Issue 52: Add access control to set preview operation for unpublished…

… entities.
donquixote · Nov 21, 2024 · 012031f · 012031f
1 parent 6a5d240
commit 012031f
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 9 deletions.
diff --git a/modules/collabora_online_group/collabora_online_group.services.yml b/modules/collabora_online_group/collabora_online_group.services.yml
@@ -2,4 +2,8 @@ services:
   group.relation_handler.permission_provider.collabora_group_media:
     class: 'Drupal\collabora_online_group\Plugin\Group\RelationHandler\CollaboraPermissionProvider'
     decorates: group.relation_handler.permission_provider.group_media
-    arguments: [ '@group.relation_handler.permission_provider.collabora_group_media.inner' ]
+    arguments: ["@group.relation_handler.permission_provider.collabora_group_media.inner"]
+
+  group.relation_handler.access_control.group_media:
+    class: 'Drupal\collabora_online_group\Plugin\Group\RelationHandler\CollaboraAccessControl'
+    arguments: ["@group.relation_handler.access_control"]
diff --git a/modules/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraAccessControl.php b/modules/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraAccessControl.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace Drupal\collabora_online_group\Plugin\Group\RelationHandler;
+
+use Drupal\Core\Entity\EntityInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\group\Plugin\Group\RelationHandler\AccessControlInterface;
+use Drupal\group\Plugin\Group\RelationHandler\AccessControlTrait;
+use Drupal\group\Plugin\Group\RelationHandlerDefault\AccessControl;
+
+/**
+ * Provides access control for group relations.
+ */
+class CollaboraAccessControl extends AccessControl {
+
+  use AccessControlTrait;
+
+  /**
+   * Constructs a new GroupMediaPermissionProvider.
+   *
+   * @param \Drupal\group\Plugin\Group\RelationHandler\AccessControlInterface $parent
+   *   The default access control.
+   */
+  public function __construct(AccessControlInterface $parent) {
+    $this->parent = $parent;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function entityAccess(EntityInterface $entity, $operation, AccountInterface $account, $return_as_object = FALSE) {
+    // Add support for unpublished vs published for "preview in collabora".
+    $check_published = $operation === 'preview in collabora' && $this->implementsPublishedInterface;
+
+    if (!$check_published) {
+      return $this->parent->entityAccess($entity, $operation, $account, $return_as_object);
+    }
+
+    if (!$entity->isPublished()) {
+      $operation .= ' unpublished';
+    }
+
+    return $this->parent->entityAccess($entity, $operation, $account, $return_as_object);
+  }
+
+}
diff --git a/...s/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraPermissionProvider.php b/...s/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraPermissionProvider.php
@@ -25,7 +25,7 @@ public function buildPermissions(): array {
     if ($name = $provider_chain->getPermission('preview in collabora', 'entity')) {
       $permissions[$name] = $this->buildPermission("$prefix Preview published %entity_type in collabora");
     }
-    if ($name = $provider_chain->getPermission('preview in collabora', 'entity', 'own')) {
+    if ($name = $provider_chain->getPermission('preview in collabora unpublished', 'entity', 'own')) {
       $permissions[$name] = $this->buildPermission("$prefix Preview own unpublished %entity_type in collabora");
     }
     if ($name = $provider_chain->getPermission('edit in collabora', 'entity')) {
@@ -49,12 +49,13 @@ public function getPermission($operation, $target, $scope = 'any'): bool|string
     ) {
       switch ($operation) {
         case 'preview in collabora':
+          if ($scope === 'any') {
+            return "preview $this->pluginId in collabora";
+          }
+        case 'preview in collabora unpublished':
           if ($scope === 'own') {
             return "preview $scope unpublished $this->pluginId in collabora";
           }
-
-          return "preview $this->pluginId in collabora";
-
         case 'edit in collabora':
           return "edit $scope $this->pluginId in collabora";
       }

diff --git a/modules/collabora_online_group/tests/src/Kernel/AccessTest.php b/modules/collabora_online_group/tests/src/Kernel/AccessTest.php
@@ -137,15 +137,15 @@ protected function getTestScenarios(): array {
                 'status' => 1,
                 'scope' => 'own',
             ],
-            'FAIL preview:unpublished:any::preview' => [
+            'preview:unpublished:any::preview' => [
                 'result' => FALSE,
                 'permissions' => [],
                 'group_permissions' => ['preview group_media:document in collabora'],
                 'operation' => 'preview in collabora',
                 'status' => 0,
                 'scope' => 'any',
             ],
-            'FAIL preview:unpublished:own::preview' => [
+            'preview:unpublished:own::preview' => [
                 'result' => FALSE,
                 'permissions' => [],
                 'group_permissions' => ['preview group_media:document in collabora'],
@@ -169,8 +169,9 @@ protected function getTestScenarios(): array {
                 'status' => 0,
                 'scope' => 'own',
             ],
-            'FAIL preview:published:own::preview_own' => [
-                'result' => FALSE,
+            // To check: owner get access allowed on entities they own.
+            'preview:published:own::preview_own' => [
+                'result' => TRUE,
                 'permissions' => [],
                 'group_permissions' => ['preview own unpublished group_media:document in collabora'],
                 'operation' => 'preview in collabora',