public function YamlFormEntityAccessControlHandler::checkAccess in YAML Form 8
Performs access checks.
This method is supposed to be overridden by extending classes that do their own custom access checking.
Parameters
\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.
string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.
\Drupal\Core\Session\AccountInterface $account: The user for which to check access.
Return value
\Drupal\Core\Access\AccessResultInterface The access result.
Overrides EntityAccessControlHandler::checkAccess
File
- src/
YamlFormEntityAccessControlHandler.php, line 32
Class
- YamlFormEntityAccessControlHandler
- Defines the access control handler for the form entity type.
Namespace
Drupal\yamlform
Code
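/**
 * Checks access to a form entity for the given operation and account.
 *
 * Decision order, as implemented below:
 * - 'view' is always allowed.
 * - 'update', 'duplicate' and 'delete' are granted to authenticated accounts
 *   holding the matching 'any' permission, or the matching 'own' permission
 *   when the account owns the form. 'duplicate' is also granted to any
 *   authenticated account when the form is a template.
 * - 'submission_*' operations are granted through the 'view any yamlform
 *   submission' permission (submission_view_any only), through 'update'
 *   access to the form, or through the form's own access rules.
 * - Everything else is delegated to the parent handler.
 *
 * @param \Drupal\Core\Entity\EntityInterface $entity
 *   The form entity for which to check access.
 * @param string $operation
 *   The entity operation. Usually one of 'view', 'update', 'duplicate',
 *   'delete' or a 'submission_*' operation.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The user for which to check access.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result.
 */
public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
  /** @var \Drupal\yamlform\YamlFormInterface $entity */
  // Viewing a form is the same as creating a form submission, so 'view' is
  // allowed unconditionally here.
  // NOTE(review): the 'create' submission access rules are not evaluated in
  // this method for 'view'; presumably they are enforced through the
  // submission_* operations - confirm against callers.
  if ($operation === 'view') {
    return AccessResult::allowed();
  }

  $uid = $entity->getOwnerId();
  // Loose comparison is deliberate: the two ids may differ in type
  // (int vs. numeric string). Anonymous accounts never count as owner.
  $is_owner = $account->isAuthenticated() && $account->id() == $uid;

  // Check if 'update' or 'delete' of 'own' or 'any' form is allowed.
  if ($account->isAuthenticated()) {
    switch ($operation) {
      case 'update':
        if ($account->hasPermission('edit any yamlform') || ($account->hasPermission('edit own yamlform') && $is_owner)) {
          // The result depends on permissions, on the account (ownership) and
          // on the entity, so all three are declared as cache metadata.
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
        break;

      case 'duplicate':
        if ($entity->isTemplate() || $account->hasPermission('edit any yamlform') || ($account->hasPermission('edit own yamlform') && $is_owner)) {
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
        break;

      case 'delete':
        if ($account->hasPermission('delete any yamlform') || ($account->hasPermission('delete own yamlform') && $is_owner)) {
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
        break;
    }
  }

  // Check submission_* operation.
  if (strpos($operation, 'submission_') === 0) {
    // Allow users with 'view any yamlform submission' to view all submissions.
    // The decision varies by permission, so the result must carry the
    // permissions cache context; without it a cached "allowed" could be
    // reused for an account that lacks the permission.
    if ($operation === 'submission_view_any' && $account->hasPermission('view any yamlform submission')) {
      return AccessResult::allowed()->cachePerPermissions();
    }

    // Completely block access to a template if the user can't create new
    // forms. The check is made for $account explicitly: access() falls back
    // to the current user when no account is passed, which is wrong whenever
    // this handler is asked about a different account.
    if ($operation === 'submission_page' && $entity->isTemplate() && !$entity->access('create', $account)) {
      return AccessResult::forbidden()
        ->cachePerPermissions()
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }

    // Anyone who may update the form may perform every submission operation;
    // otherwise fall back to the form's custom submission access rules, which
    // are keyed by the operation name without the 'submission_' prefix.
    if ($this->checkAccess($entity, 'update', $account)->isAllowed() || $entity->checkAccessRules(str_replace('submission_', '', $operation), $account)) {
      return AccessResult::allowed()
        ->cachePerPermissions()
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }
  }

  return parent::checkAccess($entity, $operation, $account);
}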