commerce_entity_access

7 commerce_entity_access($op, $entity, $account, $entity_type)

Generic access control for Drupal Commerce entities.

Parameters

$op The operation being performed. One of 'view', 'update', 'create' or 'delete'.

$entity Optionally an entity to check access for. If no entity is given, it will be determined whether access is allowed for all entities of the given type.

$account The user to check for. Leave it NULL to check the global (currently logged-in) user.

$entity_type The entity type of the entity to check for.

See also

entity_access()

3 functions call commerce_entity_access()

commerce_customer_profile_access in modules/customer/commerce_customer.module
Checks customer profile access for various operations.
commerce_order_access in modules/order/commerce_order.module
Checks order access for various operations.
commerce_product_access in modules/product/commerce_product.module
Checks product access for various operations.

Code

./commerce.module, line 841

<?php
/**
 * Generic access control for Drupal Commerce entities.
 *
 * @param $op
 *   The operation being performed: 'view', 'update', 'create' or 'delete'.
 *   Only 'view' and 'create' have dedicated rules; every other operation
 *   (including 'delete') is checked against the "edit any" / "edit own"
 *   permissions.
 * @param $entity
 *   Optionally an entity to check access for. When omitted, the check covers
 *   all entities of the given type.
 * @param $account
 *   The user to check for, or NULL for the global user.
 * @param $entity_type
 *   The entity type of the entity to check for.
 *
 * @return
 *   TRUE when access is granted, FALSE otherwise. Viewing a specific entity
 *   is granted unconditionally when the entity type declares no access tag
 *   (or no module alters the tagged query), so per-entity view restrictions
 *   rely entirely on that tag.
 *
 * @see entity_access()
 */
function commerce_entity_access($op, $entity, $account, $entity_type) {
  global $user;

  // Fall back to the currently logged-in user when no account is supplied.
  if (!isset($account)) {
    $account = $user;
  }

  $info = entity_get_info($entity_type);
  $keys = isset($info['entity keys']) ? $info['entity keys'] : array();
  $access_args = isset($info['access arguments']) ? $info['access arguments'] : array();

  if ($op == 'view') {
    // Type-level view access when no specific entity was given.
    if (!isset($entity)) {
      return user_access('view any ' . $entity_type . ' entity', $account);
    }

    $tag = empty($access_args['access tag']) ? NULL : $access_args['access tag'];

    // Without an access tag, or without any hook_query_TAG_alter()
    // implementation for it, a specific entity is viewable by anyone.
    if ($tag === NULL || !module_implements('query_' . $tag . '_alter')) {
      return TRUE;
    }

    // Run a tagged query against the base table so that the modules altering
    // the tagged query decide whether this single row is visible to $account.
    $id_key = $keys['id'];
    $query = db_select($info['base table']);
    $query->addExpression('1');
    $query->addTag($tag);
    $query->addMetaData('account', $account);
    $query->condition($id_key, $entity->{$id_key});
    $query->range(0, 1);

    return (bool) $query->execute()->fetchField();
  }

  // Let other modules vote first: any explicit FALSE denies, otherwise any
  // explicit TRUE grants; NULL/absent votes fall through to the checks below.
  $votes = module_invoke_all('commerce_entity_access', $op, $entity, $account, $entity_type);

  if (in_array(FALSE, $votes, TRUE)) {
    return FALSE;
  }
  if (in_array(TRUE, $votes, TRUE)) {
    return TRUE;
  }

  // Administrators of the entity type may perform any operation.
  if (user_access('administer ' . $entity_type . ' entities', $account)) {
    return TRUE;
  }

  // Resolve the bundle name once; it is part of the bundle-specific permission
  // names used by both the create and the edit/delete checks.
  $has_bundle = isset($entity) && !empty($keys['bundle']);
  $bundle = $has_bundle ? $entity->{$keys['bundle']} : '';

  if ($op == 'create') {
    // A create entity is not owned yet, so only the type-level permission and,
    // when the bundle is known, the bundle-level permission are consulted.
    return user_access('create ' . $entity_type . ' entities', $account)
      || ($has_bundle && user_access('create ' . $entity_type . ' entities of bundle ' . $bundle, $account));
  }

  // 'update', 'delete' and any other operation: "edit any" permissions first.
  if (user_access('edit any ' . $entity_type . ' entity', $account)
    || user_access('edit any ' . $entity_type . ' entity of bundle ' . $bundle, $account)) {
    return TRUE;
  }

  // Ownership only counts for authenticated users: uid 0 never "owns" an
  // entity, and an entity without a user key cannot be owned at all.
  // NOTE(review): the uid comparison is loose (==), presumably so a string
  // uid loaded from the database matches an integer uid on the account.
  $owner_key = empty($access_args['user key']) ? NULL : $access_args['user key'];
  $is_owner = $account->uid
    && $owner_key !== NULL
    && isset($entity->{$owner_key})
    && $entity->{$owner_key} == $account->uid;

  if ($is_owner) {
    return user_access('edit own ' . $entity_type . ' entities', $account)
      || user_access('edit own ' . $entity_type . ' entities of bundle ' . $bundle, $account);
  }

  return FALSE;
}
?>