diff --git a/entity_js.module b/entity_js.module
index 80c55a3..87747ce 100644
--- a/entity_js.module
+++ b/entity_js.module
@@ -10,27 +10,39 @@ function entity_js_permission() {
 $entity_info = entity_get_info();
 $permissions = array();
- foreach ($entity_info as $entity_type => $value) {
+ foreach ($entity_info as $entity_type => $entity) {
 $permissions[$entity_type . ' entity js create'] = array(
- 'title' => t('Create \'' . $entity_type . '\' entities using JavaScript'),
- 'description' => t('Use JavasScript to create ' . $entity_type . ' entities.'),
+ 'title' => t($entity['label'] . ': Create entities using JavaScript'),
 );
 $permissions[$entity_type . ' entity js read'] = array(
- 'title' => t('Read \'' . $entity_type . '\' entities using JavaScript'),
- 'description' => t('Use JavasScript to read ' . $entity_type . ' entities.'),
+ 'title' => t($entity['label'] . ': Read entities using JavaScript'),
 );
 $permissions[$entity_type . ' entity js update'] = array(
- 'title' => t('Update \'' . $entity_type . '\' entities using JavaScript'),
- 'description' => t('Use JavasScript to update ' . $entity_type . ' entities.'),
+ 'title' => t($entity['label'] . ': Update entities using JavaScript'),
 );
 $permissions[$entity_type . ' entity js delete'] = array(
- 'title' => t('Delete \'' . $entity_type . '\' entities using JavaScript'),
- 'description' => t('Use JavasScript to delete ' . $entity_type . ' entities.'),
+ 'title' => t($entity['label'] . ': Delete entities using JavaScript'),
 );
+ if(!isset($entity['bundles'][$entity_type])) {
+ foreach ($entity['bundles'] as $bundle_type => $bundle) {
+ $permissions[$entity_type . ' entity js create ' . $bundle_type] = array(
+ 'title' => t($entity['label'] . ':' . $bundle['label'] .': Create entities using JavaScript'),
+ );
+ $permissions[$entity_type . ' entity js read ' . $bundle_type] = array(
+ 'title' => t($entity['label'] . ':' . $bundle['label'] .': Read entities using JavaScript'),
+ );
+ $permissions[$entity_type . ' entity js update ' . $bundle_type] = array(
+ 'title' => t($entity['label'] . ':' . $bundle['label'] .': Update entities using JavaScript'),
+ );
+ $permissions[$entity_type . ' entity js delete ' . $bundle_type] = array(
+ 'title' => t($entity['label'] . ':' . $bundle['label'] .': Delete entities using JavaScript'),
+ );
+ }
+ }
 }
 $permissions['access efq javascript callbacks'] = array(
- 'title' => t('Use EntityFieldQuery in JavaScript'),
- 'description' => t('Allow access to EFQ using JavaScript. Requires "read" access for the requested entity_type.'),
+ 'title' => t('EntityFieldQuery: Use EFQ in JavaScript'),
+ 'description' => t('Allow access to EFQ using JavaScript. Requires "read" access for the requested entity bundle.'),
 );
 return $permissions;
 }
@@ -93,8 +105,14 @@ function entity_js_access($entity_type, $action) {
 * Create Entity success/fail response as JSON.
 */
 function entity_js_create_entity($entity_type) {
- //Create an Entity object.
 if (isset($_POST['values'])) {
+ //Check for bundle level Create access.
+ if (isset($_POST['values']['type'])) {
+ if (!user_access($entity_type . ' entity js create ' . $_POST['values']['type'])) {
+ return drupal_access_denied();
+ }
+ }
+ //Attempt to Create entity using POST values
 try {
 $entity = entity_create($entity_type, $_POST['values']);
 entity_save($entity_type, $entity);
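Review bot: The new permission titles hand concatenated strings to t() — `t($entity['label'] . ':' . $bundle['label'] .': Create entities using JavaScript')` — which defeats string extraction for translation and skips the escaping that t() placeholders provide; bundle labels such as node type names are entered by site administrators and end up on the permissions page as-is, so they belong in `@` placeholders the way core's node_permission() does it: `'title' => t('@entity: @bundle: Create entities using JavaScript', array('@entity' => $entity['label'], '@bundle' => $bundle['label']))`. The same applies to the four type-level titles above it. The guard `if(!isset($entity['bundles'][$entity_type]))` presumably means "this type has a single default bundle", but as written it drops every bundle permission for a type as soon as any one of its bundles shares the type's machine name; if that is the intent, `count($entity['bundles']) > 1` states it directly and cannot be tripped by a bundle name. Worth a one-line comment either way, since the callbacks that consume these permissions have to follow the same rule.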
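Review bot: The bundle check added to entity_js_create_entity() hardcodes the bundle property as `type` and runs only when the client chooses to send it: for any entity type whose bundle key has another name (it is declared in `entity_get_info($entity_type)['entity keys']['bundle']`), and for any request that simply omits `values[type]`, the per-bundle create permission is never consulted and creation proceeds on the type-level permission alone. Resolve the key from entity info and deny when it is declared but absent, so the client cannot opt out of the check; the `!== $entity_type` skip below keeps the convention that a bundle named after its type has no bundle permission of its own. Separately, `$_POST['values']` is still passed to entity_create() unfiltered, so even with this gate the client decides every other property it sets — that predates the commit but deserves a follow-up.
```php
if (isset($_POST['values'])) {
  // Resolve the bundle from the type's declared bundle key instead of assuming 'type'.
  $info = entity_get_info($entity_type);
  $bundle_key = !empty($info['entity keys']['bundle']) ? $info['entity keys']['bundle'] : NULL;
  if ($bundle_key !== NULL) {
    $bundle = isset($_POST['values'][$bundle_key]) ? $_POST['values'][$bundle_key] : NULL;
    if ($bundle === NULL || ($bundle !== $entity_type && !user_access($entity_type . ' entity js create ' . $bundle))) {
      return drupal_access_denied();
    }
  }
  // … unchanged: entity_create() / entity_save() inside the try block …
```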
@@ -110,24 +128,26 @@ function entity_js_create_entity($entity_type) {
 return drupal_json_output($response);
 }
-
 /**
 * Update Entity success/fail response as JSON.
 */
 function entity_js_update_entity($entity_type, $entity_id) {
 if (isset($_POST['values'])) {
- try {
- if ($entity = entity_load_single($entity_type, $entity_id)) {
+ if ($entity = entity_load_single($entity_type, $entity_id)) {
+ if ($entity->type !== $entity_type && !user_access($entity_type . ' entity js update ' . $entity->type)) {
+ return drupal_access_denied();
+ }
+ try {
 $entity = (object) array_merge((array) $entity, $_POST['values']);
 entity_save($entity_type, $entity);
 $response = 'Success';
 }
- else {
- $response = 'Failure: Entity does not exist';
+ catch (Exception $e) {
+ $response = 'Failure: ' . $e->getMessage();
 }
 }
- catch (Exception $e) {
- $response = 'Failure: ' . $e->getMessage();
+ else {
+ $response = 'Failure: Entity does not exist';
 }
 }
 else {
@@ -141,6 +161,9 @@ function entity_js_update_entity($entity_type, $entity_id) {
 */
 function entity_js_delete_entity($entity_type, $entity_id) {
 if ($entity = entity_load_single($entity_type, $entity_id)) {
+ if ($entity->type !== $entity_type && !user_access($entity_type . ' entity js delete ' . $entity->type)) {
+ return drupal_access_denied();
+ }
 entity_delete($entity_type, $entity_id);
 $response = 'Success';
 } else {
@@ -154,6 +177,9 @@ function entity_js_delete_entity($entity_type, $entity_id) {
 */
 function entity_js_drupal_render_entity_view($entity_type, $entity_id, $view_mode = 'default') {
 if ($entity = entity_load_single($entity_type, $entity_id)) {
+ if ($entity->type !== $entity_type && !user_access($entity_type . ' entity js read ' . $entity->type)) {
+ return drupal_access_denied();
+ }
 print drupal_render(entity_view($entity_type, array($entity), $view_mode));
 }
 exit();
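Review bot: The update guard checks the bundle the entity currently has, but the `array_merge((array) $entity, $_POST['values'])` that follows lets the request overwrite that very property, so a user holding 'update' on one bundle can move the entity into a bundle they hold no permission for and save it. Either strip the bundle key from the posted values before merging or re-run the check against the merged object. The guard also reads `$entity->type` directly, which only exists for entity types whose bundle key is `type`; for every other type the comparison sees NULL and user_access() is asked for a permission ending in a space, so updates are denied outright (an undefined-property notice plus a functional break, not a bypass). `list(, , $bundle) = entity_extract_ids($entity_type, $entity);` yields the bundle for any entity type — and the type name itself when there is no bundle key, which is what the `!== $entity_type` convention expects. entity_js_update_entity() continues past the end of this hunk.
```php
if ($entity = entity_load_single($entity_type, $entity_id)) {
  list(, , $bundle) = entity_extract_ids($entity_type, $entity);
  if ($bundle !== $entity_type && !user_access($entity_type . ' entity js update ' . $bundle)) {
    return drupal_access_denied();
  }
  // The request must not be able to move the entity into another bundle.
  $info = entity_get_info($entity_type);
  if (!empty($info['entity keys']['bundle'])) {
    unset($_POST['values'][$info['entity keys']['bundle']]);
  }
  // … unchanged: try { array_merge() / entity_save() } catch …
```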
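Review bot: The delete guard relies on `$entity->type` being the bundle, which holds only for entity types whose bundle key is `type`; for other types the property is undefined, the comparison is against NULL, and the permission looked up ends in a trailing space, so every delete of such an entity is refused with an undefined-property notice rather than checked. Let core resolve the bundle from entity info: `list(, , $bundle) = entity_extract_ids($entity_type, $entity);` followed by `if ($bundle !== $entity_type && !user_access($entity_type . ' entity js delete ' . $bundle)) {`. A short comment that bundles named after their type deliberately fall through to the type-level permission would save the next reader from reading hook_permission() to work that out. entity_js_delete_entity() continues past the end of this hunk.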
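Review bot: This hunk adds the same three-line bundle guard that the update and delete callbacks in this commit carry, each with the `$entity->type` assumption baked in; a single helper would keep the "bundle named after its type has no permission of its own" rule in one place and make the bundle lookup fixable once. With such a helper the guard here becomes `if (!entity_js_bundle_access($entity_type, $entity, 'read')) { return drupal_access_denied(); }`. Note also that the early return leaves entity_js_drupal_render_entity_view() before the `exit()` that the success path relies on, so the 403 is delivered through the normal menu return path rather than the raw print used for the rendered view; presumably fine, but worth a one-line comment since the two exits differ.
```php
/**
 * Checks the bundle-level JavaScript permission for an already loaded entity.
 *
 * Mirrors hook_permission(): a bundle named after its entity type has no
 * bundle permission of its own, so only the type-level permission applies.
 */
function entity_js_bundle_access($entity_type, $entity, $op) {
  list(, , $bundle) = entity_extract_ids($entity_type, $entity);
  return $bundle === $entity_type || user_access($entity_type . ' entity js ' . $op . ' ' . $bundle);
}
```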
@@ -163,7 +189,12 @@ function entity_js_drupal_render_entity_view($entity_type, $entity_id, $view_mod
 * Entity as JSON function for JavaScript callbacks.
 */
 function entity_js_load_single_json($entity_type, $entity_id) {
- return drupal_json_output(entity_load_single($entity_type, $entity_id));
+ if ($entity = entity_load_single($entity_type, $entity_id)) {
+ if ($entity->type !== $entity_type && !user_access($entity_type . ' entity js read ' . $entity->type)) {
+ return drupal_access_denied();
+ }
+ return drupal_json_output($entity);
+ }
 }
 /**
@@ -176,6 +207,15 @@ function entity_js_efq_json() {
 if ($condition[0] == 'entity_type' && !user_access($condition[1] . ' entity js read')) {
 return FALSE;
 }
+ if ($condition[0] == 'entity_type' && user_access($condition[1] . ' entity js read')) {
+ $entity_type = $condition[1];
+ }
+ if ($condition[0] == 'bundle' && !isset($entity_type)) {
+ return FALSE;
+ }
+ if ($condition[0] == 'bundle' && !user_access($entity_type . ' entity js read ' . $condition[1])) {
+ return FALSE;
+ }
 }
 return TRUE;
 }
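Review bot: When the entity does not load, entity_js_load_single_json() now falls off the end and returns NULL, so the client receives an empty 200 body where the removed line returned the JSON literal `false`; keep the miss explicit with an `else { return drupal_json_output(FALSE); }` (or `drupal_not_found()` if a 404 is the intended contract). The new guard reads `$entity->type`, which exists only for entity types whose bundle key is `type`; `list(, , $bundle) = entity_extract_ids($entity_type, $entity);` resolves the bundle for any type and yields the type name when there is no bundle key, matching the `!== $entity_type` skip. On denial a JSON client is handed the HTML access-denied page from drupal_access_denied(); the other endpoints do the same, so that is a module-wide convention to settle rather than a defect of this hunk, but it deserves a comment on this endpoint in particular.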
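Review bot: The bundle-level read permission is enforced only when the client includes a `bundle` condition: a query that names just `entity_type` passes on the type-level 'read' permission alone and returns entities of every bundle, which is precisely what the reworded description in hook_permission ('Requires "read" access for the requested entity bundle') says should not happen. After the loop, when an entity type was named but no bundle was constrained, require the read permission for each bundle of that type (or refuse the query). The check is also order-dependent — `isset($entity_type)` only holds once the `entity_type` condition has been seen, so a client that lists `bundle` first is refused even with the right permissions (fail-closed, but surprising), and if `$entity_type` is assigned earlier in the function the isset test is moot. The loop and the function's opening lines are outside the hunk, so I cannot see how `$conditions` arrives or whether `$entity_type` is initialised.
```php
    // … unchanged: per-condition entity_type / bundle checks …
    if ($condition[0] == 'bundle') {
      $bundle_constrained = TRUE;
    }
  }
  // No bundle condition means the query spans every bundle of the type:
  // require read access to each rather than falling back to the type permission.
  if (isset($entity_type) && empty($bundle_constrained)) {
    $info = entity_get_info($entity_type);
    foreach (array_keys($info['bundles']) as $bundle) {
      if ($bundle !== $entity_type && !user_access($entity_type . ' entity js read ' . $bundle)) {
        return FALSE;
      }
    }
  }
  return TRUE;
```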