Restrict comment posting/editing to managed roles with "update all" access.

2024-02-13 12:07:02 -05:00 · 2024-02-13 12:07:02 -05:00 · 20729c5389
parent 0156ff23bf
commit 20729c5389
2 changed files with 47 additions and 5 deletions
--- a/modules/core/comment/farm_comment.managed_role_permissions.yml
+++ b/modules/core/comment/farm_comment.managed_role_permissions.yml
@ -1,6 +1,3 @@
 farm_comment:
-  default_permissions:
-    - access comments
-    - post comments
-    - skip comment approval
-    - edit own comments
+  permission_callbacks:
+    - Drupal\farm_comment\CommentPermissions::permissions
--- a/modules/core/comment/src/CommentPermissions.php
+++ b/modules/core/comment/src/CommentPermissions.php
@ -0,0 +1,45 @@
+<?php
+
+namespace Drupal\farm_comment;
+
+use Drupal\user\RoleInterface;
+
+/**
+ * Add comment permissions to managed farmOS roles.
+ */
+class CommentPermissions {
+
+  /**
+   * Add permissions to role.
+   *
+   * @param \Drupal\user\RoleInterface $role
+   *   The role to add permissions to.
+   *
+   * @return array
+   *   An array of permission strings.
+   */
+  public function permissions(RoleInterface $role) {
+    $perms = [];
+
+    // Load farm_role access rules from third-party settings. Bail if empty.
+    $access = $role->getThirdPartySetting('farm_role', 'access');
+    if (empty($access)) {
+      return $perms;
+    }
+
+    // If the role has "view all" access, allow viewing comments.
+    if (!empty($access['entity']['view all'])) {
+      $perms[] = 'access comments';
+    }
+
+    // If the role has "edit all" access, allow posting/editing comments.
+    if (!empty($access['entity']['update all'])) {
+      $perms[] = 'post comments';
+      $perms[] = 'skip comment approval';
+      $perms[] = 'edit own comments';
+    }
+
+    return $perms;
+  }
+
+}