Commit 73596daa authored by Philip Curley's avatar Philip Curley Committed by Nikolay Lobachev

Issue #3393973 by ikphilip, LOBsTerr: User Accept/Decline invitation access denied

parent 6f1430b8
ginvite.invitation.accept:
path: '/ginvite/{group_relationship}/accept'
path: '/ginvite/{group_content}/accept'
defaults:
_controller: '\Drupal\ginvite\Controller\InvitationOperations::accept'
_title: 'Accept invitation and join group'
requirements:
_group_installed_content: 'group_invitation'
_custom_access: '\Drupal\ginvite\Controller\InvitationOperations::checkAccess'
options:
parameters:
group_relationship:
group_content:
type: entity:group_content
ginvite.invitation.decline:
path: '/ginvite/{group_relationship}/decline'
path: '/ginvite/{group_content}/decline'
defaults:
_controller: '\Drupal\ginvite\Controller\InvitationOperations::decline'
_title: 'Decline invitation'
requirements:
_group_installed_content: 'group_invitation'
_custom_access: '\Drupal\ginvite\Controller\InvitationOperations::checkAccess'
options:
parameters:
group_relationship:
group_content:
type: entity:group_content
ginvite.invitation.bulk:
......
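Review bot: The accept and decline routes change state on a plain request, yet the requirements shown for them carry no CSRF protection: `decline()` saves `invitation_status` as soon as the URL is loaded, and `accept()` appears to take a similar direct path when `invitation_bypass_form` is set. Since `_custom_access` now allows the invited user, a cross-site request made from that user's session would pass the access check. Consider adding `_csrf_token: 'TRUE'` under `requirements:` on both routes (the links then have to be built through the URL generator so the token is appended), or moving the state change behind a confirmation form. It is also not clear from the rendered page whether `_group_installed_content: 'group_invitation'` is kept or replaced; if it is kept, the plugin check inside `checkAccess()` duplicates it.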
......@@ -2,6 +2,7 @@
namespace Drupal\ginvite\Controller;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityFormBuilderInterface;
use Drupal\Core\Messenger\MessengerInterface;
......@@ -73,14 +74,14 @@ class InvitationOperations extends ControllerBase {
*
* @param \Symfony\Component\HttpFoundation\Request $request
* HTTP request.
* @param \Drupal\group\Entity\GroupRelationshipInterface $group_relationship
* @param \Drupal\group\Entity\GroupRelationshipInterface $group_content
* Invitation entity.
*
* @return array
* The processed form for the given entity and operation.
*/
public function accept(Request $request, GroupRelationshipInterface $group_relationship) {
$group = $group_relationship->getGroup();
public function accept(Request $request, GroupRelationshipInterface $group_content) {
$group = $group_content->getGroup();
$group_id = $group->id();
$group_type = $group->getGroupType();
......@@ -94,11 +95,11 @@ class InvitationOperations extends ControllerBase {
// Pre-populate a group membership with the current user.
$group_membership = GroupRelationship::create([
'type' => $relation_type_id,
'entity_id' => $group_relationship->getEntityId(),
'entity_id' => $group_content->getEntityId(),
'content_plugin' => 'group_membership',
'gid' => $group_id,
'uid' => $group_relationship->getOwnerId(),
'group_roles' => $group_relationship->get('group_roles')->getValue(),
'uid' => $group_content->getOwnerId(),
'group_roles' => $group_content->get('group_roles')->getValue(),
]);
if (!empty($invitation_plugin_configuration['invitation_bypass_form']) && $invitation_plugin_configuration['invitation_bypass_form'] === TRUE) {
......@@ -135,7 +136,7 @@ class InvitationOperations extends ControllerBase {
*
* @param \Symfony\Component\HttpFoundation\Request $request
* HTTP request.
* @param \Drupal\group\Entity\GroupRelationshipInterface $group_relationship
* @param \Drupal\group\Entity\GroupRelationshipInterface $group_content
* Invitation entity.
*
* @return \Symfony\Component\HttpFoundation\RedirectResponse
......@@ -143,9 +144,9 @@ class InvitationOperations extends ControllerBase {
*
* @throws \Drupal\Core\Entity\EntityStorageException
*/
public function decline(Request $request, GroupRelationshipInterface $group_relationship) {
$group_relationship->set('invitation_status', GroupInvitation::INVITATION_REJECTED)->save();
$group_bundle = $group_relationship->getGroup()->getGroupType()->label();
public function decline(Request $request, GroupRelationshipInterface $group_content) {
$group_content->set('invitation_status', GroupInvitation::INVITATION_REJECTED)->save();
$group_bundle = $group_content->getGroup()->getGroupType()->label();
$this->messenger->addMessage($this->t('You have declined the @group_bundle invitation.', ['@group_bundle' => $group_bundle]));
if ($request->query->has('destination')) {
......@@ -181,4 +182,33 @@ class InvitationOperations extends ControllerBase {
return $title;
}
/**
* Checks if this current has access to update invitation.
*
* @param \Drupal\group\Entity\GroupRelationshipInterface $group_content
* Invitation entity.
*
* @return \Drupal\Core\Access\AccessResult
* Access check result.
*/
public function checkAccess(GroupRelationshipInterface $group_content) {
$invited_user_id = $group_content->getEntityId();
$group = $group_content->getGroup();
// Plugin is not installed.
if (!$group->getGroupType()->hasPlugin('group_invitation')) {
return AccessResult::forbidden();
}
$membership = $this->membershipLoader->load($group, $this->currentUser());
$current_state = $group_content->get('invitation_status')->value;
// Only allow user accept/decline own invitations.
if ($invited_user_id == $this->currentUser()->id() && !$membership && (int) $current_state === GroupInvitation::INVITATION_PENDING) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
}
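Review bot: In `checkAccess()` the ownership test `$invited_user_id == $this->currentUser()->id()` is a loose comparison, so an empty or `0` entity id on the invitation would compare equal to the anonymous user's id of 0. Whether such invitations can exist (for example ones addressed to an e-mail without an account) is not visible here, but the check should not depend on it. Reject anonymous callers up front with `if ($this->currentUser()->isAnonymous()) { return AccessResult::forbidden(); }` and compare with `(int) $invited_user_id === (int) $this->currentUser()->id()`. The returned results also carry no cacheability metadata although they depend on the current user and on the invitation's status; building the result as `AccessResult::allowedIf(...)->cachePerUser()->addCacheableDependency($group_content)` would keep a cached decision from being reused for another user or after the status changes. The docblock summary is missing a word and should read `Checks if the current user has access to update the invitation.`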