/**
* {@inheritdoc}
*
* When the $operation is 'add' then the $entity is of type 'profile_type',
* otherwise $entity is of type 'profile'.
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
$account = $this->prepareUser($account);
$user_page = \Drupal::request()->attributes->get('user');
// Some times, operation edit is called update.
// Use edit in any case.
if ($operation == 'update') {
$operation = 'edit';
}
// Check that if profile type has require roles, the user the profile is
// being added to has any of the required roles.
if ($entity->getEntityTypeId() == 'profile') {
$profile_roles = ProfileType::load($entity->bundle())->getRoles();
$user_roles = $entity->getOwner()->getRoles(TRUE);
if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) {
return AccessResult::forbidden();
}
} elseif ($entity->getEntityTypeId() == 'profile_type') {
$profile_roles = $entity->getRoles();
$user_roles = User::load($user_page->id())->getRoles(TRUE);
if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) {
return AccessResult::forbidden();
}
}
if ($account->hasPermission('bypass profile access')) {
return AccessResult::allowed()->cachePerPermissions();
} elseif ($operation == 'add' && ($user_page->id() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->id() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->id() . ' profile')) || $operation != 'add' && ($entity->getOwnerId() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->getType() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->getType() . ' profile'))) {
return AccessResult::allowed()->cachePerPermissions();
} else {
return AccessResult::forbidden()->cachePerPermissions();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
/** @var \Drupal\file\FileInterface $entity */
if ($operation == 'download' || $operation == 'view') {
if (\Drupal::service('file_system')->uriScheme($entity->getFileUri()) === 'public') {
// Always allow access to file in public file system.
return AccessResult::allowed();
} elseif ($references = $this->getFileReferences($entity)) {
foreach ($references as $field_name => $entity_map) {
foreach ($entity_map as $referencing_entity_type => $referencing_entities) {
/** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */
foreach ($referencing_entities as $referencing_entity) {
$entity_and_field_access = $referencing_entity->access('view', $account, TRUE)->andIf($referencing_entity->{$field_name}->access('view', $account, TRUE));
if ($entity_and_field_access->isAllowed()) {
return $entity_and_field_access;
}
}
}
}
} elseif ($entity->getOwnerId() == $account->id()) {
// This case handles new nodes, or detached files. The user who uploaded
// the file can always access if it's not yet used.
return AccessResult::allowed();
}
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function blockAccess(AccountInterface $account)
{
if ($account->hasPermission('search content')) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
// There is no direct viewing of a menu link, but still for purposes of
// content_translation we need a generic way to check access.
return AccessResult::allowedIfHasPermission($account, 'administer menu');
case 'update':
if (!$account->hasPermission('administer menu')) {
return AccessResult::neutral()->cachePerPermissions();
} else {
// If there is a URL, this is an external link so always accessible.
$access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
/** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */
// We allow access, but only if the link is accessible as well.
if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
$link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE);
$access = $access->andIf($link_access);
}
return $access;
}
case 'delete':
return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity);
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($account->hasPermission('administer tmgmt')) {
// Administrators can do everything.
return AccessResult::allowed()->cachePerPermissions();
}
switch ($operation) {
case 'view':
case 'update':
return AccessResult::allowedIfHasPermission($account, 'create translation jobs')->orIf(AccessResult::allowedIfHasPermission($account, 'accept translation jobs'));
break;
case 'delete':
// Only administrators can delete jobs.
return AccessResult::forbidden();
break;
// Custom operations.
// Custom operations.
case 'submit':
return AccessResult::allowedIfHasPermission($account, 'submit translation jobs');
break;
case 'accept':
return AccessResult::allowedIfHasPermission($account, 'accept translation jobs');
break;
case 'abort':
case 'resubmit':
return AccessResult::allowedIfHasPermission($account, 'submit translation jobs');
break;
}
}
/**
* Checks access to the translation overview for the entity and bundle.
*
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parametrized route.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param string $entity_type_id
* The entity type ID.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(RouteMatchInterface $route_match, AccountInterface $account, $entity_type_id)
{
/* @var \Drupal\Core\Entity\ContentEntityInterface $entity */
$entity = $route_match->getParameter($entity_type_id);
if ($entity && $entity->isTranslatable()) {
// Get entity base info.
$bundle = $entity->bundle();
// Get entity access callback.
$definition = $this->entityManager->getDefinition($entity_type_id);
$translation = $definition->get('translation');
$access_callback = $translation['content_translation']['access_callback'];
$access = call_user_func($access_callback, $entity);
if ($access->isAllowed()) {
return $access;
}
// Check "translate any entity" permission.
if ($account->hasPermission('translate any entity')) {
return AccessResult::allowed()->cachePerPermissions()->inheritCacheability($access);
}
// Check per entity permission.
$permission = "translate {$entity_type_id}";
if ($definition->getPermissionGranularity() == 'bundle') {
$permission = "translate {$bundle} {$entity_type_id}";
}
return AccessResult::allowedIfHasPermission($account, $permission)->inheritCacheability($access);
}
// No opinion.
return AccessResult::neutral();
}
/**
* Checks that there is a forward revision available.
*
* This checker assumes the presence of an '_entity_access' requirement key
* in the same form as used by EntityAccessCheck.
*
* @see EntityAccessCheck.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parametrized route
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, RouteMatchInterface $route_match)
{
// This tab should not show up period unless there's a reason to show it.
// @todo Do we need any extra cache tags here?
$entity = $this->loadEntity($route, $route_match);
return $this->moderationInfo->hasForwardRevision($entity) ? AccessResult::allowed()->addCacheableDependency($entity) : AccessResult::forbidden()->addCacheableDependency($entity);
}
/**
* {@inheritdoc}
*/
public function defaultAccess($operation = 'view', AccountInterface $account = NULL)
{
if ($operation == 'view') {
return AccessResult::allowed();
}
return AccessResult::allowedIfHasPermissions($account, ['create url aliases', 'administer url aliases'], 'OR')->cachePerPermissions();
}
/**
* {@inheritdoc}
*/
public function setUp()
{
parent::setUp();
$cache_contexts_manager = $this->prophesize(CacheContextsManager::class);
$cache_contexts_manager->assertValidTokens()->willReturn(TRUE);
$cache_contexts_manager->reveal();
$container = new Container();
$container->set('cache_contexts_manager', $cache_contexts_manager);
\Drupal::setContainer($container);
$this->viewer = $this->getMock('\\Drupal\\Core\\Session\\AccountInterface');
$this->viewer->expects($this->any())->method('hasPermission')->will($this->returnValue(FALSE));
$this->viewer->expects($this->any())->method('id')->will($this->returnValue(1));
$this->owner = $this->getMock('\\Drupal\\Core\\Session\\AccountInterface');
$this->owner->expects($this->any())->method('hasPermission')->will($this->returnValueMap(array(array('administer users', FALSE), array('change own username', TRUE))));
$this->owner->expects($this->any())->method('id')->will($this->returnValue(2));
$this->admin = $this->getMock('\\Drupal\\Core\\Session\\AccountInterface');
$this->admin->expects($this->any())->method('hasPermission')->will($this->returnValue(TRUE));
$entity_type = $this->getMock('Drupal\\Core\\Entity\\EntityTypeInterface');
$this->accessControlHandler = new UserAccessControlHandler($entity_type);
$module_handler = $this->getMock('Drupal\\Core\\Extension\\ModuleHandlerInterface');
$module_handler->expects($this->any())->method('getImplementations')->will($this->returnValue(array()));
$this->accessControlHandler->setModuleHandler($module_handler);
$this->items = $this->getMockBuilder('Drupal\\Core\\Field\\FieldItemList')->disableOriginalConstructor()->getMock();
$this->items->expects($this->any())->method('defaultAccess')->will($this->returnValue(AccessResult::allowed()));
}
/**
* Checks configuration permission.
*
* @param AccountInterface $account
* (optional) The user for which to check access, or NULL to check access
* for the current user. Defaults to NULL.
* @param bool $return_as_object
* (optional) Defaults to FALSE.
*
* @return bool|\Drupal\Core\Access\AccessResultInterface
* The access result. Returns a boolean if $return_as_object is FALSE (this
* is the default) and otherwise an AccessResultInterface object.
* When a boolean is returned, the result of AccessInterface::isAllowed() is
* returned, i.e. TRUE means access is explicitly allowed, FALSE means
* access is either explicitly forbidden or "no opinion".
*/
public function checkConfigurationAccess(AccountInterface $account = NULL, $return_as_object = FALSE)
{
if (!$account) {
$account = \Drupal::currentUser();
}
// We treat these as our "super-user" accesses. We let the reaction
// rule and component permissions control the main admin UI.
$admin_perms = ['administer rules', 'bypass rules access'];
$access = FALSE;
foreach ($admin_perms as $perm) {
if ($account->hasPermission($perm)) {
$access = TRUE;
break;
}
}
if (!$access) {
// See if the plugin has a configuration_access annotation.
$definition = $this->getPluginDefinition();
if (!empty($definition['configure_permissions']) && is_array($definition['configure_permissions'])) {
foreach ($definition['configure_permissions'] as $perm) {
if ($account->hasPermission($perm)) {
$access = TRUE;
break;
}
}
}
}
if ($return_as_object) {
return $access ? AccessResult::allowed() : AccessResult::neutral();
}
return $access;
}
/**
* Provides test data for testAccess.
*
* @return array
*/
public function providerTestAccess()
{
$no_access = AccessResult::neutral()->cachePerPermissions();
$access = AccessResult::allowed()->cachePerPermissions();
$no_access_due_to_errors = AccessResult::neutral();
return array(array('', 'entity_test', $no_access, $no_access), array('', 'entity_test', $access, $access), array('test_entity', 'entity_test:test_entity', $access, $access), array('test_entity', 'entity_test:test_entity', $no_access, $no_access), array('test_entity', 'entity_test:{bundle_argument}', $access, $access), array('test_entity', 'entity_test:{bundle_argument}', $no_access, $no_access), array('', 'entity_test:{bundle_argument}', $no_access, $no_access_due_to_errors), array('', 'entity_test:{bundle_argument}', $access, $no_access_due_to_errors));
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account)
{
/** @var \Drupal\filter\FilterFormatInterface $filter_format */
// All users are allowed to use the fallback filter.
if ($operation == 'use') {
if ($filter_format->isFallbackFormat()) {
return AccessResult::allowed();
} else {
return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName());
}
}
// The fallback format may not be disabled.
if ($operation == 'disable' && $filter_format->isFallbackFormat()) {
return AccessResult::forbidden();
}
// We do not allow filter formats to be deleted through the UI, because that
// would render any content that uses them unusable.
if ($operation == 'delete') {
return AccessResult::forbidden();
}
if (in_array($operation, array('disable', 'update'))) {
return parent::checkAccess($filter_format, $operation, $langcode, $account);
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($operation === 'view') {
return AccessResult::allowed();
}
return parent::checkAccess($entity, $operation, $account);
}
/**
* Limit access to the Library between 9:00 and 18:30.
*
* @param \Drupal\Core\Session\AccountInterface $account
*/
public function accessLibrary(AccountInterface $account)
{
if (time() >= strtotime('today 9:00') && time() <= strtotime('today 18:30')) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
/** @var \Drupal\crm_core_contact\Entity\ContactType $entity */
// First check permission.
if (parent::checkAccess($entity, $operation, $account)->isForbidden()) {
return AccessResult::forbidden();
}
switch ($operation) {
case 'enable':
// Only disabled contact type can be enabled.
return AccessResult::allowedIf(!$entity->status());
case 'disable':
return AccessResult::allowedIf($entity->status());
case 'delete':
// If contact instance of this contact type exist, you can't delete it.
$results = \Drupal::entityQuery('crm_core_contact')->condition('type', $entity->id())->execute();
return AccessResult::allowedIf(empty($results));
// @todo Which is it?
// @todo Which is it?
case 'edit':
case 'update':
// If the contact type is locked, you can't edit it.
return AccessResult::allowed();
}
}
public function access(AccountInterface $account)
{
if (!$account->id() == 1) {
return AccessResult::forbidden();
}
return AccessResult::allowed();
}
/**
* {@inheritdoc}
*/
public function access(Route $route, AccountInterface $account, NodeInterface $node = NULL)
{
if ($node->bundle() && \Drupal::config('webform.settings')->get('node_' . $node->bundle())) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
/**
* Grants access only to UID 1.
*
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(AccountInterface $account)
{
if ($account->id() == 1) {
return AccessResult::allowed()->addCacheContexts(['user']);
}
return AccessResult::forbidden()->addCacheContexts(['user']);
}
/**
* Checks translation access for the entity and operation on the given route.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parametrized route.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param string $source
* (optional) For a create operation, the language code of the source.
* @param string $target
* (optional) For a create operation, the language code of the translation.
* @param string $language
* (optional) For an update or delete operation, the language code of the
* translation being updated or deleted.
* @param string $entity_type_id
* (optional) The entity type ID.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account, $source = NULL, $target = NULL, $language = NULL, $entity_type_id = NULL)
{
/* @var \Drupal\Core\Entity\ContentEntityInterface $entity */
if ($entity = $route_match->getParameter($entity_type_id)) {
if ($account->hasPermission('translate any entity')) {
return AccessResult::allowed()->cachePerRole();
}
$operation = $route->getRequirement('_access_content_translation_manage');
/* @var \Drupal\content_translation\ContentTranslationHandlerInterface $handler */
$handler = $this->entityManager->getHandler($entity->getEntityTypeId(), 'translation');
// Load translation.
$translations = $entity->getTranslationLanguages();
$languages = $this->languageManager->getLanguages();
switch ($operation) {
case 'create':
$source_language = $this->languageManager->getLanguage($source) ?: $entity->language();
$target_language = $this->languageManager->getLanguage($target) ?: $this->languageManager->getCurrentLanguage(LanguageInterface::TYPE_CONTENT);
$is_new_translation = $source_language->getId() != $target_language->getId() && isset($languages[$source_language->getId()]) && isset($languages[$target_language->getId()]) && !isset($translations[$target_language->getId()]);
return AccessResult::allowedIf($is_new_translation)->cachePerRole()->cacheUntilEntityChanges($entity)->andIf($handler->getTranslationAccess($entity, $operation));
case 'update':
case 'delete':
$language = $this->languageManager->getLanguage($language) ?: $this->languageManager->getCurrentLanguage(LanguageInterface::TYPE_CONTENT);
$has_translation = isset($languages[$language->getId()]) && $language->getId() != $entity->getUntranslated()->language()->getId() && isset($translations[$language->getId()]);
return AccessResult::allowedIf($has_translation)->cachePerRole()->cacheUntilEntityChanges($entity)->andIf($handler->getTranslationAccess($entity, $operation));
}
}
// No opinion.
return AccessResult::neutral();
}
/**
* Tests the method for checking access to routes.
*
* @dataProvider providerTestAccess
*/
public function testAccess($entity_bundle, $requirement, $access, $expected, $expect_permission_context = TRUE)
{
// Set up the access result objects for allowing or denying access.
$access_result = $access ? AccessResult::allowed()->cachePerPermissions() : AccessResult::neutral()->cachePerPermissions();
$expected_access_result = $expected ? AccessResult::allowed() : AccessResult::neutral();
if ($expect_permission_context) {
$expected_access_result->cachePerPermissions();
}
$entity_manager = $this->getMock('Drupal\\Core\\Entity\\EntityManagerInterface');
// Don't expect a call to the access control handler when we have a bundle
// argument requirement but no bundle is provided.
if ($entity_bundle || strpos($requirement, '{') === FALSE) {
$access_control_handler = $this->getMock('Drupal\\Core\\Entity\\EntityAccessControlHandlerInterface');
$access_control_handler->expects($this->once())->method('createAccess')->with($entity_bundle)->will($this->returnValue($access_result));
$entity_manager->expects($this->any())->method('getAccessControlHandler')->will($this->returnValue($access_control_handler));
}
$applies_check = new EntityCreateAccessCheck($entity_manager);
$route = $this->getMockBuilder('Symfony\\Component\\Routing\\Route')->disableOriginalConstructor()->getMock();
$route->expects($this->any())->method('getRequirement')->with('_entity_create_access')->will($this->returnValue($requirement));
$raw_variables = new ParameterBag();
if ($entity_bundle) {
$raw_variables->set('bundle_argument', $entity_bundle);
}
$route_match = $this->getMock('Drupal\\Core\\Routing\\RouteMatchInterface');
$route_match->expects($this->any())->method('getRawParameters')->will($this->returnValue($raw_variables));
$account = $this->getMock('Drupal\\Core\\Session\\AccountInterface');
$this->assertEquals($expected_access_result, $applies_check->access($route, $route_match, $account));
}
/**
* {@inheritdoc}
*/
public function access(Route $route) {
if (\Drupal::moduleHandler()->moduleExists('contextual') && \Drupal::moduleHandler()->moduleExists('field_ui')) {
return AccessResult::allowed();
}
else {
return AccessResult::forbidden();
}
}
/**
* Check if the filter is used for the given filter.
*
* @param \Drupal\Core\Routing\RouteMatchInterface $route
* The route.
*
* @return \Drupal\Core\Access\AccessResult
* An access result.
*/
public function access(RouteMatchInterface $route)
{
$filter = $route->getParameter('filter_format');
if (!$filter || empty($filter->filters()->get('video_embed_wysiwyg')->getConfiguration()['status'])) {
return AccessResult::forbidden()->addCacheableDependency($filter);
}
return AccessResult::allowed()->addCacheableDependency($filter);
}
/**
* {@inheritdoc}
*/
protected function blockAccess(AccountInterface $account)
{
$route_name = $this->routeMatch->getRouteName();
if ($account->isAnonymous() && !in_array($route_name, array('user.login', 'user.logout'))) {
return AccessResult::allowed()->addCacheContexts(['route.name', 'user.roles:anonymous']);
}
return AccessResult::forbidden();
}
/**
* {@inheritdoc}
*/
public function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
if ($operation == 'view') {
return AccessResult::allowed();
} else {
return parent::checkAccess($entity, $operation, $langcode, $account);
}
}
/**
* Tests the access() method with a valid token.
*/
public function testAccessTokenPass()
{
$this->csrfToken->expects($this->once())->method('validate')->with('test_query', 'test-path/42')->will($this->returnValue(TRUE));
$this->routeMatch->expects($this->once())->method('getRawParameters')->will($this->returnValue(array('node' => 42)));
$route = new Route('/test-path/{node}', array(), array('_csrf_token' => 'TRUE'));
$request = Request::create('/test-path/42?token=test_query');
$this->assertEquals(AccessResult::allowed()->setCacheable(FALSE), $this->accessCheck->access($route, $request, $this->routeMatch));
}
/**
* Provides test data for testAccess().
*
* @see \Drupal\Tests\edit\Unit\quickedit\Access\EditEntityFieldAccessCheckTest::testAccess()
*/
public function providerTestAccess()
{
$data = array();
$data[] = array(TRUE, TRUE, AccessResult::allowed());
$data[] = array(FALSE, TRUE, AccessResult::neutral());
$data[] = array(TRUE, FALSE, AccessResult::neutral());
$data[] = array(FALSE, FALSE, AccessResult::neutral());
return $data;
}
/**
* Check to see if user accessed this page.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access()
{
if (!isset($_SESSION['menu_test'])) {
$result = AccessResult::allowed();
} else {
$result = AccessResult::allowedIf($_SESSION['menu_test'] < 2);
}
return $result->setCacheMaxAge(0);
}
/**
* Handles access to the solution add form through collection pages.
*
* @param \Drupal\rdf_entity\RdfInterface $rdf_entity
* The RDF entity for which the solution is created.
*
* @return \Drupal\Core\Access\AccessResult
* The access result object.
*/
public function createSolutionAccess(RdfInterface $rdf_entity)
{
$user = $this->currentUser();
if (empty($rdf_entity) && !$user->isAnonymous()) {
return AccessResult::neutral();
}
$membership = Og::getMembership($rdf_entity, $user);
return !empty($membership) && $membership->hasPermission('create solution rdf_entity') ? AccessResult::allowed() : AccessResult::forbidden();
}
/**
* Check to see if user has any permissions to masquerade.
*
* @param \Drupal\Core\Session\AccountInterface $account
* Run access checks for this account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(AccountInterface $account)
{
// Uid 1 may masquerade as anyone.
if ($account->id() == 1) {
return AccessResult::allowed()->cachePerUser();
}
$permissions = $this->masquerade->getPermissions();
return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR');
}
/**
* Access control for the subscription settings user page.
*
* The user is checked for both global permissions and permissions to edit
* his own subscriptions.
*
* @param \Drupal\Core\Entity\EntityInterface $user
* The user object from the route.
*
* @return \Drupal\Core\Access\AccessResult
* An access result object carrying the result of the check.
*/
public function access(EntityInterface $user)
{
if ($this->currentUser->hasPermission('manage all subscriptions')) {
return AccessResult::allowed();
} elseif (!$this->currentUser->isAnonymous() && $this->currentUser->id() == $user->id() && $this->currentUser->hasPermission('manage own subscriptions')) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
