OI-74: Restrict access of author to remove himself from a group.

istolar · Jul 23, 2020 · ea6a2fe · ea6a2fe
1 parent 9428ae4
commit ea6a2fe
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/modules/openideal_idea/openideal_idea.module b/modules/openideal_idea/openideal_idea.module
@@ -16,6 +16,7 @@ use Drupal\Core\Url;
 use Drupal\node\NodeInterface;
 use Drupal\openideal_idea\ComputedNumberList;
 use Drupal\openideal_idea\Form\OpenidealBaseRatingForm;
+use Drupal\openideal_idea\Plugin\OpenidealGroupContentAccessControlHandler as GroupContentAccessHandle;
 
 /**
  * Implements hook_form_alter().
@@ -267,3 +268,11 @@ function openideal_idea_entity_type_build(array &$entity_types) {
   // To add "un-like" ability to the Idea bundle.
   $entity_types['vote']->setFormClass('votingapi_openideal_useful', OpenidealBaseRatingForm::class);
 }
+
+/**
+ * Implements hook_group_content_info_alter().
+ */
+function openideal_idea_group_content_info_alter(&$info) {
+  // Alter the content enabler plugin definitions to use our class.
+  $info['group_membership']['handlers']['access'] = GroupContentAccessHandle::class;
+}
diff --git a/modules/openideal_idea/src/Plugin/OpenidealGroupContentAccessControlHandler.php b/modules/openideal_idea/src/Plugin/OpenidealGroupContentAccessControlHandler.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace Drupal\openideal_idea\Plugin;
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\group\Entity\GroupContentInterface;
+use Drupal\group\Plugin\GroupContentAccessControlHandler;
+use Drupal\group\Plugin\GroupContentAccessControlHandlerInterface;
+
+/**
+ * Provides custom access control for GroupMembership entities.
+ */
+class OpenidealGroupContentAccessControlHandler extends GroupContentAccessControlHandler implements GroupContentAccessControlHandlerInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function relationAccess(GroupContentInterface $group_content, $operation, AccountInterface $account, $return_as_object = FALSE) {
+    // Check if the account is the owner and an restrict delete access.
+    $is_owner = $group_content->getOwnerId() === $account->id();
+    if ($is_owner && $operation == 'delete') {
+      return AccessResult::forbidden();
+    }
+
+    return parent::relationAccess($group_content, $operation, $account, $return_as_object);
+  }
+
+}