From b14310cdd35133ce460c7d3d065620e2d39a63bc Mon Sep 17 00:00:00 2001
From: Liam Morland <lkmorlan@uwaterloo.ca>
Date: Thu, 11 Mar 2021 12:17:50 -0500
Subject: [PATCH] ISTWCMS-4632: Create permission 'administer role expire
 configuration'

---
 src/Access/UwNodeAccessCheck.php            | 5 +++++
 src/Routing/UwNodeAccessRouteSubscriber.php | 2 ++
 uw_cfg_common.permissions.yml               | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/src/Access/UwNodeAccessCheck.php b/src/Access/UwNodeAccessCheck.php
index af8a0b17..da03a673 100644
--- a/src/Access/UwNodeAccessCheck.php
+++ b/src/Access/UwNodeAccessCheck.php
@@ -55,6 +55,11 @@ class UwNodeAccessCheck implements AccessInterface {
       }
     }
 
+    // Role Expire config: admin/config/system/role-expire.
+    if ($route_name === 'role_expire.config') {
+      return $account->hasPermission('administer role expire configuration') ? AccessResult::allowed() : AccessResult::forbidden();
+    }
+
     // Get the node object, which is in the route match variable.
     $node = $route_match->getParameter('node');
 
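Review bot: The new `role_expire.config` branch returns `AccessResult::allowed()` or `AccessResult::forbidden()` without any cacheability metadata, although the outcome depends entirely on the account's permissions. Attaching the permissions cache context prevents a cached result from being reused for an account with a different permission set: `return ($account->hasPermission('administer role expire configuration') ? AccessResult::allowed() : AccessResult::forbidden())->cachePerPermissions();`. The enclosing method starts and ends outside the hunk, so whether the other branches already add this context cannot be confirmed from here.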
diff --git a/src/Routing/UwNodeAccessRouteSubscriber.php b/src/Routing/UwNodeAccessRouteSubscriber.php
index 1327c205..1ad413f7 100644
--- a/src/Routing/UwNodeAccessRouteSubscriber.php
+++ b/src/Routing/UwNodeAccessRouteSubscriber.php
@@ -22,6 +22,8 @@ class UwNodeAccessRouteSubscriber extends RouteSubscriberBase {
       'entity.node.delete_form',
       // Menu link edit pages.
       'menu_ui.link_edit',
+      // Role Expire config: admin/config/system/role-expire.
+      'role_expire.config',
     ];
     foreach ($access_route_names as $route_name) {
       if ($route = $collection->get($route_name)) {
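Review bot: The comment on the added `'role_expire.config'` entry gives only the path and does not say which permission now decides access to it. The loop body that alters the route's requirements is outside the hunk. If it replaces the requirements rather than adding to them, the permission declared by the Role Expire module no longer gates this page and the new permission is the only check. I would record that next to the entry, for example `// Role Expire config: admin/config/system/role-expire. Access is decided by UwNodeAccessCheck via 'administer role expire configuration'.`, and confirm that the override of the upstream requirement is intended.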
diff --git a/uw_cfg_common.permissions.yml b/uw_cfg_common.permissions.yml
index 35b905c1..690230c4 100644
--- a/uw_cfg_common.permissions.yml
+++ b/uw_cfg_common.permissions.yml
@@ -1,6 +1,10 @@
 'access content access form':
   title: 'Access content access form'
   description: 'Allows access to the content access form.'
+'administer role expire configuration':
+  title: 'Administer role expire configuration'
+  description: 'Allows access to admin/config/system/role-expire.'
+  restrict access: true
 'bypass home page protection':
   title: 'Bypass home page protection'
   description: 'Allows taking actions that are not normally allowed for the home page, such as unpublishing.'
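Review bot: The description of the new `'administer role expire configuration'` permission names only a URL, so an administrator granting it cannot tell what the holder is able to change. Because the entry is marked `restrict access: true`, the permissions page will flag it as security-sensitive, and the description should state the capability rather than the path. A wording such as `description: 'Allows changing the Role Expire settings at admin/config/system/role-expire.'` would do.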
-- 
GitLab