Merge pull request #10751 from xini/patch-7

make Group use tri-state can* extension hooks, fixes #9580

src/Security/Group.php

@@ -583,12 +583,10 @@ class Group extends DataObject
             $member = Security::getCurrentUser();
         }
 
-        // extended access checks
+        // check for extensions, we do this first as they can overrule everything
-        $results = $this->extend('canEdit', $member);
+        $extended = $this->extendedCan(__FUNCTION__, $member);
-        if ($results && is_array($results)) {
+        if ($extended !== null) {
-            if (!min($results)) {
+            return $extended;
-                return false;
-            }
         }
 
         if (// either we have an ADMIN
@@ -619,12 +617,10 @@ class Group extends DataObject
             $member = Security::getCurrentUser();
         }
 
-        // extended access checks
+        // check for extensions, we do this first as they can overrule everything
-        $results = $this->extend('canView', $member);
+        $extended = $this->extendedCan(__FUNCTION__, $member);
-        if ($results && is_array($results)) {
+        if ($extended !== null) {
-            if (!min($results)) {
+            return $extended;
-                return false;
-            }
         }
 
         // user needs access to CMS_ACCESS_SecurityAdmin
@@ -646,12 +642,10 @@ class Group extends DataObject
             $member = Security::getCurrentUser();
         }
 
-        // extended access checks
+        // check for extensions, we do this first as they can overrule everything
-        $results = $this->extend('canDelete', $member);
+        $extended = $this->extendedCan(__FUNCTION__, $member);
-        if ($results && is_array($results)) {
+        if ($extended !== null) {
-            if (!min($results)) {
+            return $extended;
-                return false;
-            }
         }
 
         return $this->canEdit($member);