Commit a6bcc3cc authored by Bojan Živanović's avatar Bojan Živanović Committed by Bojan Živanović

Issue #2499645 by bojanz: Start using the entity query access API on orders, products and stores

parent bf6abe3f
+1 −1
@@ -7,7 +7,7 @@
    "require": {
        "drupal/core": "^8.6",
        "drupal/address": "^1.4",
        "drupal/entity": "^1.0-beta4",
        "drupal/entity": "^1.0-rc1",
        "drupal/entity_reference_revisions": "~1.0",
        "drupal/inline_entity_form": "^1.0-rc1",
        "drupal/profile": "~1.0",
+6 −0
@@ -32,3 +32,9 @@ services:
    arguments: ['@commerce_cart.cart_provider']
    tags:
      - { name: event_subscriber }

  commerce_cart.query_access_subscriber:
    class: Drupal\commerce_cart\EventSubscriber\QueryAccessSubscriber
    arguments: ['@commerce_cart.cart_provider', '@commerce_cart.cart_session']
    tags:
    - { name: event_subscriber, priority: 100 }
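Review bot: The tags list under the new `commerce_cart.query_access_subscriber` service is indented differently from the subscriber registered just above it: `    - { name: event_subscriber, priority: 100 }` sits at the same column as `tags:`, while the existing entry nests its item two spaces deeper. Both forms parse, but the file's convention is the deeper indent, so `      - { name: event_subscriber, priority: 100 }` keeps the block consistent. A one-line comment above the tag saying why priority 100 is needed (presumably so this subscriber runs before other query-access listeners, since it rewrites the conditions) would also help the next reader.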
+2 −1
@@ -213,7 +213,8 @@ class CartProvider implements CartProviderInterface {
        ->condition('state', 'draft')
        ->condition('cart', TRUE)
        ->condition('uid', $account->id())
        ->sort('order_id', 'DESC');
        ->sort('order_id', 'DESC')
        ->accessCheck(FALSE);
      $cart_ids = $query->execute();
    }
    else {
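Review bot: `->accessCheck(FALSE)` is added without a comment saying why skipping access checking is safe here, and the reason is not visible in the hunk. If this is the query behind `getCartIds()`, disabling it is actually required: the new QueryAccessSubscriber calls `getCartIds()` while answering the query-access event, so an access-checked query here would dispatch that same event again. A comment such as `// Access checking is disabled because the query is already scoped to $account, and because QueryAccessSubscriber calls this method while building access conditions.` would record both reasons. The enclosing method starts and ends outside the hunk.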
+81 −0
<?php

namespace Drupal\commerce_cart\EventSubscriber;

use Drupal\commerce_cart\CartProviderInterface;
use Drupal\commerce_cart\CartSessionInterface;
use Drupal\entity\QueryAccess\QueryAccessEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

class QueryAccessSubscriber implements EventSubscriberInterface {

  /**
   * The cart provider.
   *
   * @var \Drupal\commerce_cart\CartProviderInterface
   */
  protected $cartProvider;

  /**
   * The cart session.
   *
   * @var \Drupal\commerce_cart\CartSessionInterface
   */
  protected $cartSession;

  /**
   * Constructs a new QueryAccessSubscriber object.
   *
   * @param \Drupal\commerce_cart\CartProviderInterface $cart_provider
   *   The cart provider.
   * @param \Drupal\commerce_cart\CartSessionInterface $cart_session
   *   The cart session.
   */
  public function __construct(CartProviderInterface $cart_provider, CartSessionInterface $cart_session) {
    $this->cartProvider = $cart_provider;
    $this->cartSession = $cart_session;
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    return [
      'entity.query_access.commerce_order' => 'onQueryAccess',
    ];
  }

  /**
   * Modifies the access conditions for cart orders.
   *
   * @param \Drupal\entity\QueryAccess\QueryAccessEvent $event
   *   The event.
   */
  public function onQueryAccess(QueryAccessEvent $event) {
    if ($event->getOperation() != 'view') {
      return;
    }

    $conditions = $event->getConditions();
    // The user already has full access due to a "administer commerce_order"
    // or "view commerce_order" permission.
    if (!$conditions->count() && !$conditions->alwaysFalse()) {
      return;
    }

    $account = $event->getAccount();
    // Any user can view their own active carts, regardless of any permissions.
    // Authenticated users can also see their own completed carts.
    $cart_ids = $this->cartProvider->getCartIds($account);
    if ($account->isAuthenticated()) {
      $completed_cart_ids = $this->cartSession->getCartIds(CartSessionInterface::COMPLETED);
      $cart_ids = array_merge($cart_ids, $completed_cart_ids);
    }

    if (!empty($cart_ids)) {
      $conditions->addCondition('order_id', $cart_ids);
      $conditions->alwaysFalse(FALSE);
    }
  }

}
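Review bot: `onQueryAccess()` mixes two sources of identity: `$account` is taken from the event, but the completed cart IDs are read from `$this->cartSession`, i.e. the current request's session, with no check that the session belongs to that account. If query access can be evaluated for an account other than the current user, that account would be granted view access to the current session's completed carts. Either guard the session lookup so it only applies when `$account` is the current user, or document on the method that the event is only expected to carry the current user, e.g. `// Assumes $account is the current user; the session-based cart IDs are only meaningful for it.`. Relatedly, the comment says authenticated users see their own completed carts via the session, but those orders are normally reachable through uid-based permissions, so confirm whether this branch was intended for anonymous users instead. Minor: `$event->getOperation() != 'view'` should use `!==`.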
+2 −1
@@ -46,7 +46,8 @@ class AddToCartFormTest extends CartBrowserTestBase {
    // Find the newly created anonymous cart.
    $query = \Drupal::entityQuery('commerce_order')
      ->condition('cart', TRUE)
      ->condition('uid', 0);
      ->condition('uid', 0)
      ->accessCheck(FALSE);
    $result = $query->execute();
    $cart_id = reset($result);
    $cart = Order::load($cart_id);
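Review bot: The test now bypasses access checking to find the anonymous cart, but nothing in this commit exercises the new query-access path itself, e.g. that an access-checked `commerce_order` query returns a cart for its owner and nothing for an unrelated account. A dedicated test for QueryAccessSubscriber would protect the behaviour this commit introduces. A short comment on the new `->accessCheck(FALSE)` line explaining why access must be skipped here (presumably because the test is not running as the anonymous cart's owner) would also help; the enclosing test method starts and ends outside the hunk.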