fix edit/delete any/own on reservation entity: https://www.drupal.org/project/reserve/issues/3047518

6 years ago · 1a611e7d4c
2 changed files with 25 additions and 10 deletions
--- a/reserve.permissions.yml
+++ b/reserve.permissions.yml
@ -16,11 +16,17 @@ add reservations:
 add reservations extended:
  title: 'Create new Reservations (extended)'

-edit reservations:
-  title: 'Edit Reservations'
+edit any reservation:
+  title: 'Edit Any Reservation'

-delete reservations:
-  title: 'Delete Reservations'
+edit own reservation:
+  title: 'Edit Own Reservation'
+
+delete any reservation:
+  title: 'Delete Any Reservation'
+
+delete own reservation:
+  title: 'Delete Own Reservation'

 view published reservations:
  title: 'View published Reservations'
--- a/src/ReserveReservationAccessControlHandler.php
+++ b/src/ReserveReservationAccessControlHandler.php
@ -22,19 +22,28 @@ class ReserveReservationAccessControlHandler extends EntityAccessControlHandler
    switch ($operation) {
      case 'view':
        if (!$entity->isPublished()) {
-          return AccessResult::allowedIfHasPermission($account, 'view unpublished reservations');
+          $access = AccessResult::allowedIfHasPermission($account, 'view unpublished reservations');
        }
-        return AccessResult::allowedIfHasPermission($account, 'view published reservations');
+        $access = AccessResult::allowedIfHasPermission($account, 'view published reservations');
+        break;

      case 'update':
-        return AccessResult::allowedIfHasPermission($account, 'edit reservations');
+        $access = AccessResult::allowedIfHasPermission($account, 'edit any reservation');
+        if (!$access->isAllowed() && $account->hasPermission('edit own reservation')) {
+          $access = $access->orIf(AccessResult::allowedIf($account->id() == $entity->getOwnerId())->cachePerUser()->addCacheableDependency($entity));
+        }
+        break;

      case 'delete':
-        return AccessResult::allowedIfHasPermission($account, 'delete reservations');
+        $access =  AccessResult::allowedIfHasPermission($account, 'delete any reservation');
+        break;
+
+      // Unknown operation, no opinion.
+      default:
+        $access = AccessResult::neutral();
    }

-    // Unknown operation, no opinion.
-    return AccessResult::neutral();
+    return $access;
  }

  /**