Commit 85723257 authored by Kristiaan Van den Eynde

Issue #3259076 by kristiaanvandeneynde: Get rid of the bypass permission

parent 2c4151db
+12 −0
@@ -72,3 +72,15 @@ function group_update_9201() {
      ->execute();
  }
}

/**
 * Remove the 'bypass group access' permission from all roles.
 */
function group_update_9202() {
  $config_factory = \Drupal::configFactory();
  foreach ($config_factory->listAll('user.role.') as $config_name) {
    $role = $config_factory->getEditable($config_name);
    $role->set('permissions', array_values(array_diff($role->get('permissions'), ['bypass group access'])));
    $role->save(TRUE);
  }
}
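Review bot: group_update_9202() rewrites and saves every `user.role.*` config object whether or not it held 'bypass group access', and it leaves no record of which roles just lost it. Because that permission granted full control over all groups, administrators will want the list of affected roles to audit who held it and to decide which narrower group permissions should replace it. Skipping roles that do not contain the permission and returning a message that names the affected config objects would cover both. The value of `$role->get('permissions')` is also passed straight to `array_diff()`, so a fallback to an empty array is worth adding in case a role's permissions value is not an array.

```php
function group_update_9202() {
  // … unchanged: config factory lookup …
  $affected = [];
  foreach ($config_factory->listAll('user.role.') as $config_name) {
    // … unchanged: load the editable role config into $role …
    $permissions = $role->get('permissions') ?: [];
    if (!in_array('bypass group access', $permissions, TRUE)) {
      continue;
    }
    $role->set('permissions', array_values(array_diff($permissions, ['bypass group access'])));
    // … unchanged: trusted save …
    $affected[] = $config_name;
  }
  return $affected ? t('Removed the bypass group access permission from: @roles', ['@roles' => implode(', ', $affected)]) : NULL;
}
```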
+0 −5
# @todo Remove god-mode permission in 8.2.0 release.
bypass group access:
  title: 'Bypass group access control'
  description: 'Gain full control over all groups and group configuration.'
  restrict access: TRUE
administer group:
  title: 'Administer group settings'
  description: 'Gain full control over all group configuration.'
+0 −5
@@ -31,11 +31,6 @@ class GroupPermissionChecker implements GroupPermissionCheckerInterface {
   * {@inheritdoc}
   */
  public function hasPermissionInGroup($permission, AccountInterface $account, GroupInterface $group) {
    // If the account can bypass all group access, return immediately.
    if ($account->hasPermission('bypass group access')) {
      return TRUE;
    }

    $calculated_permissions = $this->groupPermissionCalculator->calculatePermissions($account);

    // If the user has member permissions for this group, check those, otherwise
+1 −2
@@ -132,8 +132,7 @@ class GroupAccessControlHandler extends EntityAccessControlHandler implements En
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    $permissions = ['bypass group access', 'create ' . $entity_bundle . ' group'];
    return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR');
    return AccessResult::allowedIfHasPermission($account, 'create ' . $entity_bundle . ' group');
  }

}
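Review bot: With the 'bypass group access' alternative gone, `checkCreateAccess()` builds its only permission name from `$entity_bundle`, which defaults to `NULL`; in that case the lookup is for `'create  group'`, a name that presumably no role holds, so access is withheld only as a side effect of string concatenation. An explicit guard before the return, such as `if ($entity_bundle === NULL) { return AccessResult::neutral(); }`, would make the fail-closed behaviour deliberate and readable. Since the docblock is only `{@inheritdoc}`, a one-line comment such as `// Create access depends solely on the per-type 'create TYPE group' permission.` would also tell the next reader that no site-wide override remains.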
+1 −8
@@ -45,15 +45,8 @@ class GroupContentQueryAccessHandler extends QueryAccessHandlerBase {
   */
  protected function buildConditions($operation, AccountInterface $account) {
    $conditions = new ConditionGroup('OR');

    // @todo Remove these lines once we kill the bypass permission.
    // If the account can bypass group access, we do not alter the query at all.
    $conditions->addCacheContexts(['user.permissions']);
    if ($account->hasPermission('bypass group access')) {
      return $conditions;
    }

    $conditions->addCacheContexts(['user.group_permissions']);

    $calculated_permissions = $this->groupPermissionCalculator->calculatePermissions($account);
    $group_permissions = $calculated_permissions->getItemsByScope(CGPII::SCOPE_GROUP);
