diff --git a/core/modules/workspace/src/EntityAccess.php b/core/modules/workspace/src/EntityAccess.php
index 958c436..98432dc 100644
--- a/core/modules/workspace/src/EntityAccess.php
+++ b/core/modules/workspace/src/EntityAccess.php
@@ -124,47 +124,8 @@ protected function bypassAccessResult(AccountInterface $account) {
 // to ALL THE THINGS! That's why this is a dangerous permission.
 $active_workspace = $this->workspaceManager->getActiveWorkspace();
- return AccessResult::allowedIfHasPermission($account, 'bypass entity access workspace ' . $active_workspace->id())->addCacheableDependency($active_workspace)
- ->orIf(
- AccessResult::allowedIf($active_workspace->getOwnerId() == $account->id())->cachePerUser()->addCacheableDependency($active_workspace)
- ->andIf(AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace'))
- );
- }
-
- /**
- * Returns an array of workspace-specific permissions.
- *
- * @return array
- * The workspace permissions.
- */
- public function workspacePermissions() {
- $perms = [];
-
- foreach ($this->entityTypeManager->getStorage('workspace')->loadMultiple() as $workspace) {
- /** @var \Drupal\workspace\WorkspaceInterface $workspace */
- $perms += $this->createWorkspaceBypassPermission($workspace);
- }
-
- return $perms;
- }
-
- /**
- * Derives the "bypass entity access" permission for a specific workspace.
- *
- * @param \Drupal\workspace\WorkspaceInterface $workspace
- * The workspace from which to derive the permission.
- *
- * @return array
- * A single-item array with the permission to define.
- */
- protected function createWorkspaceBypassPermission(WorkspaceInterface $workspace) {
- $perms['bypass entity access workspace ' . 
$workspace->id()] = [
- 'title' => $this->t('Bypass content entity access in %workspace workspace', ['%workspace' => $workspace->label()]),
- 'description' => $this->t('Allow all Edit/Update/Delete permissions for all content in the %workspace workspace', ['%workspace' => $workspace->label()]),
- 'restrict access' => TRUE,
- ];
-
- return $perms;
+ return AccessResult::allowedIf($active_workspace->getOwnerId() == $account->id())->cachePerUser()->addCacheableDependency($active_workspace)
+ ->andIf(AccessResult::allowedIfHasPermission($account, 'bypass entity access own workspace'));
 }
 }
diff --git a/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php b/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php
index 37e3fbe..df33399 100644
--- a/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php
+++ b/core/modules/workspace/tests/src/Functional/WorkspaceBypassTest.php
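Review bot: The owner check in the new `return` of `bypassAccessResult()` uses a loose comparison, `$active_workspace->getOwnerId() == $account->id()`, so a workspace with no owner (a NULL or empty owner id, if that can occur) would compare equal to the anonymous account's id 0. Now that ownership is the only path to the bypass, I would make the check explicit, e.g. `AccessResult::allowedIf($active_workspace->getOwnerId() !== NULL && (int) $active_workspace->getOwnerId() === (int) $account->id())`. The function starts above this hunk, so whether `$active_workspace` is guaranteed to have an owner is not visible here. Separately, roles that were already granted a 'bypass entity access workspace <id>' permission presumably keep that string in their configuration after this removal; an update path that strips it would avoid stale grants. The comment above the return still reads as describing a broad bypass and could be reworded to say it now applies only to the workspace owner.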
@@ -21,63 +21,6 @@ class WorkspaceBypassTest extends BrowserTestBase {
 public static $modules = ['node', 'user', 'block', 'workspace'];
 /**
- * Verifies that a user can edit anything in a workspace with a specific perm.
- */
- public function testBypassSpecificWorkspace() {
- $permissions = [
- 'create workspace',
- 'edit own workspace',
- 'view own workspace',
- ];
-
- $this->createContentType(['type' => 'test', 'label' => 'Test']);
- $this->setupWorkspaceSwitcherBlock();
-
- $ditka = $this->drupalCreateUser(array_merge($permissions, ['create test content']));
-
- // Login as a limited-access user and create a workspace.
- $this->drupalLogin($ditka);
-
- $this->createNodeThroughUi('Vanilla node', 'test');
-
- $bears = $this->createWorkspaceThroughUi('Bears', 'bears');
- $this->switchToWorkspace($bears);
-
- // Now create a node in the Bears workspace, as the owner of that workspace.
- $ditka_bears_node = $this->createNodeThroughUi('Ditka Bears node', 'test');
- $ditka_bears_node_id = $ditka_bears_node->id();
-
- // Create a new user that should be able to edit anything in the Bears
- // workspace.
- $lombardi = $this->drupalCreateUser(array_merge($permissions, ['view any workspace', 'bypass entity access workspace ' . $bears->id()]));
- $this->drupalLogin($lombardi);
- $this->switchToWorkspace($bears);
-
- // Because Lombardi has the bypass permission, he should be able to create
- // and edit any node.
- $this->drupalGet('/node/' . $ditka_bears_node_id . '/edit');
- $this->assertSession()->statusCodeEquals(200);
-
- $lombardi_bears_node = $this->createNodeThroughUi('Lombardi Bears node', 'test');
- $lombardi_bears_node_id = $lombardi_bears_node->id();
-
- $this->drupalLogin($ditka);
- $this->switchToWorkspace($bears);
-
- $this->drupalGet('/node/' . $lombardi_bears_node_id . '/edit');
- $this->assertSession()->statusCodeEquals(403);
-
- // Create a new user that should NOT be able to edit anything in the Bears
- // workspace.
- $belichick = $this->drupalCreateUser(array_merge($permissions, ['view any workspace']));
- $this->drupalLogin($belichick);
- $this->switchToWorkspace($bears);
-
- $this->drupalGet('/node/' . $ditka_bears_node_id . '/edit');
- $this->assertSession()->statusCodeEquals(403);
- }
-
- /**
 * Verifies that a user can edit anything in a workspace they own.
 */
 public function testBypassOwnWorkspace() {
diff --git a/core/modules/workspace/workspace.permissions.yml b/core/modules/workspace/workspace.permissions.yml
index 569957b..4856449 100644
--- a/core/modules/workspace/workspace.permissions.yml
+++ b/core/modules/workspace/workspace.permissions.yml
@@ -26,9 +26,3 @@ bypass entity access own workspace:
 title: Bypass content entity access in own workspace
 description: Allow all Edit/Update/Delete permissions for all content entities in a workspace owned by the user.
 restrict access: TRUE
-
-update any workspace from its target:
- title: Update any workspace from its target
-
-permission_callbacks:
- - Drupal\workspace\EntityAccess::workspacePermissions