Merge pull request #85 from ubc-web-services/private_file

Add private_file access permissions

Author: occupant

ubc_media_entities/src/MediaAccessControlHandler.php

@@ -0,0 +1,45 @@
+<?php
+
+namespace Drupal\ubc_media_entities;
+
+use Drupal\media\MediaAccessControlHandler as CoreMediaAccessControlHandler;
+use Drupal\Core\Entity\EntityInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Access\AccessResult;
+
+/**
+ * Access control handler for media entities.
+ */
+class MediaAccessControlHandler extends CoreMediaAccessControlHandler
+{
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
+ {
+ // Check if the operation is 'view'.
+ if ($operation === 'view') {
+ // Example: Restrict 'view' based on media type and a custom permission.
+ $media_type = $entity->bundle();
+ if ($account->hasPermission("view $media_type media")) {
+ return AccessResult::allowed();
+ }
+ else {
+ return AccessResult::forbidden();
+ }
+ }
+
+ // For other operations, fall back to the parent handler.
+ return parent::checkAccess($entity, $operation, $account);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = null)
+ {
+ // Allow creation of media if the user has a specific permission.
+ return AccessResult::allowedIfHasPermission($account, "create $entity_bundle media");
+ }
+}

ubc_media_entities/ubc_media_entities.module

@@ -1,5 +1,6 @@
 <?php
 
+use Drupal\Core\Entity\EntityTypeInterface;
 use Drupal\Core\StreamWrapper\StreamWrapperManager;
 use Drupal\user\Entity\Role;
 
@@ -24,6 +25,15 @@ function ubc_media_entities_file_download($uri) {
  return NULL;
 }
 
+/**
+ * Implements hook_entity_type_alter().
+ */
+function ubc_media_entities_entity_type_alter(array &$entity_types) {
+ if (isset($entity_types['media'])) {
+ $entity_types['media']->setHandlerClass('access', 'Drupal\ubc_media_entities\MediaAccessControlHandler');
+ }
+}
+
 /**
  * Implements hook_post_update_()
  * Add permission to view private files
@@ -33,3 +43,14 @@ function ubc_media_entities_post_update_grant_private_file_permission() {
  $role_object->grantPermission('access private files');
  $role_object->save();
 }
+
+
+/**
+ * Implements hook_post_update_()
+ * Add permission to view private_file media
+ */
+function ubc_media_entities_post_update_grant_private_media_permission() {
+ $role_object = Role::load('authenticated');
+ $role_object->grantPermission('view private_file media');
+ $role_object->save();
+}

ubc_media_entities/ubc_media_entities.permissions.yml

@@ -2,3 +2,8 @@ access private files:
  title: 'Access private files'
  description: 'View privately stored files from their direct URL path'
  restrict access: TRUE
+
+view private_file media:
+ title: 'View private file media'
+ description: 'View private file media items'
+ restrict access: TRUE