From 9f13ea38f0d464a79a953acf99d2fe2edc1f826b Mon Sep 17 00:00:00 2001
From: Vincent Gao
Date: Wed, 18 Mar 2026 20:49:09 +1100
Subject: [PATCH] [SD-992] Add "Secure file approver" role
---
 .../user.role.secure_file_approver.yml | 85 +++++++++++++++++++
 .../tide_media_secure_files.install | 27 ++++++
 2 files changed, 112 insertions(+)
 create mode 100644 modules/tide_media/modules/tide_media_secure_files/config/install/user.role.secure_file_approver.yml
diff --git a/modules/tide_media/modules/tide_media_secure_files/config/install/user.role.secure_file_approver.yml b/modules/tide_media/modules/tide_media_secure_files/config/install/user.role.secure_file_approver.yml
new file mode 100644
index 000000000..bf0948a23
--- /dev/null
+++ b/modules/tide_media/modules/tide_media_secure_files/config/install/user.role.secure_file_approver.yml
@@ -0,0 +1,85 @@
+langcode: en
+status: true
+dependencies:
+ config:
+ - media.type.secure_file
+ - filter.format.admin_text
+ - filter.format.rich_text
+ - filter.format.summary_text
+ module:
+ - media
+ - block
+ - content_lock
+ - content_moderation
+ - entity_browser
+ - filter
+ - node
+ - path
+ - redirect
+ - scheduled_transitions
+ - system
+ - paragraphs_library
+ - tide_core
+ - toolbar
+id: secure_file_approver
+label: 'Secure File Approver'
+weight: 103
+is_admin: null
+permissions:
+ - 'create field_secure_file'
+ - 'create secure_file media'
+ - 'delete any secure_file media'
+ - 'delete any secure_file media revisions'
+ - 'delete own secure_file media'
+ - 'edit any secure_file media'
+ - 'edit field_secure_file'
+ - 'edit own field_secure_file'
+ - 'edit own secure_file media'
+ - 'revert any secure_file media revisions'
+ - 'view any secure_file media revisions'
+ - 'view field_secure_file'
+ - 'view own field_secure_file'
+ - 'access administration pages'
+ - 'access content overview'
+ - 'access media overview'
+ - 'access toolbar'
+ - 'administer blocks'
+ - 'addrow tablefield'
+ - 'administer menu'
+ - 'administer redirects'
+ - 'administer url aliases'
+ - 'break content lock'
+ - 'create document media'
+ - 'create file media'
+ - 'create image media'
+ - 'create url aliases'
+ - 'create paragraph library item'
+ - 'edit paragraph library item'
+ - 'delete all revisions'
+ - 'delete any media'
+ - 'delete media'
+ - 'edit any audio media'
+ - 'edit any document media'
+ - 'edit any file media'
+ - 'edit any image media'
+ - 'import tablefield'
+ - 'rebuild tablefield'
+ - 'revert all revisions'
+ - 'update media'
+ - 'use editorial transition archive'
+ - 'use editorial transition archived_draft'
+ - 'use editorial transition archived_published'
+ - 'use editorial transition create_new_draft'
+ - 'use editorial transition needs_review'
+ - 'use editorial transition needs_review_draft'
+ - 'use editorial transition publish'
+ - 'use text format admin_text'
+ - 'use text format rich_text'
+ - 'use text format summary_text'
+ - 'view all revisions'
+ - 'view all scheduled transitions'
+ - 'view any unpublished content'
+ - 'view latest version'
+ - 'view own unpublished content'
+ - 'view the administration theme'
+ - 'tide node bulk update'
diff --git a/modules/tide_media/modules/tide_media_secure_files/tide_media_secure_files.install b/modules/tide_media/modules/tide_media_secure_files/tide_media_secure_files.install
index 2164bb2ed..83310e7bc 100644
--- a/modules/tide_media/modules/tide_media_secure_files/tide_media_secure_files.install
+++ b/modules/tide_media/modules/tide_media_secure_files/tide_media_secure_files.install
@@ -172,3 +172,30 @@ function tide_media_secure_files_update_10002() {
 \Drupal::logger('tide_media_secure_files')->error('YAML file does not exist.');
 }
 }
+
+/**
+ * Add secure file approver role.
+ */
+function tide_media_secure_files_update_10003() {
+ \Drupal::moduleHandler()->loadInclude('tide_core', 'inc', 'includes/helpers');
+ $config_location = [\Drupal::service('extension.list.module')->getPath('tide_media_secure_files') . '/config/install'];
+ $config_read = _tide_read_config('user.role.secure_file_approver', $config_location, TRUE);
+ $storage = \Drupal::entityTypeManager()->getStorage('user_role');
+ $id = $storage->getIDFromConfigName('user.role.secure_file_approver', $storage->getEntityType()->getConfigPrefix());
+ if ($storage->load($id) == NULL) {
+ $role = $storage->createFromStorageRecord($config_read);
+ $role->save();
+ // Copy permissions from approver and secure_file_user if they exist.
+ $source_roles = ['approver', 'secure_file_user'];
+ foreach ($source_roles as $source_rid) {
+ $source_role = Role::load($source_rid);
+ if ($source_role) {
+ foreach ($source_role->getPermissions() as $permission) {
+ if (!$role->hasPermission($permission)) {
+ $role->grantPermission($permission);
+ }
+ }
+ }
+ }
+ }
+}
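Review bot: The `permissions` list gives a role named for approving secure files a site-wide administrative reach that is not specific to `secure_file` media: `administer blocks`, `administer menu`, `administer redirects`, `administer url aliases`, `delete any media`, `delete all revisions`, `break content lock` and `use text format admin_text`. If the list deliberately mirrors the existing approver role (not visible in this patch), record that in a comment at the top of the file, for example `# Approver permissions plus the secure_file media and field permissions; keep in sync with the approver role.`; otherwise trim it to the `secure_file` entries and the editorial transitions this role actually needs. The `dependencies` block also leaves out the providers of several listed permissions (the tablefield ones and the `field_secure_file` field permissions, for instance), and recent Drupal versions refuse to save a role that carries an undefined permission, so it is worth confirming that the install cannot fail on a site where those modules are absent.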
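Review bot: The permissions copied from `approver` and `secure_file_user` in `tide_media_secure_files_update_10003()` are never persisted, because `$role->save();` runs before the `foreach` and nothing saves the role after the `grantPermission()` calls; if the copy is intended, move `$role->save();` to after the outer loop. Before making it effective, consider whether the copy is wanted at all: it would make the new role's privileges depend on whatever those two roles hold on each site when the update runs, so the result can differ from the shipped YAML and from a fresh install, and any extra permission those roles have accumulated is inherited silently. `Role` is referenced by its short name and the file's `use` statements are outside the hunk, so either confirm `Drupal\user\Entity\Role` is imported or reuse the storage already at hand with `$source_role = $storage->load($source_rid);`. The result of `_tide_read_config()` is also passed to `createFromStorageRecord()` unchecked, unlike the "YAML file does not exist" handling visible at the end of the previous update hook.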