private_files_adapter.module

<?php

/**
 * @file
 * Contains private_files_adapter.module.
 */

use Drupal\user\Entity\User;
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\jwt\Transcoder\JwtDecodeException;
use Drupal\group\Entity\GroupRelationship;
use Drupal\media\Entity\Media;

/**
 * Implements hook_help().
 */
function private_files_adapter_help($route_name, RouteMatchInterface $route_match) {
  switch ($route_name) {
    // Main module help for the private_files_adapter module.
    case 'help.page.private_files_adapter':
      $output = '';
      $output .= '<h3>' . t('About') . '</h3>';
      $output .= '<p>' . t('My Awesome Module') . '</p>';
      return $output;

    default:
  }
}

/**
 * Implements hook_theme().
 */
function private_files_adapter_theme() {
  return [
    'private_files_adapter' => [
      'render element' => 'children',
    ],
  ];
}

/**
 * Implements hook_ENTITY_TYPE_access().
 */
function private_files_adapter_file_access(EntityInterface $entity, string $operation, AccountInterface $account): AccessResultInterface {
  $request = \Drupal::request();

  if (strpos($request->server->get('HTTP_USER_AGENT'), "Cantaloupe") !== FALSE
        && !empty($request->server->get('HTTP_AUTHORIZATION'))) {

    // Handles only download operation of private file or image.
    $raw_jwt = str_replace("Bearer ", "", $request->server->get('HTTP_AUTHORIZATION'));
    // Decode JWT and validate signature.
    try {
      $transcoder = \Drupal::service('jwt.transcoder');
      $authed_userid = $transcoder->decode($raw_jwt)->getClaim(['drupal', 'uid']);

      if (empty($authed_userid)) {
        return AccessResult::neutral();
      }
      $service_account = User::load($authed_userid);
      if (isset($service_account)) {
        // Add check the account with access control with Group.
        $operation = "view";

        // Get media from file.
        $media_id = array_keys(\Drupal::service('file.usage')->listUsage($entity)['file']['media'])[0];
        $media = Media::load($media_id);

        /** @var \Drupal\group\Plugin\Group\Relation\GroupRelationTypeManagerInterface $plugin_manager */
        $plugin_manager = \Drupal::service('group_relation_type.manager');

        $plugin_ids = $plugin_manager->getPluginIdsByEntityTypeAccess($media->getEntityTypeId());
        $plugin_cache_tags = [];
        foreach ($plugin_ids as $plugin_id) {
          $plugin_cache_tags[] = "group_content_list:plugin:$plugin_id";
        }

        // Load all of the group content for this entity.
        $group_contents = GroupRelationship::loadByEntity($media);
        if (!empty($group_contents) && count($group_contents) > 0) {
          $access = AccessResult::neutral();
          foreach ($plugin_ids as $plugin_id) {
            /*if (!$plugin_manager->hasHandler($plugin_id, 'access')) {
            continue;
            }*/
            $handler = $plugin_manager->getAccessControlHandler($plugin_id);
            $access = $access->orIf($handler->entityAccess($media, $operation, $service_account, TRUE));
          }
          $access
            ->addCacheTags($plugin_cache_tags)
            ->addCacheContexts(['user.group_permissions']);

          if ($access->isAllowed()) {
            return AccessResult::allowed();
          }
          else {
            return AccessResult::neutral();
          }
        }
        else {
          return AccessResult::neutral();
        }
      }
      else {
        return AccessResult::neutral();
      }
    }
    catch (JwtDecodeException $e) {
      return AccessResult::neutral();
    }
  }
  else {
    return AccessResult::neutral();
  }
}