/**
 * {@inheritdoc}
 */
public function allowed(WorkflowTransition $transition, WorkflowInterface $workflow, EntityInterface $entity) {
  $to_state = $transition->getToState()->getId();
  // The virtual "non-state" can never be the target of a transition.
  if ($to_state == self::NON_STATE) {
    return FALSE;
  }
  $from_state = $this->getState($entity);

  // Users holding the global bypass permission skip every role requirement.
  // NOTE(review): this check reads the current session user, while the role
  // checks below use the workflow user provider; the two accounts may differ
  // when the guard runs outside a normal request — confirm this is intended.
  if (\Drupal::currentUser()->hasPermission('bypass node access')) {
    return TRUE;
  }

  // The workflow has already filtered the transitions, so only the role list
  // configured for this (to state, from state) pair needs to be consulted.
  // @see: solution.settings.yml
  $configured_transitions = \Drupal::config('solution.settings')->get('transitions');
  $authorized_roles = [];
  if (isset($configured_transitions[$to_state][$from_state])) {
    $authorized_roles = $configured_transitions[$to_state][$from_state];
  }

  $user = $this->workflowUserProvider->getUser();
  // System roles are checked first.
  $matching_system_roles = array_intersect($authorized_roles, $user->getRoles());
  if (!empty($matching_system_roles)) {
    return TRUE;
  }

  // Then the roles held through the entity's group membership, if there is one.
  $membership = Og::getMembership($entity, $user);
  if (!$membership) {
    return FALSE;
  }
  $matching_group_roles = array_intersect($authorized_roles, $membership->getRolesIds());
  return !empty($matching_group_roles);
}
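/**
 * Handles access to the solution add form through collection pages.
 *
 * Access is granted only when the current user's membership in the given
 * group carries the 'create solution rdf_entity' permission; non-members and
 * members without that permission are explicitly forbidden.
 *
 * @param \Drupal\rdf_entity\RdfInterface $rdf_entity
 *   The RDF entity (group) for which the solution is created.
 *
 * @return \Drupal\Core\Access\AccessResult
 *   The access result object, varying per user and depending on the group.
 */
public function createSolutionAccess(RdfInterface $rdf_entity) {
  $user = $this->currentUser();
  // $rdf_entity is a non-nullable typed parameter, so no empty() guard is
  // needed here: an object is never "empty" and NULL cannot reach this point.
  $membership = Og::getMembership($rdf_entity, $user);
  $result = $membership && $membership->hasPermission('create solution rdf_entity')
    ? AccessResult::allowed()
    : AccessResult::forbidden();
  // The outcome depends on the current user's membership and on the group
  // itself; declare that cacheability so a user-specific result is never
  // cached and reused for a different user.
  return $result->cachePerUser()->addCacheableDependency($rdf_entity);
}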
/**
 * {@inheritdoc}
 *
 * The default transition check is overridden because, for news, whether a
 * transition is allowed depends on three things: the moderation setting of
 * the parent group, the user's system roles and the user's organic group
 * roles. The transitions permitted for the parent's moderation mode are
 * consulted first; only when the transition appears there are the system and
 * group roles compared against the configured role list.
 */
public function allowed(WorkflowTransition $transition, WorkflowInterface $workflow, EntityInterface $entity) {
  $to_state = $transition->getToState()->getId();
  // The virtual "non-state" is never a valid target.
  if ($to_state == self::NON_STATE) {
    return FALSE;
  }
  $from_state = $this->getState($entity);

  // This guard runs wherever transitions are evaluated, including outside the
  // entity CRUD forms (e.g. when editing the settings of the field). There is
  // no parent entity in those cases, so nothing can be allowed.
  $parent = $this->getParent($entity);
  if (empty($parent)) {
    return FALSE;
  }

  // The moderation flag lives on a different field depending on the parent's
  // bundle. NOTE(review): ->first() is assumed to be non-NULL here; an empty
  // field yields NULL (with a notice), which is not a configured key and so
  // falls through to FALSE below — confirm the field is always populated.
  $moderation_field = $parent->bundle() == 'collection' ? 'field_ar_moderation' : 'field_is_moderation';
  $is_moderated = $parent->{$moderation_field}->first()->value;

  // Only transitions listed for this moderation mode are possible.
  // @see: joinup_news.settings.yml
  $configured_transitions = \Drupal::config('joinup_news.settings')->get('transitions');
  if (!isset($configured_transitions[$is_moderated][$to_state][$from_state])) {
    return FALSE;
  }
  $authorized_roles = $configured_transitions[$is_moderated][$to_state][$from_state];

  $user = \Drupal::currentUser();
  // System roles are checked first.
  if (count(array_intersect($authorized_roles, $user->getRoles())) > 0) {
    return TRUE;
  }
  // Then the roles held through membership of the parent group.
  $membership = Og::getMembership($parent, $user->getAccount());
  return $membership && count(array_intersect($authorized_roles, $membership->getRolesIds())) > 0;
}
/**
 * Asserts that a group is owned by a user.
 *
 * Ownership means the user's membership in the group carries every one of
 * the given roles.
 *
 * @param AccountInterface $user
 *   The user to be checked.
 * @param RdfInterface $group
 *   The group entity. In this project, only rdf entities are groups.
 * @param array $roles
 *   The roles to require, passed as simple names rather than full IDs; they
 *   are converted to IDs for the given group before being compared.
 *
 * @throws \Exception
 *   When the user is not a member of the group, or is a member but lacks at
 *   least one of the required roles.
 */
protected function assertOgGroupOwnership(AccountInterface $user, RdfInterface $group, $roles) {
  $membership = Og::getMembership($group, $user);
  if (empty($membership)) {
    throw new \Exception("User {$user->getAccountName()} is not a member of the {$group->label()} group.");
  }
  $required_role_ids = $this->convertOgRoleNamesToIds($roles, $group);
  // Every required role must be present in the membership; any role left in
  // the difference means the user is not an owner.
  $missing_role_ids = array_diff($required_role_ids, $membership->getRolesIds());
  if (!empty($missing_role_ids)) {
    throw new \Exception("User {$user->getAccountName()} is not the owner of the {$group->label()} group.");
  }
}
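/**
 * {@inheritdoc}
 *
 * Removes the current user's membership of the collection, reports it and
 * redirects back to the cancel URL.
 */
public function submitForm(array &$form, FormStateInterface $form_state) {
  $user = User::load($this->currentUser()->id());
  $membership = Og::getMembership($this->collection, $user);
  // The membership may already be gone by the time the form is submitted
  // (e.g. a repeated submission or a concurrent removal). Calling delete() on
  // NULL would fatal, so only delete what still exists; the end state is the
  // same either way, so the message and redirect are unchanged.
  if ($membership) {
    $membership->delete();
  }
  drupal_set_message($this->t('You are no longer a member of %collection.', ['%collection' => $this->collection->getName()]));
  // @todo: This is a temporary workaround for the lack of og cache
  // contexts/tags. Remove this when Og provides proper cache context.
  // @see: https://webgate.ec.europa.eu/CITnet/jira/browse/ISAICP-2628
  Cache::invalidateTags(['user.roles']);
  $form_state->setRedirectUrl($this->getCancelUrl());
}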