From 5e2da7ffb39867f4532ab7b209c36d90b2e16913 Mon Sep 17 00:00:00 2001
From: Chris Novak <chrisnovak@google.com>
Date: Tue, 31 Mar 2020 15:59:16 -0700
Subject: [PATCH] Fixes #392 (#394) Visibility attribute for API product not
 enforced correctly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Apigee M10n module’s hook_ENTITY_TYPE_access uses the Apigee Monetization API to determine an API Product ‘assign’ access by calling `/developers/{developer}/eligible-products`, which returns AccessResult::allowed for all API products.

This API returns all API Products
1. That are able to be assigned to an App because the developer purchased a Rate plan that contains the API product
2. All API products that are not monetized.

Due to #2, the Apigee Edge module hook_ENTITY_TYPE_access needs to return AccessResult::forbidden when the operation is ‘assign’ and the user does not have the correct role to assign an API product to an app.
---
 apigee_edge.module                                | 15 ++++++++-------
 .../FunctionalJavascript/ApiProductAccessTest.php |  2 +-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/apigee_edge.module b/apigee_edge.module
index 3cde1bbc0..db03e6cd9 100644
--- a/apigee_edge.module
+++ b/apigee_edge.module
@@ -365,8 +365,9 @@ function apigee_edge_entity_view(array &$build, EntityInterface $entity, EntityV
  * for the API Product (entity) if the API product's access attribute value is
  * either one of the selected access attribute values OR if a developer
  * app is in association with the selected API product.
- * - If operation is "assign" then second part of the previous sentence does
- * not apply only access attribute's value matters.
+ * - If operation is "assign" then disallow access if the role is configured
+ * in the "Access by visibility" settings at the route
+ * apigee_edge.settings.developer.api_product_access.
  */
 function apigee_edge_api_product_access(EntityInterface $entity, $operation, AccountInterface $account) {
   /** @var \Drupal\apigee_edge\Entity\ApiProductInterface $entity */
@@ -386,12 +387,12 @@ function apigee_edge_api_product_access(EntityInterface $entity, $operation, Acc
     // access setting but we should still grant view access
     // if they have a developer app in association with this API product.
     if (empty(array_intersect($visible_to_roles, $account->getRoles()))) {
-      // We should not return allowed if the operation is "assign"
-      // just because a user has an app with the API product.
-      // Displaying these API products to a user should be solved on the
-      // form level always.
+
       if ($operation === 'assign') {
-        $result = AccessResult::neutral();
+        // If the apigee_edge.settings.developer.api_product_access settings
+        // limits access to this API product, do not allow user to assign it
+        // to an application.
+        $result = AccessResult::forbidden("User {$account->getEmail()} is does not have permissions to see API Product with visibility {$product_visibility}.");
       }
       else {
         $result = _apigee_edge_user_has_an_app_with_product($entity->id(), $account, TRUE);
diff --git a/tests/src/FunctionalJavascript/ApiProductAccessTest.php b/tests/src/FunctionalJavascript/ApiProductAccessTest.php
index b764dfc98..843be3b4d 100644
--- a/tests/src/FunctionalJavascript/ApiProductAccessTest.php
+++ b/tests/src/FunctionalJavascript/ApiProductAccessTest.php
@@ -179,7 +179,7 @@ protected function entityAccessTest() {
         ];
         $this->saveAccessSettings($settings);
         // We have to clear entity access control handler's static cache because
-        // otherwise access results comes from there instead of gets
+        // otherwise access results comes from there instead of getting
         // recalculated.
         $this->accessControlHandler->resetCache();
         foreach ($this->users as $userRole => $user) {