Check group content entity operation access

og.services.yml

@@ -1,14 +1,12 @@
 services:
-  og.access:
-    class: Drupal\og\OgAccess
-    arguments: ['@config.factory', '@current_user', '@module_handler']
-
   access_check.og.user_access_group:
     class: Drupal\og\Access\GroupCheck
     arguments: ['@entity_type.manager', '@og.access']
     tags:
       - { name: access_check, applies_to: _og_user_access_group }
-
+  og.access:
+    class: Drupal\og\OgAccess
+    arguments: ['@config.factory', '@current_user', '@module_handler', '@og.group.manager', '@og.permission_manager']
   og.event_subscriber:
     class: Drupal\og\EventSubscriber\OgEventSubscriber
     arguments: ['@og.permission_manager', '@entity_type.manager', '@entity_type.bundle.info']

src/Entity/OgMembership.php

@@ -200,7 +200,7 @@ public function getRoles() {
   /**
    * {@inheritdoc}
    */
-  public function setRoles(array $roles = array()) {
+  public function setRoles(array $roles = []) {
     $role_ids = array_map(function (OgRole $role) {
       return $role->id();
     }, $roles);
@@ -223,6 +223,11 @@ public function getRolesIds() {
    * {@inheritdoc}
    */
   public function hasPermission($permission) {
+    // Blocked users do not have any permissions.
+    if ($this->getState() === OgMembershipInterface::STATE_BLOCKED) {
+      return FALSE;
+    }
+
     return array_filter($this->getRoles(), function (OgRole $role) use ($permission) {
       return $role->hasPermission($permission);
     });
@@ -263,9 +268,9 @@ public static function baseFieldDefinitions(EntityTypeInterface $entity_type) {
       ->setLabel(t('Group entity id.'))
       ->setDescription(t("The entity ID of the group."));
 
-    $fields['state'] = BaseFieldDefinition::create('integer')
+    $fields['state'] = BaseFieldDefinition::create('string')
       ->setLabel(t('State'))
-      ->setDescription(t("The state of the group content."))
+      ->setDescription(t('The user membership state: active, pending, or blocked.'))
       ->setDefaultValue(OgMembershipInterface::STATE_ACTIVE);
 
     $fields['roles'] = BaseFieldDefinition::create('entity_reference')

src/Entity/OgRole.php

@@ -3,6 +3,7 @@
 namespace Drupal\og\Entity;
 
 use Drupal\Core\Config\ConfigValueException;
+use Drupal\Core\Entity\EntityInterface;
 use Drupal\og\Exception\OgRoleException;
 use Drupal\og\OgRoleInterface;
 use Drupal\user\Entity\Role;
@@ -36,6 +37,16 @@
  */
 class OgRole extends Role implements OgRoleInterface {
 
+  /**
+   * Constructs an OgRole object.
+   *
+   * @param array $values
+   *   An array of values to set, keyed by property name.
+   */
+  public function __construct(array $values) {
+    parent::__construct($values, 'og_role');
+  }
+
   /**
    * Sets the ID of the role.
    *
@@ -198,15 +209,23 @@ public function setName($name) {
     return $this;
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public static function loadByGroupAndName(EntityInterface $group, $name) {
+    $role_id = "{$group->getEntityTypeId()}-{$group->bundle()}-$name";
+    return self::load($role_id);
+  }
+
   /**
    * {@inheritdoc}
    */
   public function save() {
     // The ID of a new OgRole has to consist of the entity type ID, bundle ID
     // and role name, separated by dashes.
     if ($this->isNew() && $this->id()) {
-      list($entity_type_id, $bundle_id, $name) = explode('-', $this->id());
-      if ($entity_type_id !== $this->getGroupType() || $bundle_id !== $this->getGroupBundle() || $name !== $this->getName()) {
+      $pattern = preg_quote("{$this->getGroupType()}-{$this->getGroupBundle()}-{$this->getName()}");
+      if (!preg_match("/$pattern/", $this->id())) {
         throw new ConfigValueException('The ID should consist of the group entity type ID, group bundle ID and role name, separated by dashes.');
       }
     }
@@ -257,6 +276,7 @@ public function set($property_name, $value) {
       'group_type',
       'group_bundle',
     ]);
+
     if (!$is_locked_property || $this->isNew()) {
       return parent::set($property_name, $value);
     }

src/GroupContentOperationPermission.php

@@ -43,7 +43,7 @@ class GroupContentOperationPermission extends Permission {
    *   FALSE if this permission applies to all entities, TRUE if it only applies
    *   to the entities owned by the user.
    */
-  protected $owner = 'any';
+  protected $owner = FALSE;
 
   /**
    * Returns the group content entity type ID to which this permission applies.

src/GroupManager.php

@@ -239,7 +239,7 @@ public function getGroupContentBundleIdsByGroupBundle($group_entity_type_id, $gr
   }
 
   /**
-   * Sets an entity type instance as being an OG group.
+   * Declares a bundle of an entity type as being an OG group.
    *
    * @param string $entity_type_id
    *   The entity type ID of the bundle to declare as being a group.

src/Og.php

@@ -249,15 +249,18 @@ public static function getMemberships(AccountInterface $user, array $states = [O
    *   (optional) Array with the state to return. Defaults to active.
    *
    * @return \Drupal\og\Entity\OgMembership|null
-   *   The OgMembership entity, or NULL if the user is not a member of the
-   *   group.
+   *   The OgMembership entity. NULL will be returned if no membership is
+   *   available that matches the passed in $states.
    */
   public static function getMembership(EntityInterface $group, AccountInterface $user, array $states = [OgMembershipInterface::STATE_ACTIVE]) {
     foreach (static::getMemberships($user, $states) as $membership) {
       if ($membership->getGroupEntityType() === $group->getEntityTypeId() && $membership->getGroupId() === $group->id()) {
         return $membership;
       }
     }
+
+    // No membership matches the request.
+    return NULL;
   }
 
   /**
@@ -696,7 +699,7 @@ protected static function getFieldBaseDefinition($plugin_id) {
    * @param array $options
    *   Overriding the default options of the selection handler.
    *
-   * @return OgSelection
+   * @return \Drupal\og\Plugin\EntityReferenceSelection\OgSelection
    *   Returns the OG selection handler.
    *
    * @throws \Exception

src/OgAccess.php

@@ -10,6 +10,7 @@
 use Drupal\Core\Extension\ModuleHandlerInterface;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\Core\Session\AccountProxyInterface;
+use Drupal\og\Entity\OgRole;
 use Drupal\user\EntityOwnerInterface;
 
 /**
@@ -62,6 +63,22 @@ class OgAccess implements OgAccessInterface {
    */
   protected $moduleHandler;
 
+  /**
+   * The group manager.
+   *
+   * @var \Drupal\og\GroupManager
+   *
+   * @todo This should be GroupManagerInterface.
+   */
+  protected $groupManager;
+
+  /**
+   * The OG permission manager.
+   *
+   * @var \Drupal\og\PermissionManagerInterface
+   */
+  protected $permissionManager;
+
   /**
    * Constructs an OgManager service.
    *
@@ -71,11 +88,17 @@ class OgAccess implements OgAccessInterface {
    *   The service that contains the current active user.
    * @param \Drupal\Core\Extension\ModuleHandlerInterface $module_handler
    *   The module handler.
+   * @param \Drupal\og\GroupManager $group_manager
+   *   The group manager.
+   * @param \Drupal\og\PermissionManagerInterface $permission_manager
+   *   The permission manager.
    */
-  public function __construct(ConfigFactoryInterface $config_factory, AccountProxyInterface $account_proxy, ModuleHandlerInterface $module_handler) {
+  public function __construct(ConfigFactoryInterface $config_factory, AccountProxyInterface $account_proxy, ModuleHandlerInterface $module_handler, GroupManager $group_manager, PermissionManagerInterface $permission_manager) {
     $this->configFactory = $config_factory;
     $this->accountProxy = $account_proxy;
     $this->moduleHandler = $module_handler;
+    $this->groupManager = $group_manager;
+    $this->permissionManager = $permission_manager;
   }
 
   /**
@@ -89,7 +112,7 @@ public function userAccess(EntityInterface $group, $operation, AccountInterface
     $config = $this->configFactory->get('og.settings');
     $cacheable_metadata = (new CacheableMetadata)
         ->addCacheableDependency($config);
-    if (!Og::isGroup($group_type_id, $bundle)) {
+    if (!$this->groupManager->isGroup($group_type_id, $bundle)) {
       // Not a group.
       return AccessResult::neutral()->addCacheableDependency($cacheable_metadata);
     }
@@ -100,6 +123,9 @@ public function userAccess(EntityInterface $group, $operation, AccountInterface
 
     // From this point on, every result also depends on the user so check
     // whether it is the current. See https://www.drupal.org/node/2628870
+    // @todo This doesn't really vary by user but by the user's roles inside of
+    //   the group. We should create a cache context for OgRole entities.
+    // @see https://github.com/amitaibu/og/issues/219
     if ($user->id() == $this->accountProxy->id()) {
       $cacheable_metadata->addCacheContexts(['user']);
     }
@@ -140,22 +166,30 @@ public function userAccess(EntityInterface $group, $operation, AccountInterface
       $permissions = [];
       $user_is_group_admin = FALSE;
 
-      if ($membership = Og::getMembership($group, $user)) {
-        foreach ($membership->getRoles() as $role) {
-          // Check for the is_admin flag.
-          /** @var \Drupal\og\Entity\OgRole $role */
-          if ($role->isAdmin()) {
-            $user_is_group_admin = TRUE;
-            break;
+      $states = [
+        OgMembershipInterface::STATE_ACTIVE,
+        OgMembershipInterface::STATE_PENDING,
+        OgMembershipInterface::STATE_BLOCKED,
+      ];
+      if ($membership = Og::getMembership($group, $user, $states)) {
+        // Blocked users don't have any permissions.
+        if ($membership->getState() !== OgMembershipInterface::STATE_BLOCKED) {
+          foreach ($membership->getRoles() as $role) {
+            // Check for the is_admin flag.
+            /** @var \Drupal\og\Entity\OgRole $role */
+            if ($role->isAdmin()) {
+              $user_is_group_admin = TRUE;
+              break;
+            }
+
+            $permissions = array_merge($permissions, $role->getPermissions());
           }
-
-          $permissions = array_merge($permissions, $role->getPermissions());
         }
       }
       else {
         // User is a non-member.
         /** @var \Drupal\og\Entity\OgRole $role */
-        $role = Og::getRole($group_type_id, $bundle, OgRoleInterface::ANONYMOUS);
+        $role = OgRole::loadByGroupAndName($group, OgRoleInterface::ANONYMOUS);
         $permissions = $role->getPermissions();
       }
 
@@ -198,16 +232,11 @@ public function userAccess(EntityInterface $group, $operation, AccountInterface
   public function userAccessEntity($operation, EntityInterface $entity, AccountInterface $user = NULL) {
     $result = AccessResult::neutral();
 
-    // Entity isn't saved yet.
-    if ($entity->isNew()) {
-      return $result->addCacheableDependency($entity);
-    }
-
     $entity_type = $entity->getEntityType();
     $entity_type_id = $entity_type->id();
     $bundle = $entity->bundle();
 
-    if (Og::isGroup($entity_type_id, $bundle)) {
+    if ($this->groupManager->isGroup($entity_type_id, $bundle)) {
       $user_access = $this->userAccess($entity, $operation, $user);
       if ($user_access->isAllowed()) {
         return $user_access;
@@ -233,6 +262,15 @@ public function userAccessEntity($operation, EntityInterface $entity, AccountInt
       $forbidden = AccessResult::forbidden()->addCacheTags($cache_tags);
       foreach ($groups as $entity_groups) {
         foreach ($entity_groups as $group) {
+          // Check if the operation matches a group content entity operation
+          // such as 'create article content'.
+          $operation_access = $this->userAccessGroupContentEntityOperation($operation, $group, $entity, $user);
+          if ($operation_access->isAllowed()) {
+            return $operation_access->addCacheTags($cache_tags);
+          }
+
+          // Check if the operation matches a group level operation such as
+          // 'subscribe without approval'.
           $user_access = $this->userAccess($group, $operation, $user);
           if ($user_access->isAllowed()) {
             return $user_access->addCacheTags($cache_tags);
@@ -252,6 +290,77 @@ public function userAccessEntity($operation, EntityInterface $entity, AccountInt
     return $result;
   }
 
+  /**
+   * Checks access for entity operations on group content entities.
+   *
+   * This checks if the user has permission to perform the requested operation
+   * on the given group content entity according to the user's membership status
+   * in the given group. There is no formal support for access control on entity
+   * operations in core, so the mapping of permissions to operations is provided
+   * by PermissionManager::getEntityOperationPermissions().
+   *
+   * @param string $operation
+   *   The entity operation.
+   * @param \Drupal\Core\Entity\EntityInterface $group_entity
+   *   The group entity, to retrieve the permissions from.
+   * @param \Drupal\Core\Entity\EntityInterface $group_content_entity
+   *   The group content entity for which access to the entity operation is
+   *   requested.
+   * @param \Drupal\Core\Session\AccountInterface $user
+   *   Optional user for which to check access. If omitted, the currently logged
+   *   in user will be used.
+   *
+   * @return \Drupal\Core\Access\AccessResult
+   *   The access result object.
+   *
+   * @see \Drupal\og\PermissionManager::getEntityOperationPermissions()
+   */
+  public function userAccessGroupContentEntityOperation($operation, EntityInterface $group_entity, EntityInterface $group_content_entity, AccountInterface $user = NULL) {
+    // Default to the current user.
+    $user = $user ?: $this->accountProxy->getAccount();
+
+    // Check if the user owns the entity which is being operated on.
+    $is_owner = $group_content_entity instanceof EntityOwnerInterface && $group_content_entity->getOwnerId() == $user->id();
+
+    // Retrieve the group content entity operation permissions.
+    $group_entity_type_id = $group_entity->getEntityTypeId();
+    $group_bundle_id = $group_entity->bundle();
+    $group_content_bundle_ids = [$group_content_entity->getEntityTypeId() => [$group_content_entity->bundle()]];
+
+    $permissions = $this->permissionManager->getDefaultEntityOperationPermissions($group_entity_type_id, $group_bundle_id, $group_content_bundle_ids);
+
+    // Filter the permissions by operation and ownership.
+    // If the user does not own the group content, only the non-owner permission
+    // is relevant (for example 'edit any article node'). However when the user
+    // _is_ the owner, then both permissions are relevant: an owner will have
+    // access if they either have the 'edit any article node' or the 'edit own
+    // article node' permission.
+    $ownerships = $is_owner ? [FALSE, TRUE] : [FALSE];
+    $permissions = array_filter($permissions, function (GroupContentOperationPermission $permission) use ($operation, $ownerships) {
+      return $permission->getOperation() === $operation && in_array($permission->getOwner(), $ownerships);
+    });
+
+    if ($permissions) {
+      foreach ($permissions as $permission) {
+        $user_access = $this->userAccess($group_entity, $permission->getName(), $user);
+        if ($user_access->isAllowed()) {
+          return $user_access;
+        }
+      }
+    }
+
+    // @todo This doesn't really vary by user but by the user's roles inside of
+    //   the group. We should create a cache context for OgRole entities.
+    // @see https://github.com/amitaibu/og/issues/219
+    $cacheable_metadata = new CacheableMetadata();
+    $cacheable_metadata->addCacheableDependency($group_content_entity);
+    if ($user->id() == $this->accountProxy->id()) {
+      $cacheable_metadata->addCacheContexts(['user']);
+    }
+
+    return AccessResult::neutral()->addCacheableDependency($cacheable_metadata);
+  }
+
   /**
    * Set the permissions in the static cache.
    *