From 1a611e7d4cc9c9190ab245b56e0baaa40f7f50a9 Mon Sep 17 00:00:00 2001
From: Peter Lindstrom
Date: Fri, 12 Apr 2019 11:05:12 -0400
Subject: [PATCH] fix edit/delete any/own on reservation entity: https://www.drupal.org/project/reserve/issues/3047518
---
 reserve.permissions.yml | 14 +++++++++----
 ...ReserveReservationAccessControlHandler.php | 21 +++++++++++++------
 2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/reserve.permissions.yml b/reserve.permissions.yml
index 3b1fb95..6446c9a 100644
--- a/reserve.permissions.yml
+++ b/reserve.permissions.yml
@@ -16,11 +16,17 @@ add reservations:
 add reservations extended:
 title: 'Create new Reservations (extended)'
-edit reservations:
- title: 'Edit Reservations'
+edit any reservation:
+ title: 'Edit Any Reservation'
-delete reservations:
- title: 'Delete Reservations'
+edit own reservation:
+ title: 'Edit Own Reservation'
+
+delete any reservation:
+ title: 'Delete Any Reservation'
+
+delete own reservation:
+ title: 'Delete Own Reservation'
 view published reservations:
 title: 'View published Reservations'
diff --git a/src/ReserveReservationAccessControlHandler.php b/src/ReserveReservationAccessControlHandler.php
index a72db2d..7aab60e 100644
--- a/src/ReserveReservationAccessControlHandler.php
+++ b/src/ReserveReservationAccessControlHandler.php
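Review bot: In reserve.permissions.yml the `edit reservations` and `delete reservations` permissions disappear under new names, and the diffstat lists only two changed files, so nothing in this patch carries existing role grants over to `edit any reservation` / `delete any reservation`. Roles that held the old names would lose edit and delete access after the update until an administrator re-grants it, and the stale names may linger in exported role configuration. An update hook that maps the old grants to the new 'any' permissions would make the upgrade predictable. A `description` on each 'any' permission stating that it covers other users' reservations would also help administrators assign it deliberately.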
@@ -22,19 +22,28 @@ class ReserveReservationAccessControlHandler extends EntityAccessControlHandler
 switch ($operation) {
 case 'view':
 if (!$entity->isPublished()) {
- return AccessResult::allowedIfHasPermission($account, 'view unpublished reservations');
+ $access = AccessResult::allowedIfHasPermission($account, 'view unpublished reservations');
 }
- return AccessResult::allowedIfHasPermission($account, 'view published reservations');
+ $access = AccessResult::allowedIfHasPermission($account, 'view published reservations');
+ break;
 case 'update':
- return AccessResult::allowedIfHasPermission($account, 'edit reservations');
+ $access = AccessResult::allowedIfHasPermission($account, 'edit any reservation');
+ if (!$access->isAllowed() && $account->hasPermission('edit own reservation')) {
+ $access = $access->orIf(AccessResult::allowedIf($account->id() == $entity->getOwnerId())->cachePerUser()->addCacheableDependency($entity));
+ }
+ break;
 case 'delete':
- return AccessResult::allowedIfHasPermission($account, 'delete reservations');
+ $access = AccessResult::allowedIfHasPermission($account, 'delete any reservation');
+ break;
+
+ // Unknown operation, no opinion.
+ default:
+ $access = AccessResult::neutral();
 }
- // Unknown operation, no opinion.
- return AccessResult::neutral();
+ return $access;
 }
 /**
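Review bot: In the `view` case the result computed for an unpublished reservation is overwritten by the unconditional 'view published reservations' assignment that follows the `if`. An account holding only 'view published reservations' is therefore allowed to view unpublished reservations, and 'view unpublished reservations' no longer has any effect; the removed `return` was what kept the two branches apart, so the published check belongs in an `else`. The `delete` case checks only 'delete any reservation', so the 'delete own reservation' permission added in reserve.permissions.yml is never consulted and needs the same owner check as `update`. The loose comparison `$account->id() == $entity->getOwnerId()` would also match an anonymous account against anonymous-owned reservations if those can exist, which is worth confirming before granting an 'own' permission to anonymous users. The method's signature and the start of its body are outside this hunk.

```php
      case 'view':
        if (!$entity->isPublished()) {
          // … unchanged: 'view unpublished reservations' check assigned to $access …
        }
        else {
          $access = AccessResult::allowedIfHasPermission($account, 'view published reservations');
        }
        break;

      // … unchanged: 'update' case …

      case 'delete':
        $access = AccessResult::allowedIfHasPermission($account, 'delete any reservation');
        if (!$access->isAllowed() && $account->hasPermission('delete own reservation')) {
          $access = $access->orIf(AccessResult::allowedIf($account->id() == $entity->getOwnerId())->cachePerUser()->addCacheableDependency($entity));
        }
        break;
```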