/**
  * {@inheritdoc}
  */
 public function allowed(WorkflowTransition $transition, WorkflowInterface $workflow, EntityInterface $entity)
 {
     $target = $transition->getToState()->getId();
     // The virtual "non state" is never a valid transition target.
     if ($target == self::NON_STATE) {
         return FALSE;
     }

     $current = $this->getState($entity);
     // The transitions offered to the caller are already filtered by the
     // workflow; the settings only add a role requirement for each
     // (to state, from state) pair.
     // @see: solution.settings.yml
     $role_requirements = \Drupal::config('solution.settings')->get('transitions');

     // The bypass permission short-circuits every role check below.
     // NOTE(review): this check reads \Drupal::currentUser() while the role
     // checks use the workflow user provider — confirm the two are meant to
     // be the same account.
     if (\Drupal::currentUser()->hasPermission('bypass node access')) {
         return TRUE;
     }

     $required_roles = [];
     if (isset($role_requirements[$target][$current])) {
         $required_roles = $role_requirements[$target][$current];
     }

     // A matching system role is sufficient on its own.
     $user = $this->workflowUserProvider->getUser();
     $has_system_role = (bool) array_intersect($required_roles, $user->getRoles());
     if ($has_system_role) {
         return TRUE;
     }

     // Otherwise the user's roles inside the group decide.
     $membership = Og::getMembership($entity, $user);
     if (!$membership) {
         return FALSE;
     }
     return (bool) array_intersect($required_roles, $membership->getRolesIds());
 }
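 /**
  * Handles access to the solution add form through collection pages.
  *
  * The decision depends on the current user's membership in the given
  * group, so the result is declared as varying per user and as depending
  * on the group entity; without that metadata a cached rendering that
  * bubbles this result (e.g. an "add solution" link) could be reused for
  * a different user.
  *
  * @param \Drupal\rdf_entity\RdfInterface $rdf_entity
  *   The RDF entity (the group) for which the solution is created.
  *
  * @return \Drupal\Core\Access\AccessResult
  *   Allowed when the user is a group member holding the
  *   'create solution rdf_entity' permission in that group, forbidden
  *   otherwise.
  */
 public function createSolutionAccess(RdfInterface $rdf_entity)
 {
     $user = $this->currentUser();
     // NOTE(review): $rdf_entity is a non-nullable object parameter, so
     // this guard appears unreachable; kept unchanged for existing callers.
     if (empty($rdf_entity) && !$user->isAnonymous()) {
         return AccessResult::neutral()->cachePerUser();
     }

     $membership = Og::getMembership($rdf_entity, $user);
     $may_create = !empty($membership) && $membership->hasPermission('create solution rdf_entity');
     $result = $may_create ? AccessResult::allowed() : AccessResult::forbidden();

     // The outcome is specific to this user and this group.
     return $result->cachePerUser()->addCacheableDependency($rdf_entity);
 }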
 /**
  * {@inheritdoc}
  *
  * The default set of allowed transitions is not sufficient here: whether a
  * transition may be taken depends on the parent's moderation setting, on
  * the user's system roles and on the user's organic group roles. The
  * transition table for the parent's moderation is consulted first; only a
  * transition listed there is then subjected to the role checks.
  */
 public function allowed(WorkflowTransition $transition, WorkflowInterface $workflow, EntityInterface $entity)
 {
     $target = $transition->getToState()->getId();
     // The virtual "non state" is never a valid transition target.
     if ($target == self::NON_STATE) {
         return FALSE;
     }

     $current = $this->getState($entity);
     $parent = $this->getParent($entity);

     // The parent's moderation flag selects the transition table. Without a
     // parent the moderated table is used (and the request is refused below
     // anyway).
     $moderation = self::MODERATED;
     if ($parent) {
         $moderation_field = $parent->bundle() == 'collection'
             ? $parent->field_ar_moderation
             : $parent->field_is_moderation;
         $moderation = $moderation_field->first()->value;
     }

     // @see: joinup_news.settings.yml
     $transition_table = \Drupal::config('joinup_news.settings')->get('transitions');
     // A transition missing from the table for this moderation is refused.
     if (!isset($transition_table[$moderation][$target][$current])) {
         return FALSE;
     }

     // The guard also runs outside the entity CRUD forms (for instance while
     // editing the settings of the field). There is no parent entity in
     // those calls, so they are refused here.
     if (empty($parent)) {
         return FALSE;
     }

     $required_roles = $transition_table[$moderation][$target][$current];
     $user = \Drupal::currentUser();
     // A matching system role grants the transition outright.
     if (array_intersect($required_roles, $user->getRoles())) {
         return TRUE;
     }

     // Otherwise the user's roles within the parent group decide.
     $membership = Og::getMembership($parent, $user->getAccount());
     if (!$membership) {
         return FALSE;
     }
     return (bool) array_intersect($required_roles, $membership->getRolesIds());
 }
 /**
  * Asserts that a group is owned by a user.
  *
  * Ownership means that the user is a member of the group and holds every
  * one of the given roles there.
  *
  * @param AccountInterface $user
  *    The user to be checked.
  * @param RdfInterface $group
  *    The group entity. In this project, only rdf entities are groups.
  * @param array $roles
  *    The roles to check for, given as simple role names rather than full
  *    IDs; they are converted to IDs for the given group before comparison.
  *
  * @throws \Exception
  *    When the user is not a member of the group, or is a member but lacks
  *    at least one of the roles.
  */
 protected function assertOgGroupOwnership(AccountInterface $user, RdfInterface $group, $roles)
 {
     $membership = Og::getMembership($group, $user);
     if (empty($membership)) {
         throw new \Exception("User {$user->getAccountName()} is not a member of the {$group->label()} group.");
     }

     // Every requested role has to be present: the intersection equals the
     // requested list exactly when none of them is missing.
     $expected_ids = $this->convertOgRoleNamesToIds($roles, $group);
     $held_ids = array_intersect($expected_ids, $membership->getRolesIds());
     if ($held_ids != $expected_ids) {
         throw new \Exception("User {$user->getAccountName()} is not the owner of the {$group->label()} group.");
     }
 }
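 /**
  * {@inheritdoc}
  *
  * Removes the current user's membership of the collection, informs the
  * user and redirects back to the cancel URL.
  */
 public function submitForm(array &$form, FormStateInterface $form_state)
 {
     $user = User::load($this->currentUser()->id());
     // Og::getMembership() can return no membership (the other callers in
     // this file guard for that), e.g. when the form is submitted twice or
     // the membership was removed concurrently. Only delete what actually
     // exists instead of failing with a method call on NULL.
     $membership = Og::getMembership($this->collection, $user);
     if ($membership) {
         $membership->delete();
     }
     drupal_set_message($this->t('You are no longer a member of %collection.', ['%collection' => $this->collection->getName()]));
     // @todo: This is a temporary workaround for the lack of og cache
     // contexts/tags. Remove this when Og provides proper cache context.
     // @see: https://webgate.ec.europa.eu/CITnet/jira/browse/ISAICP-2628
     Cache::invalidateTags(['user.roles']);
     $form_state->setRedirectUrl($this->getCancelUrl());
 }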