
public function YamlFormEntityAccessControlHandler::checkAccess in YAML Form 8

Performs access checks.

This method is intended to be overridden by extending classes that perform their own custom access checking; the generic description above is inherited from the core handler.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'. This handler additionally recognises 'duplicate' and any operation prefixed with 'submission_', which is resolved against the form's custom submission access rules.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkAccess

File

src/YamlFormEntityAccessControlHandler.php, line 32

Class

YamlFormEntityAccessControlHandler
Defines the access control handler for the form entity type.

Namespace

Drupal\yamlform

Code

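/**
 * Performs access checks for a form entity.
 *
 * Handles 'view', 'update', 'duplicate', 'delete' and any 'submission_*'
 * operation; everything else is delegated to the parent handler.
 *
 * @param \Drupal\Core\Entity\EntityInterface $entity
 *   The form entity for which to check access.
 * @param string $operation
 *   The entity operation being checked.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The user for which to check access. Every check below is made for this
 *   account, never for the globally "current" user.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result, carrying the cache metadata it depends on.
 */
public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {

  /** @var \Drupal\yamlform\YamlFormInterface $entity */

  // Viewing a form is unconditionally allowed here. The previous comment
  // claimed 'view' was checked against the 'create' submission access rules,
  // but no such check is performed in this method; any form-level
  // restriction on viewing has to come from elsewhere.
  // NOTE(review): confirm an unconditional allow for 'view' is the intended
  // policy and not a stub left over from an earlier revision.
  if ($operation == 'view') {
    return AccessResult::allowed();
  }

  // Ownership only exists for authenticated users: an anonymous session is
  // never considered the owner, even if the stored owner id happens to match.
  $uid = $entity->getOwnerId();
  $is_owner = $account->isAuthenticated() && $account->id() == $uid;

  // 'update' / 'duplicate' / 'delete' honour the "any" vs "own" permission
  // split. These results depend on the account's permissions, on which user
  // it is (ownership) and on the entity itself, so all three are recorded as
  // cache metadata to prevent one user's result being served to another.
  if ($account->isAuthenticated()) {
    switch ($operation) {
      case 'update':
        // Parentheses make the intended precedence explicit: "edit any", or
        // "edit own" combined with ownership.
        if ($account->hasPermission('edit any yamlform')
          || ($account->hasPermission('edit own yamlform') && $is_owner)) {
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
        break;

      case 'duplicate':
        // Any authenticated user may duplicate a template; a non-template
        // form follows the same edit permissions as 'update'.
        if ($entity->isTemplate()
          || $account->hasPermission('edit any yamlform')
          || ($account->hasPermission('edit own yamlform') && $is_owner)) {
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
        break;

      case 'delete':
        if ($account->hasPermission('delete any yamlform')
          || ($account->hasPermission('delete own yamlform') && $is_owner)) {
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
        break;
    }
  }

  // Operations prefixed with 'submission_' are resolved against the form's
  // custom submission access rules.
  if (strpos($operation, 'submission_') === 0) {

    // Users with 'view any yamlform submission' may view all submissions.
    // This outcome depends on the account's permissions, so it must vary by
    // permission set rather than being cached as a global allow.
    if ($operation == 'submission_view_any'
      && $account->hasPermission('view any yamlform submission')) {
      return AccessResult::allowed()
        ->cachePerPermissions();
    }

    // A template is not meant to receive submissions: block its submission
    // page entirely unless the account may create new forms. $account is
    // passed explicitly because $entity->access() would otherwise evaluate
    // the check for the current user, not the account under review.
    if ($operation == 'submission_page'
      && $entity->isTemplate()
      && !$entity->access('create', $account)) {
      return AccessResult::forbidden()
        ->cachePerPermissions()
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }

    // Anyone allowed to update the form may perform any submission operation;
    // otherwise consult the form's per-operation access rules. Only the
    // leading prefix is stripped to obtain the rule name.
    $rule = substr($operation, strlen('submission_'));
    if ($this->checkAccess($entity, 'update', $account)->isAllowed()
      || $entity->checkAccessRules($rule, $account)) {
      return AccessResult::allowed()
        ->cachePerPermissions()
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }
  }

  // Everything else falls through to the parent handler.
  return parent::checkAccess($entity, $operation, $account);
}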