/**
* Declare this module's structured permissions.
*
* A set of structured permissions is defined as a list of objects and a list
* of verbs. The permissions are created by combining these. For example, the
* list of node types and the verbs (create, edit, delete) form a grid of
* permissions for operations on all the node types.
*
* This hook may be placed in the file MODULE.permissions.inc.
*
* @return
* An array of data for object types that have multiple permissions associated
* with them. The array keys are object machine names, eg, 'node' (though note
* these need not be entities).
* Values are arrays with the following properties:
* - 'label': The human-readable label of the object type.
* - 'objects': An array of the different objects of this type that have
* their own permissions, for example, node types, which each provide
* permissions such as 'create foo node types'. These will form the rows
* of the permissions grid. The keys are the substrings of the permission
* strings, and the values are human-readable labels.
* - 'verb_groups': An array of one or more verb groups. Each verb group
* defines a list of verbs and a pattern for the permissions using those
* verbs. The verb groups keys are arbitrary (but using the name of the
* providing module is a good idea for ease of alterability), and each
* array has the following properties:
* - 'verbs': An array of verbs. The keys are the 'machine names', that is,
* the strings that are replaced into the pattern. The values may be
* human-readable labels. Note that verb machine names must be unique
* across all the verb groups for the object type.
* - 'pattern': The pattern of the permissions machine name, with the
* following replacements:
* - '%verb': The verb of the permission. This takes all the keys in the
* verbs array in this verb group.
* - '%object': The object of the permission. This takes all the keys in
* the objects array.
* - 'object_process_callback' (optional) A function to process the object
* name before replacing it into the pattern. (This is just a hack for
* taxonomy to work.)
*/
function hook_permission_grid_info()
{
$return = array('node' => array('label' => t('Content type'), 'objects' => array(), 'verb_groups' => array('node' => array('pattern' => '%verb %object content', 'verbs' => array('create' => t('Create'), 'edit own' => t('Edit own'), 'edit any' => t('Edit any'), 'delete own' => t('Delete own'), 'delete any' => t('Delete any'))))));
$node_types = node_type_get_types();
$configured_types = node_permissions_get_configured_types();
foreach ($configured_types as $type) {
$return['node']['objects'][$type] = $node_types[$type]->name;
}
return $return;
}
/**
* Checks access to the node add page for the node type.
*
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param \Drupal\node\NodeTypeInterface $node_type
* (optional) The node type. If not specified, access is allowed if there
* exists at least one node type for which the user may create a node.
*
* @return string
* A \Drupal\Core\Access\AccessInterface constant value.
*/
public function access(AccountInterface $account, NodeTypeInterface $node_type = NULL)
{
$access_controller = $this->entityManager->getAccessController('node');
// If checking whether a node of a particular type may be created.
if ($node_type) {
return $access_controller->createAccess($node_type->id(), $account) ? static::ALLOW : static::DENY;
}
// If checking whether a node of any type may be created.
foreach (node_permissions_get_configured_types() as $node_type) {
if ($access_controller->createAccess($node_type->id(), $account)) {
return static::ALLOW;
}
}
return static::DENY;
}
/**
* Overrides Drupal\configuration\Config\Configuration::alterDependencies().
*/
public static function alterDependencies(Configuration $config)
{
if ($config->getComponent() == 'permission') {
foreach (node_permissions_get_configured_types() as $type) {
foreach (array_keys(node_list_permissions($type)) as $permission) {
$data = $config->getData();
if ($permission == $data['permission']) {
$content_type = ConfigurationManagement::createConfigurationInstance('content_type.' . $type);
$config->addToDependencies($content_type);
break;
}
}
}
}
}
/**
* Control access to a node.
*
* Modules may implement this hook if they want to have a say in whether or not
* a given user has access to perform a given operation on a node.
*
* The administrative account (user ID #1) always passes any access check,
* so this hook is not called in that case. Users with the "bypass node access"
* permission may always view and edit content through the administrative
* interface.
*
* Note that not all modules will want to influence access on all
* node types. If your module does not want to actively grant or
* block access, return NODE_ACCESS_IGNORE or simply return nothing.
* Blindly returning FALSE will break other node access modules.
*
* @link http://api.drupal.org/api/group/node_access/7 More on the node access system @endlink
* @ingroup node_access
* @param $node
* The node on which the operation is to be performed, or, if it does
* not yet exist, the type of node to be created.
* @param $op
* The operation to be performed. Possible values:
* - "create"
* - "delete"
* - "update"
* - "view"
* @param $account
* A user object representing the user for whom the operation is to be
* performed.
*
* @return
* NODE_ACCESS_ALLOW if the operation is to be allowed;
* NODE_ACCESS_DENY if the operation is to be denied;
* NODE_ACCESSS_IGNORE to not affect this operation at all.
*/
function hook_node_access($node, $op, $account)
{
$type = is_string($node) ? $node : $node->type;
if (in_array($type, node_permissions_get_configured_types())) {
if ($op == 'create' && user_access('create ' . $type . ' content', $account)) {
return NODE_ACCESS_ALLOW;
}
if ($op == 'update') {
if (user_access('edit any ' . $type . ' content', $account) || user_access('edit own ' . $type . ' content', $account) && $account->uid == $node->uid) {
return NODE_ACCESS_ALLOW;
}
}
if ($op == 'delete') {
if (user_access('delete any ' . $type . ' content', $account) || user_access('delete own ' . $type . ' content', $account) && $account->uid == $node->uid) {
return NODE_ACCESS_ALLOW;
}
}
}
// Returning nothing from this function would have the same effect.
return NODE_ACCESS_IGNORE;
}
/**
* Controls access to a node.
*
* Modules may implement this hook if they want to have a say in whether or not
* a given user has access to perform a given operation on a node.
*
* The administrative account (user ID #1) always passes any access check, so
* this hook is not called in that case. Users with the "bypass node access"
* permission may always view and edit content through the administrative
* interface.
*
* Note that not all modules will want to influence access on all node types. If
* your module does not want to actively grant or block access, return
* NODE_ACCESS_IGNORE or simply return nothing. Blindly returning FALSE will
* break other node access modules.
*
* Also note that this function isn't called for node listings (e.g., RSS feeds,
* the default home page at path 'node', a recent content block, etc.) See
* @link node_access Node access rights @endlink for a full explanation.
*
* @param \Drupal\node\NodeInterface|string $node
* Either a node entity or the machine name of the content type on which to
* perform the access check.
* @param string $op
* The operation to be performed. Possible values:
* - "create"
* - "delete"
* - "update"
* - "view"
* @param \Drupal\Core\Session\AccountInterface $account
* The user object to perform the access check operation on.
* @param object $langcode
* The language code to perform the access check operation on.
*
* @return string
* - NODE_ACCESS_ALLOW: if the operation is to be allowed.
* - NODE_ACCESS_DENY: if the operation is to be denied.
* - NODE_ACCESS_IGNORE: to not affect this operation at all.
*
* @ingroup node_access
*/
function hook_node_access(\Drupal\node\NodeInterface $node, $op, \Drupal\Core\Session\AccountInterface $account, $langcode)
{
$type = is_string($node) ? $node : $node->getType();
$configured_types = node_permissions_get_configured_types();
if (isset($configured_types[$type])) {
if ($op == 'create' && $account->hasPermission('create ' . $type . ' content')) {
return NODE_ACCESS_ALLOW;
}
if ($op == 'update') {
if ($account->hasPermission('edit any ' . $type . ' content', $account) || $account->hasPermission('edit own ' . $type . ' content') && $account->id() == $node->getOwnerId()) {
return NODE_ACCESS_ALLOW;
}
}
if ($op == 'delete') {
if ($account->hasPermission('delete any ' . $type . ' content', $account) || $account->hasPermission('delete own ' . $type . ' content') && $account->id() == $node->getOwnerId()) {
return NODE_ACCESS_ALLOW;
}
}
}
// Returning nothing from this function would have the same effect.
return NODE_ACCESS_IGNORE;
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL)
{
$configured_types = node_permissions_get_configured_types();
if (isset($configured_types[$entity_bundle])) {
return $account->hasPermission('create ' . $entity_bundle . ' content');
}
}
