccessControlHandler.php \Drupal\webform\WebformSubmissionAccessControlHandler::checkAccess()

Performs access checks.

This method is supposed to be overwritten by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkAccess

File

src/WebformSubmissionAccessControlHandler.php, line 66

Class

WebformSubmissionAccessControlHandler
Defines the access control handler for the webform submission entity type.

Namespace

Drupal\webform

Code

public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
  /** @var \Drupal\webform\WebformSubmissionInterface $entity */

  // Check 'administer webform' permission.
  if ($account->hasPermission('administer webform')) {
    return WebformAccessResult::allowed();
  }

  // Check 'administer webform submission' permission.
  if ($account->hasPermission('administer webform submission')) {
    return WebformAccessResult::allowed();
  }

  // Check webform 'update' permission.
  if ($entity->getWebform()->access('update', $account)) {
    return WebformAccessResult::allowed($entity, TRUE);
  }

  // Check view and delete operations token access.
  if (($operation === 'view' || $operation === 'delete') && $entity->getWebform()->getSetting('token_' . $operation)) {
    $token = $this->request->query->get('token');
    if ($token === $entity->getToken()) {
      // The decision depends on the ?token= query argument, so the cached
      // result must vary on it.
      return WebformAccessResult::allowed($entity)
        ->addCacheContexts(['url.query_args:token']);
    }
  }

  // Check 'any' or 'own' webform submission permissions.
  $operations = [
    'view' => 'view',
    'update' => 'edit',
    'delete' => 'delete',
  ];
  if (isset($operations[$operation])) {
    $action = $operations[$operation];

    // Check operation any.
    if ($account->hasPermission("{$action} any webform submission")) {
      return WebformAccessResult::allowed();
    }

    // Check operation own.
    if ($account->hasPermission("{$action} own webform submission") && $entity->isOwner($account)) {
      return WebformAccessResult::allowed($entity, TRUE);
    }
  }

  // Check other operations.
  switch ($operation) {
    case 'duplicate':
      // Check for 'create' or 'update' access.
      return WebformAccessResult::allowedIf($entity->access('create', $account) || $entity->access('update', $account));

    case 'resend':
      // Check for 'update any submission' access.
      return WebformAccessResult::allowedIf($entity->getWebform()->access('submission_update_any', $account));
  }

  // Check webform access rules.
  $webform_access = $this->accessRulesManager->checkWebformSubmissionAccess($operation, $account, $entity);
  if ($webform_access->isAllowed()) {
    return $webform_access;
  }
  return parent::checkAccess($entity, $operation, $account);
}
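The docblock says this method is meant to be overridden by extending classes. The following is an added example, not code from the Webform module or from this page: a handler in a hypothetical custom module `mymodule` that narrows the decision above (non-administrators may delete only draft submissions) while delegating everything else to the parent chain. The module name, class name and the retention policy are assumptions; `isDraft()`, `AccessResult::andIf()`, `cachePerPermissions()` and `addCacheableDependency()` are existing Webform/Drupal core APIs.

```php
<?php
// File: mymodule/src/MyModuleSubmissionAccessControlHandler.php (hypothetical module).

namespace Drupal\mymodule;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\webform\WebformSubmissionAccessControlHandler;

/**
 * Narrows Webform submission access: only drafts may be deleted by non-admins.
 */
class MyModuleSubmissionAccessControlHandler extends WebformSubmissionAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    /** @var \Drupal\webform\WebformSubmissionInterface $entity */
    // Let Webform run its own chain first: administer permissions, token
    // access, 'any'/'own' permissions, per-webform access rules.
    $result = parent::checkAccess($entity, $operation, $account);

    // Site policy (assumed for this example): completed submissions are kept
    // for audit, so only drafts can be deleted unless the account administers
    // webforms.
    if ($operation === 'delete' && !$entity->isDraft() && !$account->hasPermission('administer webform')) {
      // andIf() can only narrow the parent's decision (allowed AND forbidden
      // is forbidden), so this override cannot accidentally widen access.
      // The result depends on the account's permissions and on the
      // submission's draft state, so both go into the cacheability metadata.
      $forbidden = AccessResult::forbidden('Completed submissions are retained and cannot be deleted.')
        ->cachePerPermissions()
        ->addCacheableDependency($entity);
      $result = $result->andIf($forbidden);
    }
    return $result;
  }

}
```

Register the class from `mymodule.module` in `hook_entity_type_alter()` with `$entity_types['webform_submission']->setHandlerClass('access', \Drupal\mymodule\MyModuleSubmissionAccessControlHandler::class);` so the entity type uses it instead of the Webform handler.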