Skip to content
Snippets Groups Projects
Commit 2a2920e2 authored by baldwinlouie's avatar baldwinlouie
Browse files

Issue #2999543 by baldwinlouie: Add support for cloud config based permissions

parent b672ad3e
No related branches found
No related tags found
No related merge requests found
Showing
with 268 additions and 256 deletions
......@@ -6,6 +6,8 @@
* Provides common functionality for cloud management.
*/
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\views\ViewExecutable;
use Drupal\Core\Access\AccessResult;
/**
* Implements hook_help().
......@@ -53,3 +55,26 @@ function cloud_theme_suggestions_cloud_config(array $variables) {
$suggestions[] = 'cloud_config__' . $entity->id() . '__' . $sanitized_view_mode;
return $suggestions;
}
/**
* Implements hook_views_pre_render().
*
* This is a workaround to implement row level access control,
* until this issue is resolved: https://www.drupal.org/project/entity/issues/2909970
* Loop through the results, and call hasPermissions() with the entity's cloud_context.
* Unset the entity if the user does not have permissions.
*
* @param \Drupal\views\ViewExecutable $view
*/
function cloud_views_pre_render(ViewExecutable $view) {
$account = \Drupal::currentUser();
if ($view->id() == 'cloud_listing' || $view->id() == 'server_template_listing') {
foreach ($view->result as $key => $result) {
/* @var \Drupal\cloud\Entity\CloudConfigInterface $cloud */
$cloud = $result->_entity;
if (!$account->hasPermission('view ' . $cloud->cloud_context())) {
unset($view->result[$key]);
}
}
}
}
\ No newline at end of file
# Setup permissions based on cloud context
permission_callbacks:
- Drupal\cloud\CloudPermissions::configPermissions
access dashboard:
title: 'Access cloud dashboard'
description: 'Allow access to cloud dashboard'
......@@ -16,9 +20,6 @@ delete cloud config entities:
edit cloud config entities:
title: 'Edit Cloud config entities'
view published cloud config entities:
title: 'View published Cloud config entities'
view unpublished cloud config entities:
title: 'View unpublished Cloud config entities'
......
# updated by yas 2016/05/25
# updated by yas 2016/05/23
add cloud server template:
title: 'Add server template'
description: 'Allow to add server template'
list cloud server template:
title: 'List server template'
description: 'Allow access to list server template'
view cloud server template:
title: 'View server template'
description: 'Allow access to view server template'
edit cloud server template:
title: 'Edit server template'
description: 'Allow to edit server template'
delete cloud server template:
title: 'Delete server template'
description: 'Allow to delete server template'
add cloud server template entities:
title: 'Create new Cloud Server Template entities'
......
......@@ -2,13 +2,20 @@
# Cloud Server Template entity view route
entity.cloud_server_template.canonical:
path: '/clouds/design/server_template/{cloud_server_template}'
path: '/clouds/design/server_template/{cloud_context}/{cloud_server_template}'
defaults:
_entity_view: 'cloud_server_template'
_title: 'Server Template Content'
requirements:
_entity_access: 'cloud_server_template.view'
_permission: 'view cloud server template'
entity.cloud_server_template.collection:
path: '/clouds/design/server_template/list'
defaults:
_entity_list: 'cloud_server_template'
_title: 'Server Template List'
requirements:
_permission: 'list cloud server template'
entity.cloud_server_template.collection.list_all:
path: '/clouds/design/server_template/list'
......@@ -25,7 +32,11 @@ entity.cloud_server_template.collection.list_all.context:
_entity_list: 'cloud_server_template'
_title: 'Server Template List'
requirements:
_permission: 'list cloud server template'
# Use custom access that will check for cloud_context and the desired permission.
# Desired permission is passed as an option in the "perm" variable
_custom_access: '\Drupal\cloud\Controller\CloudConfigController::access'
options:
perm: 'list cloud server template'
# Cloud Server Template Type Form
entity.cloud_server_template.add_form:
......@@ -36,22 +47,25 @@ entity.cloud_server_template.add_form:
_title_callback: 'Drupal\Core\Entity\Controller\EntityController::addBundleTitle'
bundle_parameter: 'cloud_server_template_type'
requirements:
_entity_create_access: 'cloud_server_template:{cloud_server_template_type}'
# Use custom access that will check for cloud_context and the desired permission.
# Desired permission is passed as an option in the "perm" variable
_custom_access: '\Drupal\cloud\Controller\CloudConfigController::access'
options:
parameters:
cloud_server_template_type:
type: 'entity:cloud_server_template_type'
converter: 'paramconverter.entity'
perm: 'add cloud server template entities'
parameters:
cloud_server_template_type:
type: 'entity:cloud_server_template_type'
converter: 'paramconverter.entity'
entity.cloud_server_template.launch:
path: '/clouds/design/server_template/{cloud_server_template}/launch'
path: '/clouds/design/server_template/{cloud_context}/{cloud_server_template}/launch'
defaults:
# _controller: '\Drupal\cloud_server_template\Controller\CloudServerTemplateController::launch'
_entity_form: cloud_server_template.launch
# entity_type_id: 'cloud_server_template'
_title: 'Launch'
entity_id: 'cloud_server_template'
requirements:
_permission: 'launch server template'
# Use custom access that will check for cloud_context and the desired permission.
# Desired permission is passed as an option in the "perm" variable
_custom_access: '\Drupal\cloud\Controller\CloudConfigController::access'
options:
perm: 'launch server template'
......@@ -22,15 +22,15 @@ class CloudServerTemplateAccessControlHandler extends EntityAccessControlHandler
switch ($operation) {
case 'view':
if (!$entity->isPublished()) {
return AccessResult::allowedIfHasPermission($account, 'view unpublished cloud server template entities');
return AccessResult::allowedIfHasPermissions($account, ['view unpublished cloud server template entities', 'view ' . $entity->cloud_context()]);
}
return AccessResult::allowedIfHasPermission($account, 'view published cloud server template entities');
return AccessResult::allowedIfHasPermissions($account, ['view published cloud server template entities', 'view ' . $entity->cloud_context()]);
case 'update':
return AccessResult::allowedIfHasPermission($account, 'edit cloud server template entities');
return AccessResult::allowedIfHasPermissions($account, ['edit cloud server template entities', 'view ' . $entity->cloud_context()]);
case 'delete':
return AccessResult::allowedIfHasPermission($account, 'delete cloud server template entities');
return AccessResult::allowedIfHasPermissions($account, ['delete cloud server template entities', 'view ' . $entity->cloud_context()]);
}
// Unknown operation, no opinion.
......
......@@ -39,13 +39,19 @@ class CloudServerTemplateListBuilder extends CloudContentListBuilder {
*/
public function buildRow(EntityInterface $entity) {
$row['name'] = Link::createFromRoute(
$entity->label(),
'entity.cloud_server_template.canonical',
['cloud_server_template' => $entity->id()]
);
return $row + parent::buildRow($entity);
$account = \Drupal::currentUser();
if ($account->hasPermission('view ' . $entity->cloud_context())) {
$row['name'] = Link::createFromRoute(
$entity->label(),
'entity.cloud_server_template.canonical',
[
'cloud_server_template' => $entity->id(),
'cloud_context' => $entity->cloud_context()
]
);
return $row + parent::buildRow($entity);
}
}
}
......@@ -55,7 +55,7 @@ use Drupal\user\UserInterface;
* "status" = "status",
* },
* links = {
* "canonical" = "/clouds/design/server_template/{cloud_server_template}",
* "canonical" = "/clouds/design/server_template/{cloud_context}/{cloud_server_template}",
* "add-form" = "/clouds/design/server_template/add/{cloud_context}/{cloud_server_template_type}",
* "edit-form" = "/clouds/design/server_template/edit/{cloud_context}/{cloud_server_template}",
* "delete-form" = "/clouds/design/server_template/delete/{cloud_context}/{cloud_server_template}",
......@@ -65,7 +65,7 @@ use Drupal\user\UserInterface;
* "revision_delete" = "/clouds/design/server_template/{cloud_server_template}/revisions/{cloud_server_template_revision}/delete",
* "translation_revert" = "/clouds/design/server_template/{cloud_server_template}/revisions/{cloud_server_template_revision}/revert/{langcode}",
* "collection" = "/clouds/design/server_template/list",
* "launch" = "/clouds/design/server_template/{cloud_server_template}/launch",
* "launch" = "/clouds/design/server_template/{cloud_context}/{cloud_server_template}/launch",
* },
* bundle_entity_type = "cloud_server_template_type",
* field_ui_base_route = "entity.cloud_server_template_type.edit_form"
......
......@@ -110,7 +110,7 @@ class CloudServerTemplateRevisionDeleteForm extends ConfirmFormBase {
drupal_set_message(t('Revision from %revision-date of Cloud Server Template %title has been deleted.', ['%revision-date' => format_date($this->revision->getRevisionCreationTime()), '%title' => $this->revision->label()]));
$form_state->setRedirect(
'entity.cloud_server_template.canonical',
['cloud_server_template' => $this->revision->id()]
['cloud_server_template' => $this->revision->id(), 'cloud_context' => $this->revision->cloud_context()]
);
if ($this->connection->query('SELECT COUNT(DISTINCT vid) FROM {cloud_server_template_field_revision} WHERE id = :id', [':id' => $this->revision->id()])->fetchField() > 1) {
$form_state->setRedirect(
......
......@@ -21,7 +21,7 @@ define('CLOUD_SERVER_TEMPLATES_REPEAT_COUNT', 3);
* @group Cloud
*/
class CloudServerTemplateTest extends WebTestBase {
/* @FIXME extends AwsCloudTestCase { */
// @FIXME extends AwsCloudTestCase {
/**
* Modules to enable.
......
......@@ -3,6 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- cloud
- user
id: aws_cloud_key_pairs
label: 'AWS Cloud Key Pairs'
......@@ -20,9 +21,9 @@ display:
position: 0
display_options:
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'add cloud server template'
perm: 'list aws cloud key pair'
cache:
type: tag
options: { }
......@@ -416,6 +417,11 @@ display:
plugin_id: field
defaults:
fields: false
access: false
access:
type: perm
options:
perm: 'add cloud server template entities'
cache_metadata:
max-age: -1
contexts:
......
......@@ -3,7 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- user
- cloud
id: aws_elastic_ip
label: 'AWS Cloud Elastic Ip'
module: views
......@@ -20,9 +20,9 @@ display:
position: 0
display_options:
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'add aws cloud elastic ip'
perm: 'list aws cloud elastic ip'
cache:
type: tag
options: { }
......
......@@ -3,6 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- cloud
- user
id: aws_images
label: 'AWS Cloud Images'
......@@ -37,7 +38,7 @@ display:
type: basic
options:
submit_button: Apply
reset_button: false
reset_button: true
reset_button_label: Reset
exposed_sorts_label: 'Sort by'
expose_sort_order: true
......@@ -539,6 +540,10 @@ display:
plugin_id: string
display_extenders: { }
use_ajax: false
filter_groups:
operator: AND
groups:
1: AND
cache_metadata:
max-age: -1
contexts:
......@@ -686,7 +691,7 @@ display:
access:
type: perm
options:
perm: 'add cloud server template'
perm: 'add cloud server template entities'
cache_metadata:
max-age: -1
contexts:
......@@ -704,7 +709,7 @@ display:
display_extenders: { }
path: clouds/aws_cloud/%cloud_context/image
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'list aws cloud image'
defaults:
......
......@@ -3,7 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- user
- cloud
id: aws_instances
label: 'AWS Cloud Instances'
module: views
......@@ -20,7 +20,7 @@ display:
position: 0
display_options:
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'list aws cloud instance'
cache:
......@@ -643,6 +643,11 @@ display:
entity_field: cloud_context
plugin_id: string
display_extenders: { }
filter_groups:
operator: AND
groups:
1: AND
use_ajax: false
cache_metadata:
max-age: -1
contexts:
......
......@@ -3,6 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- cloud
- user
id: aws_network_interfaces
label: 'AWS Cloud Network Interfaces'
......@@ -22,7 +23,7 @@ display:
access:
type: perm
options:
perm: 'add cloud server template'
perm: 'add cloud server template entities'
cache:
type: tag
options: { }
......@@ -390,8 +391,7 @@ display:
filters: { }
filter_groups:
operator: AND
groups:
1: AND
groups: { }
arguments:
cloud_context:
id: cloud_context
......@@ -944,7 +944,7 @@ display:
entity_type: aws_cloud_network_interface
plugin_id: entity_operations
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'list aws cloud network interface'
cache_metadata:
......
......@@ -3,6 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- cloud
- user
id: aws_security_group
label: 'AWS Cloud Security Group'
......@@ -498,6 +499,7 @@ display:
defaults:
fields: false
arguments: false
access: false
arguments:
cloud_context:
id: cloud_context
......@@ -541,12 +543,17 @@ display:
entity_type: aws_cloud_security_group
entity_field: cloud_context
plugin_id: string
access:
type: perm
options:
perm: 'add cloud server template entities'
cache_metadata:
max-age: -1
contexts:
- 'languages:language_content'
- 'languages:language_interface'
- url
- user.permissions
tags: { }
page_1:
display_plugin: page
......@@ -557,7 +564,7 @@ display:
display_extenders: { }
path: clouds/aws_cloud/%cloud_context/security_group
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'list aws cloud security group'
defaults:
......
......@@ -3,7 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- user
- cloud
id: aws_snapshot
label: 'AWS Cloud Snapshot'
module: views
......@@ -20,7 +20,7 @@ display:
position: 0
display_options:
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'list aws cloud snapshot'
cache:
......@@ -438,6 +438,9 @@ display:
entity_field: cloud_context
plugin_id: string
display_extenders: { }
filter_groups:
operator: AND
groups: { }
cache_metadata:
max-age: -1
contexts:
......
......@@ -3,7 +3,7 @@ status: true
dependencies:
module:
- aws_cloud
- user
- cloud
id: aws_volume
label: 'Aws Cloud Volume'
module: views
......@@ -20,7 +20,7 @@ display:
position: 0
display_options:
access:
type: perm
type: ViewsCloudContextAccess
options:
perm: 'list aws cloud volume'
cache:
......@@ -703,6 +703,9 @@ display:
entity_field: cloud_context
plugin_id: string
display_extenders: { }
filter_groups:
operator: AND
groups: { }
cache_metadata:
max-age: -1
contexts:
......
......@@ -142,7 +142,7 @@ class ApiController extends ControllerBase implements ApiControllerInterface {
$this->messageUser($this->t('Unable to update elastic ips.'));
}
return $this->redirect('entity.aws_cloud_elastic_ip.collection', [
return $this->redirect('view.aws_elastic_ip.page_1', [
'cloud_context' => $cloud_context,
]);
}
......
......@@ -24,20 +24,20 @@ class ElasticIpAccessControlHandler extends EntityAccessControlHandler {
switch ($operation) {
case 'view':
return AccessResult::allowedIfHasPermission($account, 'view aws cloud elastic ip');
return AccessResult::allowedIfHasPermissions($account, ['view aws cloud elastic ip', 'view ' . $entity->cloud_context()]);
case 'update':
case 'edit':
return AccessResult::allowedIfHasPermission($account, 'edit aws cloud elastic ip');
return AccessResult::allowedIfHasPermissions($account, ['edit aws cloud elastic ip', 'view ' . $entity->cloud_context()]);
case 'delete':
return AccessResult::allowedIfHasPermission($account, 'delete aws cloud elastic ip');
return AccessResult::allowedIfHasPermissions($account, ['delete aws cloud elastic ip', 'view ' . $entity->cloud_context()]);
}
return AccessResult::allowed();
// Unknown operation, no opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
* Not being used anymore. Access check is performed in \Drupal\cloud\Controller\CloudConfigController::access
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
return AccessResult::allowedIfHasPermission($account, 'add aws cloud elastic ip');
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment