Update InvoiceAccessControlHandler.php

Closes #3472289

src/InvoiceAccessControlHandler.php

@@ -3,6 +3,7 @@
 namespace Drupal\commerce_invoice;
 
 use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Access\AccessResultNeutral;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\entity\EntityAccessControlHandler;
@@ -19,13 +20,23 @@ class InvoiceAccessControlHandler extends EntityAccessControlHandler {
     $account = $this->prepareUser($account);
 
     /** @var \Drupal\Core\Access\AccessResult $result */
-    $result = parent::checkAccess($entity, $operation, $account);
+    // invoices should not be treated as entities
+    // they are private by default, hence parent checkAccess will be discarded
+    // we'll be using commerce_invoice permissions instead
+    $result = new AccessResultNeutral();
+    if ($account->id() === $entity->getCustomerId()) {
+      // view own commerce invoice
+      $result = AccessResult::allowedIfHasPermissions($account, ['view own commerce_invoice']);
+    }
 
-    /** @var \Drupal\commerce_order\Entity\OrderInterface $entity */
-    if (($operation === 'view') && $result->isNeutral()) {
-      if ($account->isAuthenticated() && $account->id() === $entity->getCustomerId()) {
-        $result = AccessResult::allowedIfHasPermissions($account, ['view own commerce_invoice']);
-        $result = $result->cachePerUser()->addCacheableDependency($entity);
+    // check for other permissions 
+    // only when access to own commerce invoice is not allowed
+    if (!$result->isAllowed()) {
+      // administer all commerce invoices
+      $result = AccessResult::allowedIfHasPermissions($account, ['administer commerce_invoice']);
+      if (!$result->isAllowed()) {
+        // view any commerce invoices
+        $result = AccessResult::allowedIfHasPermissions($account, ['view commerce_invoice']);
       }
     }