/**
 * Tests user token replacement with a picture, without one, and for the
 * current-user and anonymous cases.
 */
function testUserTokens() {
  // Upload a picture for the test account through the user edit form.
  $test_images = $this->drupalGetTestFiles('image');
  $image = current($test_images);
  $edit = ['files[user_picture_0]' => drupal_realpath($image->uri)];
  $edit_path = 'user/' . $this->account->id() . '/edit';
  $this->drupalPostForm($edit_path, $edit, t('Save'));

  // Drop the storage cache so the account is re-read with the saved picture.
  $user_storage = \Drupal::entityManager()->getStorage('user');
  $user_storage->resetCache();
  $this->account = $user_storage->load($this->account->id());
  $this->assertTrue(!empty($this->account->user_picture->target_id), 'User picture uploaded.');

  /** @var \Drupal\Core\Render\RendererInterface $renderer */
  $renderer = \Drupal::service('renderer');
  $picture_build = ['#theme' => 'user_picture', '#account' => $this->account];

  // For the 'user' token type the ip-address token is expected to be empty.
  $expected = [
    'picture' => $renderer->render($picture_build),
    'picture:fid' => $this->account->user_picture->target_id,
    'picture:size-raw' => 125,
    'ip-address' => NULL,
    'roles' => implode(', ', $this->account->getRoles()),
  ];
  $this->assertTokens('user', ['user' => $this->account], $expected);

  // Remove the simpletest-created user role (the last one in the list).
  $account_roles = $this->account->getRoles();
  $this->account->removeRole(end($account_roles));
  $this->account->save();

  // Delete the picture field storage, then reload the account without it.
  FieldStorageConfig::loadByName('user', 'user_picture')->delete();
  $user_storage->resetCache();
  $this->account = $user_storage->load($this->account->id());

  $expected = [
    'picture' => NULL,
    'picture:fid' => NULL,
    'ip-address' => NULL,
    'roles' => 'authenticated',
    'roles:keys' => (string) DRUPAL_AUTHENTICATED_RID,
  ];
  $this->assertTokens('user', ['user' => $this->account], $expected);

  // The ip address token should work for the current user token type.
  $expected = ['ip-address' => \Drupal::request()->getClientIp()];
  $this->assertTokens('current-user', [], $expected);

  // An anonymous session exposes only the anonymous role.
  $anonymous = new AnonymousUserSession();
  $expected = [
    'roles' => 'anonymous',
    'roles:keys' => (string) DRUPAL_ANONYMOUS_RID,
  ];
  $this->assertTokens('user', ['user' => $anonymous], $expected);
}
/**
 * {@inheritdoc}
 *
 * Cached by role, invalidated whenever permissions change.
 */
public function generate(AccountInterface $account) {
  // User 1 is the super user and can always access all permissions, so it
  // gets its own unique identifier instead of a hash derived from its roles.
  if ($account->id() == 1) {
    return $this->hash('is-super-user');
  }

  // Sorting makes the cache ID independent of the order roles are returned
  // in; accounts with the same role set share one entry.
  $role_ids = $account->getRoles();
  sort($role_ids);
  $cid = 'user_permissions_hash:' . implode(',', $role_ids);

  // Fast path: the static cache already holds the hash.
  $static_hit = $this->static->get($cid);
  if ($static_hit) {
    return $static_hit->data;
  }

  // Tag the entry with the role config entities it was computed from.
  $tags = Cache::buildTags('config:user.role', $role_ids, '.');
  $persistent_hit = $this->cache->get($cid);
  if ($persistent_hit) {
    $hash = $persistent_hit->data;
  }
  else {
    $hash = $this->doGenerate($role_ids);
    $this->cache->set($cid, $hash, Cache::PERMANENT, $tags);
  }

  // Prime the static cache for later calls.
  $this->static->set($cid, $hash, Cache::PERMANENT, $tags);
  return $hash;
}
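/**
 * {@inheritdoc}
 *
 * Records the current user's display name, authentication state, role
 * labels, the matching authentication provider and the configured anonymous
 * user name into $this->data.
 */
public function collect(Request $request, Response $response, \Exception $exception = NULL) {
  $this->data['name'] = $this->currentUser->getDisplayName();
  $this->data['authenticated'] = $this->currentUser->isAuthenticated();

  $this->data['roles'] = [];
  $storage = $this->entityManager->getStorage('user_role');
  foreach ($this->currentUser->getRoles() as $role) {
    $entity = $storage->load($role);
    // load() returns NULL when no role entity exists for the ID. Record the
    // raw role ID in that case rather than calling label() on NULL.
    $this->data['roles'][] = $entity ? $entity->label() : $role;
  }

  // There is no break here: if several providers apply to the request, the
  // last one in sorted order is the one recorded.
  foreach ($this->providerCollector->getSortedProviders() as $provider_id => $provider) {
    if ($provider->applies($request)) {
      $this->data['provider'] = $provider_id;
    }
  }

  $this->data['anonymous'] = $this->configFactory->get('user.settings')->get('anonymous');
}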
/**
 * Checks access for an operation on an eform submission.
 *
 * The 'submit' operation is handled here; every other operation is delegated
 * to the parent implementation.
 */
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
  if ($operation != 'submit') {
    return parent::checkAccess($entity, $operation, $langcode, $account); // TODO: Change the autogenerated stub
  }

  /** @var \Drupal\eform\entity\EFormsubmission $entity */
  $type_roles = $entity->getEFormType()->roles;
  $account_roles = $account->getRoles();
  // NOTE(review): both role lists are read but never compared, so 'submit'
  // is allowed for every account regardless of the roles set on the eform
  // type. If the type's roles are meant to restrict submission, the result
  // must depend on an intersection of the two lists and should carry
  // per-role cache metadata. Confirm the intended rule and the shape of
  // ->roles before enforcing it.
  return AccessResult::allowed();
}
/**
 * Checks access against the route's '_role' requirement.
 *
 * A comma separated list means the account must hold all listed roles; a
 * '+' separated list (or a single role) means any one of them is enough.
 * The two separators are not combined: when the requirement contains a
 * comma, each comma separated piece is compared as a whole, so a piece such
 * as 'a+b' is treated as one role ID.
 *
 * @param \Symfony\Component\Routing\Route $route
 *   The route to check against.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The currently logged in account.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result: allowed when the role requirement is met, neutral
 *   otherwise. Both results are cached per role.
 */
public function access(Route $route, AccountInterface $account) {
  // Requirements just allow strings, so this might be a comma separated list.
  $requirement = $route->getRequirement('_role');
  $account_roles = $account->getRoles();

  $all_of = array_filter(array_map('trim', explode(',', $requirement)));
  if (count($all_of) > 1) {
    // AND semantics: no required role may be missing from the account.
    if (!array_diff($all_of, $account_roles)) {
      return AccessResult::allowed()->cachePerRole();
    }
  }
  else {
    // OR semantics: one matching role is sufficient.
    $any_of = array_filter(array_map('trim', explode('+', $requirement)));
    if (array_intersect($any_of, $account_roles)) {
      return AccessResult::allowed()->cachePerRole();
    }
  }

  // If there is no allowed role, give other access checks a chance. Neutral
  // is not a denial; another check on the route can still grant access.
  return AccessResult::neutral()->cachePerRole();
}
/**
 * {@inheritdoc}
 *
 * Cached by role, invalidated whenever permissions change.
 */
public function generate(AccountInterface $account) {
  // The hash depends only on the sorted role set; the account ID is not
  // consulted, so accounts with identical roles share one cache entry.
  $role_ids = $account->getRoles();
  sort($role_ids);
  $cid = 'user_permissions_hash:' . implode(',', $role_ids);

  $cached = $this->cache->get($cid);
  if ($cached) {
    return $cached->data;
  }

  // Cache miss: compute the hash and store it tagged with the roles used.
  $hash = $this->doGenerate($role_ids);
  $this->cache->set($cid, $hash, Cache::PERMANENT, array('user_role' => $role_ids));
  return $hash;
}
/**
 * {@inheritdoc}
 *
 * Cached by role, invalidated whenever permissions change.
 */
public function generate(AccountInterface $account) {
  // The hash depends only on the sorted role set; the account ID is not
  // consulted, so accounts with identical roles share one cache entry.
  $role_ids = $account->getRoles();
  sort($role_ids);
  $cid = 'user_permissions_hash:' . implode(',', $role_ids);

  $cached = $this->cache->get($cid);
  if ($cached) {
    return $cached->data;
  }

  // Cache miss: compute the hash, then store it with one cache tag per role
  // config entity.
  $hash = $this->doGenerate($role_ids);
  $tags = Cache::buildTags('config:user.role', $role_ids, '.');
  $this->cache->set($cid, $hash, Cache::PERMANENT, $tags);
  return $hash;
}
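/**
 * Alter user access rules when trying to view, edit or delete a node.
 *
 * Node access modules establish rules for user access to content.
 * hook_node_grants() defines permissions for a user to view, edit or delete
 * nodes by building a $grants array that indicates the permissions assigned to
 * the user by each node access module. This hook is called to allow modules to
 * modify the $grants array by reference, so the interaction of multiple node
 * access modules can be altered or advanced business logic can be applied.
 *
 * The resulting grants are then checked against the records stored in the
 * {node_access} table to determine if the operation may be completed.
 *
 * A module may deny all access to a user by setting $grants to an empty array.
 *
 * Developers may use this hook to either add additional grants to a user or to
 * remove existing grants. These rules are typically based on either the
 * permissions assigned to a user role, or specific attributes of a user
 * account.
 *
 * @param array $grants
 *   The $grants array returned by hook_node_grants().
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account requesting access to content.
 * @param string $op
 *   The operation being performed, 'view', 'update' or 'delete'.
 *
 * @see hook_node_grants()
 * @see hook_node_access_records()
 * @see hook_node_access_records_alter()
 * @ingroup node_access
 */
function hook_node_grants_alter(&$grants, \Drupal\Core\Session\AccountInterface $account, $op) {
  // Our sample module never allows certain roles to edit or delete
  // content. Since some other node access modules might allow this
  // permission, we expressly remove it by returning an empty $grants
  // array for roles specified in our variable setting.

  // Get our list of banned roles.
  $restricted = \Drupal::config('example.settings')->get('restricted_roles');

  if ($op !== 'view' && !empty($restricted)) {
    // Now check the roles for this account against the restrictions.
    foreach ($account->getRoles() as $rid) {
      // Compare strictly: with a loose in_array(), a non-string entry in the
      // setting (for example an integer 0) can match a role ID by type
      // juggling on older PHP versions and strip grants from accounts that
      // are not restricted.
      if (in_array($rid, $restricted, TRUE)) {
        $grants = array();
        // One restricted role is enough; nothing is left to remove.
        break;
      }
    }
  }
}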
/**
 * {@inheritdoc}
 *
 * Returns the configured roles that the account holds. The result is an
 * array, not a boolean: an empty array is falsy, a non-empty one is truthy.
 */
public function access(AccountInterface $account) {
  // array_filter() drops the empty entries from the role option.
  $configured_roles = array_filter($this->options['role']);
  $account_roles = $account->getRoles();
  return array_intersect($configured_roles, $account_roles);
}
/**
 * Grants given user permission to create content of given type.
 *
 * The permissions are added to the first role returned by getRoles(TRUE)
 * and that role is saved, so the grant applies to the role itself rather
 * than to this account alone.
 *
 * @param \Drupal\Core\Session\AccountInterface $account
 *   User to grant permission to.
 * @param string $content_type_id
 *   Content type ID.
 */
protected function grantUserPermissionToCreateContentOfType(AccountInterface $account, $content_type_id) {
  $role_ids = $account->getRoles(TRUE);
  $first_role_id = reset($role_ids);

  /* @var \Drupal\user\RoleInterface $role */
  $role = Role::load($first_role_id);
  // NOTE(review): no guard for an account whose getRoles(TRUE) list is
  // empty; reset() would then return FALSE. Confirm callers always pass an
  // account with at least one such role.
  foreach (['create %s content', 'edit any %s content'] as $permission_pattern) {
    $role->grantPermission(sprintf($permission_pattern, $content_type_id));
  }
  $role->save();
}
/**
 * {@inheritdoc}
 *
 * Grants access when the account has the 'access all views' permission or
 * holds at least one of the roles configured on this plugin.
 */
public function access(AccountInterface $account) {
  // The blanket permission short-circuits the role comparison.
  if ($account->hasPermission('access all views')) {
    return TRUE;
  }

  // array_filter() drops the empty entries from the role option.
  $configured_roles = array_filter($this->options['role']);
  return (bool) array_intersect($configured_roles, $account->getRoles());
}
/**
 * Returns the selected Medium Editor id for an account from editor settings.
 *
 * The first 'roles_editors' entry whose role is both held by the account and
 * returned by filter_get_roles_by_format() for the editor's format is used.
 * Without such an entry the 'default_editor' setting is returned.
 */
public static function getMediumId(Editor $editor, AccountInterface $account) {
  $settings = $editor->getSettings();
  if (empty($settings['roles_editors'])) {
    return $settings['default_editor'];
  }

  // Filter roles in two steps. May avoid a db hit by filter_get_roles_by_format().
  $held_by_account = array_intersect_key($settings['roles_editors'], array_flip($account->getRoles()));
  if ($held_by_account) {
    $allowed_for_format = array_intersect_key($held_by_account, filter_get_roles_by_format($editor->getFilterFormat()));
    if ($allowed_for_format) {
      return reset($allowed_for_format);
    }
  }

  return $settings['default_editor'];
}