[#499] Use ManageTeamMembersAccess::access for team invitations (#506)

* Remove team_manage_members permission * [#499] Update admin_permission for TeamInvitation entity * [#499] Update permissions for TeamInvitationAccessControlHandler * [#499] Add an update hook to remove the team_permission access Co-authored-by: Arlina Espinoza <[email protected]>
apigee · Oct 25, 2020 · 8b5e0a6 · 8b5e0a6
1 parent d46f255
commit 8b5e0a6
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 5 deletions.
diff --git a/apigee_edge.install b/apigee_edge.install
@@ -27,6 +27,7 @@ use Drupal\apigee_edge\OauthTokenFileStorage;
 use Drupal\Core\Installer\InstallerKernel;
 use Drupal\Core\Url;
 use Drupal\user\RoleInterface;
+use Drupal\views\Views;
 
 /**
  * Implements hook_requirements().
@@ -298,3 +299,22 @@ function apigee_edge_update_8104() {
     ])->save();
   }
 }
+
+/**
+ * Remove the "Manage team members and invitations" access for the Team invitations view.
+ */
+function apigee_edge_update_8105() {
+  /** @var \Drupal\views\ViewExecutable $view */
+  $view = Views::getView('team_invitations');
+  $view->setDisplay('team');
+  $access = $view->getDisplay()->getOption('access');
+  if (empty($access['type']) || $access['type'] !== "team_permission") {
+    return;
+  }
+
+  $view->getDisplay()->setOption('access', [
+    'type' => 'none',
+    'options' => [],
+  ]);
+  $view->save();
+}
diff --git a/modules/apigee_edge_teams/config/optional/views.view.team_invitations.yml b/modules/apigee_edge_teams/config/optional/views.view.team_invitations.yml
@@ -721,9 +721,8 @@ display:
         empty: false
         access: false
       access:
-        type: team_permission
-        options:
-          permission: team_manage_members
+        type: none
+        options: {  }
     cache_metadata:
       max-age: -1
       contexts:

diff --git a/modules/apigee_edge_teams/src/Entity/TeamInvitation.php b/modules/apigee_edge_teams/src/Entity/TeamInvitation.php
@@ -60,7 +60,7 @@
  *   },
  *   base_table = "team_invitation",
  *   data_table = "team_invitation_field_data",
- *   admin_permission = "administer team invitations",
+ *   admin_permission = "manage team members",
  *   entity_keys = {
  *     "id" = "uuid",
  *     "label" = "label",

diff --git a/modules/apigee_edge_teams/src/Entity/TeamInvitationAccessControlHandler.php b/modules/apigee_edge_teams/src/Entity/TeamInvitationAccessControlHandler.php
@@ -94,7 +94,7 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
     // Note: This is handled at team level permissions.
     if ($operation === 'delete' || $operation === "resend") {
       return AccessResult::allowedIf(in_array('team_manage_members', $this->teamPermissionHandler->getDeveloperPermissionsByTeam($entity->getTeam(), $account)))
-        ->orIf(AccessResult::allowedIfHasPermission($account, 'administer team invitations'))
+        ->orIf(AccessResult::allowedIfHasPermissions($account, ['administer team', 'manage team members'], 'OR'))
         ->addCacheableDependency($entity)
         ->cachePerUser();
     }