Control site access policy, retain permissions from role. Fixes #521 (#…
…522)

* Control site access policy, retain permissions from role. Fixes #521

* Coding standards: unused use statement.
ekes authored Nov 19, 2024
1 parent ea24200 commit 3176693
Showing 1 changed file with 28 additions and 37 deletions.
65 changes: 28 additions & 37 deletions src/Access/ControlSiteAccessPolicy.php
Expand Up @@ -6,7 +6,6 @@
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Drupal\flexible_permissions\CalculatedPermissionsItem;
use Drupal\flexible_permissions\RefinableCalculatedPermissionsInterface;
use Drupal\group\PermissionScopeInterface;
use Drupal\group_sites\Access\GroupSitesNoSiteAccessPolicyInterface;

/**
Expand Down Expand Up @@ -34,43 +33,35 @@ public function getDescription(): string {
* {@inheritdoc}
*/
public function alterPermissions(AccountInterface $account, string $scope, RefinableCalculatedPermissionsInterface $calculated_permissions) {
// User will probably have permissions for groups.
// Eg. as Outsider with Controller role.
// We might even want to switch off admin and replace with specific
// permissions to prevent doing group content on control.
if ($scope === PermissionScopeInterface::INDIVIDUAL_ID) {
$items = $calculated_permissions->getItemsByScope($scope);
foreach ($items as $item) {
$permissions = $item->getPermissions();
// Permissions to maintain on the control site.
// @todo add control site specific permissions.
$keep = [
'administer group domain site settings',
'administer members',
'edit group',
'invite users to group',
'manage microsite enabled module permissions',
'set localgov microsite theme override',
'view any unpublished group',
'view group',
'view group invitations',
'view latest group version',
'view own unpublished group',
];
$permissions = array_intersect($permissions, $keep);
// Remove all permissions other than those we want on the control site from
// user no matter if they come from insider, outsider or individual.
$items = $calculated_permissions->getItemsByScope($scope);
foreach ($items as $item) {
$permissions = $item->getPermissions();
// Permissions to maintain on the control site.
// @todo add control site specific permissions.
$keep = [
'administer group domain site settings',
'administer members',
'edit group',
'invite users to group',
'manage microsite enabled module permissions',
'set localgov microsite theme override',
'view any unpublished group',
'view group',
'view group invitations',
'view latest group version',
'view own unpublished group',
];
$permissions = array_intersect($permissions, $keep);

$control_site_item = new CalculatedPermissionsItem(
$scope,
$item->getIdentifier(),
$permissions,
$item->isAdmin()
);
$calculated_permissions->addItem($control_site_item, TRUE);
}
}
else {
// Neither standard insider nor outside permissions should be required.
$calculated_permissions->removeItemsByScope($scope);
$control_site_item = new CalculatedPermissionsItem(
$scope,
$item->getIdentifier(),
$permissions,
$item->isAdmin()
);
$calculated_permissions->addItem($control_site_item, TRUE);
}
}
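Review bot: The rebuilt item still receives `$item->isAdmin()` as its fourth constructor argument inside the `foreach`, so the `$keep` allow-list does not appear to constrain admin items; as far as I know, flexible_permissions treats an admin item as holding every permission regardless of its permission list. With the scope check removed this now applies to every scope the policy is invoked for, and the earlier comment about possibly switching admin off on the control site is no longer in the method. If admin is meant to be limited here, pass `FALSE` as the fourth argument and give admin items the kept set explicitly, e.g. `$item->isAdmin() ? $keep : array_intersect($permissions, $keep)`; if the bypass is intentional, say so in a comment above the constructor call, such as `// Admin items deliberately keep full access on the control site.`. A test asserting that a group admin lacks a permission outside `$keep` on the control site would pin whichever behaviour is intended. The class continues outside this section, so any handling of admin elsewhere is not visible here.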

