
Update InvoiceAccessControlHandler.php

1 file
+ 17
6
@@ -3,6 +3,7 @@
namespace Drupal\commerce_invoice;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultNeutral;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\entity\EntityAccessControlHandler;
@@ -19,13 +20,23 @@ class InvoiceAccessControlHandler extends EntityAccessControlHandler {
$account = $this->prepareUser($account);
/** @var \Drupal\Core\Access\AccessResult $result */
$result = parent::checkAccess($entity, $operation, $account);
// invoices should not be treated as entities
// they are private by default, hence parent checkAccess will be discarded
// we'll be using commerce_invoice permissions instead
$result = new AccessResultNeutral();
if ($account->id() === $entity->getCustomerId()) {
// view own commerce invoice
$result = AccessResult::allowedIfHasPermissions($account, ['view own commerce_invoice']);
}
/** @var \Drupal\commerce_order\Entity\OrderInterface $entity */
if (($operation === 'view') && $result->isNeutral()) {
if ($account->isAuthenticated() && $account->id() === $entity->getCustomerId()) {
$result = AccessResult::allowedIfHasPermissions($account, ['view own commerce_invoice']);
$result = $result->cachePerUser()->addCacheableDependency($entity);
// check for other permissions
// only when access to own commerce invoice is not allowed
if (!$result->isAllowed()) {
// administer all commerce invoices
$result = AccessResult::allowedIfHasPermissions($account, ['administer commerce_invoice']);
if (!$result->isAllowed()) {
// view any commerce invoices
$result = AccessResult::allowedIfHasPermissions($account, ['view commerce_invoice']);
}
}
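Review bot: No `$operation` test is visible around the new permission grants (`view own commerce_invoice`, `administer commerce_invoice`, `view commerce_invoice`), and the added comments say the parent `checkAccess()` result is discarded; this page has lost its +/- markers, so if the `($operation === 'view')` condition is on the removed side, the view permissions would also allow `update` and `delete`. I would keep the view-only grants behind `if ($operation === 'view')` and leave other operations to `administer commerce_invoice` or the parent result. The new owner comparison `if ($account->id() === $entity->getCustomerId())` also lacks the `$account->isAuthenticated()` check of the earlier condition, which matters if an invoice can carry the anonymous customer id. Reassigning `$result` in the fallbacks discards any `cachePerUser()` and entity cache metadata, although the outcome depends on who the account is; `$result = $result->orIf(AccessResult::allowedIfHasPermissions($account, ['view commerce_invoice']));` would merge the cacheability instead. The method's signature and its return statement are outside the hunk.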