Add a setting for allowing Account Admins to assign Account Admin role.

2023-09-01 11:32:51 -04:00 · 2023-09-01 11:32:51 -04:00 · e4b656af74
parent 05a3b374bb
commit e4b656af74
6 changed files with 123 additions and 2 deletions
--- a/modules/core/role/modules/account_admin/config/schema/farm_role_account_admin.schema.yml
+++ b/modules/core/role/modules/account_admin/config/schema/farm_role_account_admin.schema.yml
@ -0,0 +1,7 @@
+farm_role_account_admin.settings:
+  type: config_object
+  label: 'farmOS Account Admin Role settings'
+  mapping:
+    allow_peer_role_assignment:
+      type: boolean
+      label: 'Allow users with the Account Admin role to assign/revoke the Account Admin role.'
--- a/modules/core/role/modules/account_admin/farm_role_account_admin.links.task.yml
+++ b/modules/core/role/modules/account_admin/farm_role_account_admin.links.task.yml
@ -0,0 +1,5 @@
+farm_role_account_admin.settings:
+  base_route: farm_settings.settings_page
+  route_name: farm_role_account_admin.settings
+  title: 'Account Admin'
+  weight: 5
--- a/modules/core/role/modules/account_admin/farm_role_account_admin.routing.yml
+++ b/modules/core/role/modules/account_admin/farm_role_account_admin.routing.yml
@ -0,0 +1,7 @@
+farm_role_account_admin.settings:
+  path: 'farm/settings/account-admin'
+  defaults:
+    _form: '\Drupal\farm_role_account_admin\Form\AccountAdminSettingsForm'
+    _title: 'Account Admin Role settings'
+  requirements:
+    _permission: 'administer farm settings'
--- a/modules/core/role/modules/account_admin/src/AccountAdminPermissions.php
+++ b/modules/core/role/modules/account_admin/src/AccountAdminPermissions.php
@ -2,6 +2,7 @@

 namespace Drupal\farm_role_account_admin;

+use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
 use Drupal\farm_role\ManagedRolePermissionsManagerInterface;
 use Drupal\user\RoleInterface;
@ -19,14 +20,24 @@ class AccountAdminPermissions implements ContainerInjectionInterface {
   */
  protected $managedRolePermissionsManager;

+  /**
+   * The config factory service.
+   *
+   * @var \Drupal\Core\Config\ConfigFactoryInterface
+   */
+  protected $configFactory;
+
  /**
   * Constructs an AccountAdminPermissions object.
   *
   * @param \Drupal\farm_role\ManagedRolePermissionsManagerInterface $managed_role_permissions_manager
   *   The managed role permissions manager.
+   * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
+   *   The config factory service.
   */
-  public function __construct(ManagedRolePermissionsManagerInterface $managed_role_permissions_manager) {
+  public function __construct(ManagedRolePermissionsManagerInterface $managed_role_permissions_manager, ConfigFactoryInterface $config_factory) {
    $this->managedRolePermissionsManager = $managed_role_permissions_manager;
+    $this->configFactory = $config_factory;
  }

  /**
@ -35,6 +46,7 @@ class AccountAdminPermissions implements ContainerInjectionInterface {
  public static function create(ContainerInterface $container) {
    return new static(
      $container->get('plugin.manager.managed_role_permissions'),
+      $container->get('config.factory'),
    );
  }

@ -53,9 +65,20 @@ class AccountAdminPermissions implements ContainerInjectionInterface {
    // Add permissions to the farm_account_admin role.
    if ($role->id() == 'farm_account_admin') {

+      // Load the module settings.
+      $settings = $this->configFactory->get('farm_role_account_admin.settings');
+
      // Grant the ability to assign managed farmOS roles.
      $roles = $this->managedRolePermissionsManager->getMangedRoles();
      foreach ($roles as $role) {
+
+        // Do not allow assigning the "Account Admin" role if
+        // allow_peer_role_assignment is disabled.
+        if ($role->id() == 'farm_account_admin' && !$settings->get('allow_peer_role_assignment', FALSE)) {
+          continue;
+        }
+
+        // Add permission to assign the role.
        $perms[] = 'assign ' . $role->id() . ' role';
      }
    }
--- a/modules/core/role/modules/account_admin/src/Form/AccountAdminSettingsForm.php
+++ b/modules/core/role/modules/account_admin/src/Form/AccountAdminSettingsForm.php
@ -0,0 +1,63 @@
+<?php
+
+namespace Drupal\farm_role_account_admin\Form;
+
+use Drupal\Core\Form\ConfigFormBase;
+use Drupal\Core\Form\FormStateInterface;
+
+/**
+ * Provides a settings form for the Account Admin Role module.
+ */
+class AccountAdminSettingsForm extends ConfigFormbase {
+
+  /**
+   * Config settings.
+   *
+   * @var string
+   */
+  const SETTINGS = 'farm_role_account_admin.settings';
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getFormId() {
+    return 'farm_role_account_admin_settings';
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function getEditableConfigNames() {
+    return [
+      static::SETTINGS,
+    ];
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function buildForm(array $form, FormStateinterface $form_state) {
+    $config = $this->config(static::SETTINGS);
+
+    $form['allow_peer_role_assignment'] = [
+      '#type' => 'checkbox',
+      '#title' => $this->t('Allow peer role assignment'),
+      '#description' => $this->t('Allow users with the Account Admin role to assign/revoke the Account Admin role.'),
+      '#default_value' => $config->get('allow_peer_role_assignment'),
+    ];
+
+    return parent::buildForm($form, $form_state);
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function submitForm(array &$form, FormStateInterface $form_state) {
+    $this->configFactory->getEditable(static::SETTINGS)
+      ->set('allow_peer_role_assignment', $form_state->getValue('allow_peer_role_assignment'))
+      ->save();
+
+    parent::submitForm($form, $form_state);
+  }
+
+}
--- a/modules/core/role/modules/account_admin/tests/src/Kernel/AccountAdminPermissionsTest.php
+++ b/modules/core/role/modules/account_admin/tests/src/Kernel/AccountAdminPermissionsTest.php
@ -49,7 +49,6 @@ class AccountAdminPermissionsTest extends KernelTestBase {
    $account_admin_permissions = [
      'administer farm settings',
      'administer users',
-      'assign farm_account_admin role',
      'assign farm_manager role',
      'assign farm_worker role',
      'assign farm_viewer role',
@ -67,6 +66,23 @@ class AccountAdminPermissionsTest extends KernelTestBase {
    foreach ($account_admin_permissions as $permission) {
      $this->assertTrue($user->hasPermission($permission));
    }
+
+    // Ensure the user does not have the "assign farm_account_admin role"
+    // permission.
+    $this->assertFalse($user->hasPermission('assign farm_account_admin role'));
+
+    // Enable the allow_peer_role_assignment setting.
+    $settings = \Drupal::configFactory()->getEditable('farm_role_account_admin.settings');
+    $settings->set('allow_peer_role_assignment', TRUE);
+    $settings->save();
+
+    // Rebuild the container so the configuration change takes effect.
+    $kernel = \Drupal::service('kernel');
+    $kernel->invalidateContainer();
+    $kernel->rebuildContainer();
+
+    // Ensure the user has the "assign farm_account_admin role" permission.
+    $this->assertTrue($user->hasPermission('assign farm_account_admin role'));
  }

 }