Merge pull request #12 from donquixote/issue-49-preview-own-unpublished

Issue CollaboraOnline#49: Preview own unpublished permission
donquixote · Nov 25, 2024 · 340b3b4 · 340b3b4
2 parents 2dc8e3d + cb0c399
commit 340b3b4
Show file tree

Hide file tree

Showing 6 changed files with 411 additions and 272 deletions.
diff --git a/README.md b/README.md
@@ -197,24 +197,27 @@ Collabora is used within Drupal.  Most of the time this permission is
 not needed, if the Collabora instance is configured from outside of
 Drupal.
 
-For each media type, the module introduces two permissions:
-- (media type): Edit any media file in Collabora Users with this
-  permission are allowed to edit documents attached to a media entity
-  of the given type, using the Collabora Online editor.
-- (media type): Preview media file in Collabora Users with this
-  permission are allowed to preview documents attached to a media
-  entity of the given type, using the Collabora Online editor in
-  preview/readonly mode.
-
-In the current version, preview and edit access with the Collabora
-Online editor are checked independently of the publishing status of
-the respective media, and independently of the regular view or edit
-access on that media entity.
-
-For a consistent experience, it is recommended that a role with the
-edit permission should also be granted the preview permission, and
-that a user with any of the Collabora media permissions should also be
-granted permissions to view the respective media entity in Drupal.
+For each media type, the module introduces four permissions:
+- "(media type): Edit any media file in Collabora"  
+  Users with this permission are allowed to edit documents attached
+  to a media entity of the given type, using the Collabora Online
+  editor.
+- "(media type): Edit own media file in Collabora"  
+  Users with this permission are allowed to edit documents attached
+  to a media entity of the given type, using the Collabora Online
+  editor, if they are the owner/author of that media entity.
+- "(media type): Preview published media file in Collabora"  
+  Users with this permission are allowed to preview documents attached
+  to a published media entity of the given type, using the Collabora
+  Online editor in preview/readonly mode.
+- "(media type): Preview own unpublished media file in Collabora"  
+  Users with this permission are allowed to preview documents attached
+  to an unpublished media entity of the given type, using the Collabora Online
+  editor in preview/readonly mode.
+
+In the current version of this module, the 'administer media' permission
+from Drupal core grants access to all media operations, including the use
+of the Collabora Online editor for preview and edit.
 
 Developers can use entity access hooks to alter which users may edit
 or preview media files in Collabora. This would allow to grant access

diff --git a/collabora_online.module b/collabora_online.module
@@ -126,21 +126,51 @@ function collabora_online_media_access(MediaInterface $media, string $operation,
     $type = $media->bundle();
     switch ($operation) {
         case 'preview in collabora':
-            return AccessResult::allowedIfHasPermission($account, "preview $type in collabora");
+            if ($media->isPublished()) {
+                return AccessResult::allowedIfHasPermission($account, "preview $type in collabora")
+                    ->addCacheableDependency($media);
+            }
+            $preview_own_permission = "preview own unpublished $type in collabora";
+            $access_result = AccessResult::allowedIfHasPermission($account, $preview_own_permission)
+                ->addCacheableDependency($media);
+            if (!$access_result->isAllowed()) {
+                return $access_result;
+            }
+            // Use '==' because Drupal sometimes loads integers as strings.
+            $is_owner = ($account->id() && $account->id() == $media->getOwnerId());
+            if ($is_owner) {
+                $access_result = AccessResult::allowed();
+            }
+            else {
+                $access_result = AccessResult::neutral()
+                    ->setReason("The user has the '$preview_own_permission' permission, but is not the owner of the media item.");
+            }
+            return $access_result
+                ->cachePerUser()
+                ->addCacheableDependency($media);
 
         case 'edit in collabora':
             if ($account->hasPermission("edit any $type in collabora")) {
-                return AccessResult::allowed()->cachePerPermissions();
+                return AccessResult::allowed()
+                    ->cachePerPermissions();
             }
-            if ($account->hasPermission("edit own $type in collabora")) {
-                // Use '==' because Drupal sometimes loads integers as strings.
-                $is_owner = ($account->id() && $account->id() == $media->getOwnerId());
-                return AccessResult::allowedIf($is_owner)
-                    ->cachePerPermissions()
-                    ->cachePerUser()
-                    ->addCacheableDependency($media);
+            $edit_own_permission = "edit own $type in collabora";
+            $access_result = AccessResult::allowedIfHasPermission($account, $edit_own_permission);
+            if (!$access_result->isAllowed()) {
+                return $access_result;
+            }
+            // Use '==' because Drupal sometimes loads integers as strings.
+            $is_owner = ($account->id() && $account->id() == $media->getOwnerId());
+            if (!$is_owner) {
+                $access_result = AccessResult::neutral()
+                    ->setReason("The user has the '$edit_own_permission' permission, but is not the owner of the media item.");
+            }
+            else {
+                $access_result = AccessResult::allowed();
             }
-            return AccessResult::neutral()->cachePerPermissions();
+            return $access_result
+                ->cachePerUser()
+                ->addCacheableDependency($media);
 
         default:
             return AccessResult::neutral();

diff --git a/src/CollaboraMediaPermissions.php b/src/CollaboraMediaPermissions.php
@@ -77,7 +77,10 @@ protected function buildPermissions(MediaTypeInterface $type) {
 
         return [
             "preview $type_id in collabora" => [
-                'title' => $this->t('%type_name: Preview media file in Collabora', $type_params),
+                'title' => $this->t('%type_name: Preview published media file in Collabora', $type_params),
+            ],
+            "preview own unpublished $type_id in collabora" => [
+                'title' => $this->t('%type_name: Preview own unpublished media file in Collabora', $type_params),
             ],
             "edit own $type_id in collabora" => [
                 'title' => $this->t('%type_name: Edit own media file in Collabora', $type_params),

diff --git a/tests/src/Functional/AccessTest.php b/tests/src/Functional/AccessTest.php