Issue #27: Replace access checks with entity access operation.

CollaboraOnline · Oct 24, 2024 · 911beab · 911beab
1 parent b95465c
commit 911beab
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/collabora_online.module b/collabora_online.module
@@ -10,7 +10,11 @@
  */
 
 use Drupal\collabora_online\Cool\CoolUtils;
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Access\AccessResultInterface;
 use Drupal\Core\Entity\EntityInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\media\MediaInterface;
 
 /**
  * Implements hook_theme().
@@ -112,3 +116,16 @@ function collabora_online_entity_operation(EntityInterface $entity) {
 
     return $entries;
 }
+
+/**
+ * Implements hook_ENTITY_TYPE_access() for 'media'.
+ *
+ * Checks access for the new media operations provided by this module.
+ */
+function collabora_online_media_access(MediaInterface $media, string $operation, AccountInterface $account): AccessResultInterface {
+    $permission = match ($operation) {
+        'preview' => 'preview any media in collabora',
+        'edit' => 'edit any media in collabora',
+    };
+    return AccessResult::allowedIfHasPermission($account, $permission);
+}
diff --git a/src/Controller/ViewerController.php b/src/Controller/ViewerController.php
@@ -53,9 +53,7 @@ public function editor(Media $media, $edit = false) {
             'closebutton' => 'true',
         ];
 
-        $user = \Drupal::currentUser();
-
-        if (!$user->hasPermission('preview media in collabora')) {
+        if (!$media->access('preview in collabora')) {
             $error_msg = 'Authentication failed.';
             \Drupal::logger('cool')->error($error_msg);
             return new Response(
@@ -66,7 +64,7 @@ public function editor(Media $media, $edit = false) {
         }
 
         /* Make sure that the user is a collaborator if edit is true */
-        $edit = $edit && $user->hasPermission('edit any media in collabora');
+        $edit = $edit && $media->access('edit in collabora');
 
         $render_array = CoolUtils::getViewerRender($media, $edit, $options);
 

diff --git a/src/Controller/WopiController.php b/src/Controller/WopiController.php
@@ -41,12 +41,19 @@ function wopiCheckFileInfo(string $id, Request $request) {
             return static::permissionDenied();
         }
 
+        /** @var \Drupal\media\MediaInterface|null $media */
+        $media = \Drupal::entityTypeManager()->getStorage('media')->load($id);
+        if (!$media) {
+            // @todo Use default mechanism for access denied response.
+            return static::permissionDenied();
+        }
+
         $file = CoolUtils::getFileById($id);
         $mtime = date_create_immutable_from_format('U', $file->getChangedTime());
         $user = User::load($jwt_payload->uid);
         $can_write = $jwt_payload->wri;
 
-        if ($can_write && !$user->hasPermission('edit any media in collabora')) {
+        if ($can_write && !$media->access('edit in collabora', $user)) {
             \Drupal::logger('cool')->error('Token and user permissions do not match.');
             return static::permissionDenied();
         }