Merge pull request #2116 from EIC-EA/feature/EICNET-2967-sensitive-group

[EICNET-2967]feat: Do not allow access to site_admin content admin for sensitive content
EIC-EA · Jul 10, 2023 · fdfc0a1 · fdfc0a1
2 parents 041ab21 + d02e085
commit fdfc0a1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 11 deletions.
diff --git a/lib/modules/eic_groups/src/Access/GroupPageAccessChecker.php b/lib/modules/eic_groups/src/Access/GroupPageAccessChecker.php
@@ -101,7 +101,7 @@ public function accessGroupCommonPages(AccountProxy $account, GroupInterface $gr
       }
     }
     else {
-      $access = AccessResult::allowed();
+      $access = $group->access('view', $account, TRUE);
     }
 
     return $access;
@@ -119,9 +119,9 @@ public function accessGroupCommonPages(AccountProxy $account, GroupInterface $gr
    *   Return the access result.
    */
   public function accessGroupEditFormPage(AccountProxy $account, GroupInterface $group) {
-    $access = AccessResult::allowed();
+    $access = $group->access('update', $account, TRUE);
     // GO/GA users cannot edit the group when being blocked.
-    if (GroupsModerationHelper::isBlocked($group) && !UserHelper::isPowerUser($account)) {
+    if (GroupsModerationHelper::isBlocked($group) && !UserHelper::isPowerUser($account, $group)) {
       $access = AccessResult::forbidden();
     }
 

diff --git a/lib/modules/oec_group_flex/oec_group_flex.module b/lib/modules/oec_group_flex/oec_group_flex.module
@@ -68,14 +68,17 @@ function oec_group_flex_entity_access(EntityInterface $entity, $operation, Accou
             ->addCacheableDependency($entity);
         }
 
-        $admin_roles = \Drupal::configFactory()->get('oec_group_flex.settings')->get('oec_group_flex_admin_roles');
-        // Check if user has access to view the group. The access should should
-        // be allowed if the user is a super.
-        foreach ($account->getRoles(TRUE) as $role) {
-          if (in_array($role, $admin_roles)) {
-            return GroupAccessResult::allowed()
-              ->addCacheableDependency($account)
-              ->addCacheableDependency($entity);
+        // If visibility is sensitive do not take that into account.
+        if (GroupVisibilityType::GROUP_VISIBILITY_SENSITIVE !== $group_visibility_record->getType()) {
+          $admin_roles = \Drupal::configFactory()->get('oec_group_flex.settings')->get('oec_group_flex_admin_roles');
+          // Check if user has access to view the group. The access should should
+          // be allowed if the user is a super.
+          foreach ($account->getRoles(TRUE) as $role) {
+            if (in_array($role, $admin_roles)) {
+              return GroupAccessResult::allowed()
+                ->addCacheableDependency($account)
+                ->addCacheableDependency($entity);
+            }
           }
         }