diff --git a/modules/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraAccessControl.php b/modules/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraAccessControl.php index e2574362..95592804 100644 --- a/modules/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraAccessControl.php +++ b/modules/collabora_online_group/src/Plugin/Group/RelationHandler/CollaboraAccessControl.php @@ -16,7 +16,7 @@ class CollaboraAccessControl extends AccessControl { use AccessControlTrait; /** - * Constructs a new GroupAccessControllProvider. + * Constructs a new GroupAccessControl. * * @param \Drupal\group\Plugin\Group\RelationHandler\AccessControlInterface $parent * The default access control. @@ -29,7 +29,7 @@ public function __construct(AccessControlInterface $parent) { * {@inheritdoc} */ public function entityAccess(EntityInterface $entity, $operation, AccountInterface $account, $return_as_object = FALSE) { - // Add support for unpublished vs published for "preview in collabora". + // Add support for unpublished operation: preview in collabora. $check_published = $operation === 'preview in collabora' && $this->implementsPublishedInterface; if ($check_published && !$entity->isPublished()) { diff --git a/modules/collabora_online_group/tests/src/Kernel/AccessTest.php b/modules/collabora_online_group/tests/src/Kernel/AccessTest.php index c2d9e6b2..b4d6e231 100644 --- a/modules/collabora_online_group/tests/src/Kernel/AccessTest.php +++ b/modules/collabora_online_group/tests/src/Kernel/AccessTest.php @@ -105,7 +105,8 @@ protected function getTestScenarios(): array { // The scenario keys contains values used for each scenario: // 'operation:status:scope:global_permission:group_permission'. return [ - 'preview:published:any:::' => [ + // Preview no permissions cases. + 'preview:published:any::' => [ 'result' => FALSE, 'permissions' => [], 'group_permissions' => [], @@ -113,7 +114,17 @@ protected function getTestScenarios(): array { 'status' => 1, 'scope' => 'any', ], - 'preview:published:any:preview::' => [ + 'preview:published:own::' => [ + 'result' => FALSE, + 'permissions' => [], + 'group_permissions' => [], + 'operation' => 'preview in collabora', + 'status' => 1, + 'scope' => 'own', + ], + // The global permissions that would allow to preview, doesn't work + // in a media related to a group. + 'preview:published:any:preview:' => [ 'result' => FALSE, 'permissions' => ['preview document in collabora'], 'group_permissions' => [], @@ -121,6 +132,16 @@ protected function getTestScenarios(): array { 'status' => 1, 'scope' => 'any', ], + 'preview:published:own:preview:' => [ + 'result' => FALSE, + 'permissions' => ['preview document in collabora'], + 'group_permissions' => [], + 'operation' => 'preview in collabora', + 'status' => 1, + 'scope' => 'own', + ], + // User can only see published entities with the group preview + // permission. 'preview:published:any::preview' => [ 'result' => TRUE, 'permissions' => [], @@ -153,7 +174,9 @@ protected function getTestScenarios(): array { 'status' => 0, 'scope' => 'own', ], - 'preview:unpublished:own:preview_own::' => [ + // The global preview unpublished doesn't affect to medias related + // to a group. + 'preview:unpublished:own:preview_own_unpublished:' => [ 'result' => FALSE, 'permissions' => ['preview own unpublished document in collabora'], 'group_permissions' => [], @@ -161,7 +184,25 @@ protected function getTestScenarios(): array { 'status' => 0, 'scope' => 'own', ], - 'preview:unpublished:own::preview_own' => [ + // The group permission to preview own unpublished permission allows + // to see only entities with such properties. + 'preview:published:any::preview_own_unpublished' => [ + 'result' => FALSE, + 'permissions' => [], + 'group_permissions' => ['preview own unpublished group_media:document in collabora'], + 'operation' => 'preview in collabora', + 'status' => 1, + 'scope' => 'any', + ], + 'preview:published:own::preview_own_unpublished' => [ + 'result' => FALSE, + 'permissions' => [], + 'group_permissions' => ['preview own unpublished group_media:document in collabora'], + 'operation' => 'preview in collabora', + 'status' => 1, + 'scope' => 'own', + ], + 'preview:unpublished:own::preview_own_unpublished' => [ 'result' => TRUE, 'permissions' => [], 'group_permissions' => ['preview own unpublished group_media:document in collabora'], @@ -169,15 +210,16 @@ protected function getTestScenarios(): array { 'status' => 0, 'scope' => 'own', ], - 'preview:published:own::preview_own' => [ + 'preview:unpublished:any::preview_own_unpublished' => [ 'result' => FALSE, 'permissions' => [], 'group_permissions' => ['preview own unpublished group_media:document in collabora'], 'operation' => 'preview in collabora', - 'status' => 1, - 'scope' => 'own', + 'status' => 0, + 'scope' => 'any', ], - 'edit:published:any:::' => [ + // Edit no permissions cases. + 'edit:published:any::' => [ 'result' => FALSE, 'permissions' => [], 'group_permissions' => [], @@ -185,7 +227,16 @@ protected function getTestScenarios(): array { 'status' => 1, 'scope' => 'any', ], - 'edit:published:any:edit_any::' => [ + 'edit:published:own::' => [ + 'result' => FALSE, + 'permissions' => [], + 'group_permissions' => [], + 'operation' => 'edit in collabora', + 'status' => 1, + 'scope' => 'own', + ], + // The global permission doesn't grant access to edit in a group. + 'edit:published:any:edit_any:' => [ 'result' => FALSE, 'permissions' => ['edit any document in collabora'], 'group_permissions' => [], @@ -193,6 +244,23 @@ protected function getTestScenarios(): array { 'status' => 1, 'scope' => 'any', ], + 'edit:published:own:edit_any:' => [ + 'result' => FALSE, + 'permissions' => ['edit any document in collabora'], + 'group_permissions' => [], + 'operation' => 'edit in collabora', + 'status' => 1, + 'scope' => 'own', + ], + 'edit:published:own:edit_own:' => [ + 'result' => FALSE, + 'permissions' => ['edit own document in collabora'], + 'group_permissions' => [], + 'operation' => 'edit in collabora', + 'status' => 1, + 'scope' => 'own', + ], + // Only users with edit any permission in a group can edit all. 'edit:published:any::edit_any' => [ 'result' => TRUE, 'permissions' => [], @@ -209,22 +277,23 @@ protected function getTestScenarios(): array { 'status' => 1, 'scope' => 'own', ], - 'edit:published:own::' => [ - 'result' => FALSE, + 'edit:unpublished:any::edit_any' => [ + 'result' => TRUE, 'permissions' => [], - 'group_permissions' => [], + 'group_permissions' => ['edit any group_media:document in collabora'], 'operation' => 'edit in collabora', - 'status' => 1, - 'scope' => 'own', + 'status' => 0, + 'scope' => 'any', ], - 'edit:published:own:edit_own:' => [ - 'result' => FALSE, - 'permissions' => ['edit own document in collabora'], - 'group_permissions' => [], + 'edit:unpublished:own::edit_any' => [ + 'result' => TRUE, + 'permissions' => [], + 'group_permissions' => ['edit any group_media:document in collabora'], 'operation' => 'edit in collabora', - 'status' => 1, + 'status' => 0, 'scope' => 'own', ], + // Or edit own permission for the entities the user owns. 'edit:published:own::edit_own' => [ 'result' => TRUE, 'permissions' => [], @@ -233,6 +302,14 @@ protected function getTestScenarios(): array { 'status' => 1, 'scope' => 'own', ], + 'edit:unpublished:own::edit_own' => [ + 'result' => TRUE, + 'permissions' => [], + 'group_permissions' => ['edit own group_media:document in collabora'], + 'operation' => 'edit in collabora', + 'status' => 0, + 'scope' => 'own', + ], 'edit:published:any::edit_own' => [ 'result' => FALSE, 'permissions' => [], @@ -241,6 +318,14 @@ protected function getTestScenarios(): array { 'status' => 1, 'scope' => 'any', ], + 'edit:unpublished:any::edit_own' => [ + 'result' => FALSE, + 'permissions' => [], + 'group_permissions' => ['edit own group_media:document in collabora'], + 'operation' => 'edit in collabora', + 'status' => 0, + 'scope' => 'any', + ], ]; }