/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
// There is no direct viewing of a menu link, but still for purposes of
// content_translation we need a generic way to check access.
return AccessResult::allowedIfHasPermission($account, 'administer menu');
case 'update':
if (!$account->hasPermission('administer menu')) {
return AccessResult::neutral()->cachePerPermissions();
} else {
// If there is a URL, this is an external link so always accessible.
$access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
/** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */
// We allow access, but only if the link is accessible as well.
if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
$link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE);
$access = $access->andIf($link_access);
}
return $access;
}
case 'delete':
return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity);
}
}
/**
* {@inheritdoc}
*/
public function access(Route $route, AccountInterface $account, Request $request)
{
$_entity_revision = $request->attributes->get('_entity_revision');
$operation = $route->getRequirement('_entity_access_revision');
list(, $operation) = explode('.', $operation, 2);
return AccessResult::allowedIf($_entity_revision && $this->checkAccess($_entity_revision, $account, $operation))->cachePerPermissions();
}
/**
* Handles access to the rdf_entity proposal form.
*
* @param \Drupal\rdf_entity\RdfEntityTypeInterface $rdf_type
* The RDF entity type for which the proposal form is built.
*
* @return \Drupal\Core\Access\AccessResult
* The access result object.
*/
public function createAssetReleaseAccess(RdfEntityTypeInterface $rdf_type)
{
if (!in_array($rdf_type->id(), ['collection', 'solution'])) {
return AccessResult::forbidden();
}
return AccessResult::allowedIf($this->currentUser()->hasPermission("propose {$rdf_type->id()} rdf entity"));
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
/** @var \Drupal\user\UserInterface $entity*/
// The anonymous user's profile can neither be viewed, updated nor deleted.
if ($entity->isAnonymous()) {
return AccessResult::forbidden();
}
// Administrators can view/update/delete all user profiles.
if ($account->hasPermission('administer users')) {
return AccessResult::allowed()->cachePerRole();
}
switch ($operation) {
case 'view':
// Only allow view access if the account is active.
if ($account->hasPermission('access user profiles') && $entity->isActive()) {
return AccessResult::allowed()->cachePerRole()->cacheUntilEntityChanges($entity);
} else {
if ($account->id() == $entity->id()) {
return AccessResult::allowed()->cachePerUser();
}
}
break;
case 'update':
// Users can always edit their own account.
return AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser();
case 'delete':
// Users with 'cancel account' permission can cancel their own account.
return AccessResult::allowedIf($account->id() == $entity->id() && $account->hasPermission('cancel account'))->cachePerRole()->cachePerUser();
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
public function access(Route $route, AccountInterface $account, RdfInterface $rdf_entity, $operation = 'view')
{
$graph = $route->getOption('graph_name');
$entity_type_id = $route->getOption('entity_type_id');
$storage = $this->entityManager->getStorage($entity_type_id);
if (!$storage instanceof RdfEntitySparqlStorage) {
throw new \Exception('Storage not supported.');
}
// The active graph is the published graph. It is handled by the default
// operation handler.
// @todo: getActiveGraph is not the default. We should load from settings.
$default_graph = $storage->getBundleGraphUri($rdf_entity->bundle(), 'default');
$requested_graph = $storage->getBundleGraphUri($rdf_entity->bundle(), $graph);
if ($requested_graph == $default_graph) {
return AccessResult::neutral();
}
$active_graph_type = $storage->getRequestGraphs($rdf_entity->id());
// Check if there is an entity saved in the passed graph.
$storage->setRequestGraphs($rdf_entity->id(), [$graph]);
$entity = $storage->load($rdf_entity->id());
// Restore active graph.
$storage->setRequestGraphs($rdf_entity->id(), $active_graph_type);
// @todo: When the requested graph is the only one and it is not the
// default, it is loaded in the default view, so maybe there is no need
// to also show a separate tab.
return AccessResult::allowedIf($entity && $this->checkAccess($rdf_entity, $route, $account, $operation, $graph))->cachePerPermissions()->addCacheableDependency($rdf_entity);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
/** @var \Drupal\crm_core_contact\Entity\ContactType $entity */
// First check permission.
if (parent::checkAccess($entity, $operation, $account)->isForbidden()) {
return AccessResult::forbidden();
}
switch ($operation) {
case 'enable':
// Only disabled contact type can be enabled.
return AccessResult::allowedIf(!$entity->status());
case 'disable':
return AccessResult::allowedIf($entity->status());
case 'delete':
// If contact instance of this contact type exist, you can't delete it.
$results = \Drupal::entityQuery('crm_core_contact')->condition('type', $entity->id())->execute();
return AccessResult::allowedIf(empty($results));
// @todo Which is it?
// @todo Which is it?
case 'edit':
case 'update':
// If the contact type is locked, you can't edit it.
return AccessResult::allowed();
}
}
/**
* Checks routing access for the support_ticket revision.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param int $support_ticket_revision
* (optional) The support_ticket revision ID. If not specified, but
* $support_ticket is, access is checked for that object's revision.
* @param \Drupal\support_ticket\SupportTicketInterface $support_ticket
* (optional) A support_ticket object. Used for checking access to a
* support_ticket's default revision when $support_ticket_revision is
* unspecified. Ignored when $support_ticket_revision is specified. If neither
* $support_ticket_revision nor $support_ticket are specified, then access is
* denied.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, AccountInterface $account, $support_ticket_revision = NULL, SupportTicketInterface $support_ticket = NULL)
{
if ($support_ticket_revision) {
$support_ticket = $this->supportTicketStorage->loadRevision($support_ticket_revision);
}
$operation = $route->getRequirement('_access_support_ticket_revision');
return AccessResult::allowedIf($support_ticket && $this->checkAccess($support_ticket, $account, $operation))->cachePerPermissions();
}
/**
* Checks routing access for the node revision.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param int $node_revision
* (optional) The node revision ID. If not specified, but $node is, access
* is checked for that object's revision.
* @param \Drupal\node\NodeInterface $node
* (optional) A node object. Used for checking access to a node's default
* revision when $node_revision is unspecified. Ignored when $node_revision
* is specified. If neither $node_revision nor $node are specified, then
* access is denied.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, AccountInterface $account, $node_revision = NULL, NodeInterface $node = NULL)
{
if ($node_revision) {
$node = $this->nodeStorage->loadRevision($node_revision);
}
$operation = $route->getRequirement('_access_node_revision');
return AccessResult::allowedIf($node && $this->checkAccess($node, $account, $operation))->cachePerPermissions();
}
/**
* Tests the access check method.
*
* @dataProvider providerTestAccess
* @covers ::access
*/
public function testAccess($requirements, $access, array $contexts = [])
{
$access_result = AccessResult::allowedIf($access)->addCacheContexts($contexts);
$user = $this->getMock('Drupal\\Core\\Session\\AccountInterface');
$user->expects($this->any())->method('hasPermission')->will($this->returnValueMap([['allowed', TRUE], ['denied', FALSE], ['other', FALSE]]));
$route = new Route('', [], $requirements);
$this->assertEquals($access_result, $this->accessCheck->access($route, $user));
}
/**
* Check to see if user accessed this page.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access()
{
if (!isset($_SESSION['menu_test'])) {
$result = AccessResult::allowed();
} else {
$result = AccessResult::allowedIf($_SESSION['menu_test'] < 2);
}
return $result->setCacheMaxAge(0);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
switch ($operation) {
case 'delete':
return AccessResult::allowedIf($account->hasPermission('administer feeds') && !$entity->isLocked());
default:
return AccessResult::allowedIfHasPermission($account, 'administer feeds');
}
}
/**
* Access callback; check if the module is configured.
*
* This function does not actually check whether Mollom keys are valid for the
* site, but just if the keys have been entered.
*
* @param $permission
* An optional permission string to check with \Drupal::currentUser()->hasPermission().
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
function access($permission = FALSE)
{
$configured = \Drupal::config('mollom.settings')->get('keys.public') && \Drupal::config('mollom.settings')->get('keys.private');
if ($configured && $permission) {
return AccessResult::allowedIfHasPermission($permission, \Drupal::currentUser());
} else {
return AccessResult::allowedIf($configured);
}
}
/**
* Checks that an entity is an event type.
*/
public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account)
{
if ($event = $route->getDefault('event')) {
$event = $route_match->getParameter($event);
if ($event instanceof EntityInterface) {
return AccessResult::allowedIf($this->eventManager->isEvent($event));
}
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
public function access(Route $route, AccountInterface $account, RouteMatchInterface $route_match, $entity_revision = NULL, $_entity_revision = NULL)
{
$entity = $_entity_revision ?: $this->extractEntityFromRouteMatch($route_match);
if ($entity_revision) {
$entity = $this->entityManager->getStorage($entity->getEntityTypeId())->loadRevision($entity_revision);
}
$operation = $route->getRequirement('_entity_access_revision');
list(, $operation) = explode('.', $operation, 2);
return AccessResult::allowedIf($entity && $this->checkAccess($entity, $account, $operation))->cachePerPermissions();
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
$access_result = AccessResult::allowedIfHasPermissions($account, ["create {$entity_bundle} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR');
if ($entity_bundle) {
$queue = EntityQueue::load($entity_bundle);
$access_result = AccessResult::allowedIf(!$queue->getHandlerPlugin()->hasAutomatedSubqueues());
}
return $access_result;
}
/**
* {@inheritdoc}
*/
public function access(NodeInterface $node, $operation, AccountInterface $account)
{
// Grants only support these operations.
if (!in_array($operation, ['view', 'update', 'delete'])) {
return AccessResult::neutral();
}
// If no module implements the hook or the node does not have an id there is
// no point in querying the database for access grants.
if (!$this->moduleHandler->getImplementations('node_grants') || !$node->id()) {
// Return the equivalent of the default grant, defined by
// self::writeDefault().
if ($operation === 'view') {
return AccessResult::allowedIf($node->isPublished())->addCacheableDependency($node);
} else {
return AccessResult::neutral();
}
}
// Check the database for potential access grants.
$query = $this->database->select('node_access');
$query->addExpression('1');
// Only interested for granting in the current operation.
$query->condition('grant_' . $operation, 1, '>=');
// Check for grants for this node and the correct langcode.
$nids = $query->andConditionGroup()->condition('nid', $node->id())->condition('langcode', $node->language()->getId());
// If the node is published, also take the default grant into account. The
// default is saved with a node ID of 0.
$status = $node->isPublished();
if ($status) {
$nids = $query->orConditionGroup()->condition($nids)->condition('nid', 0);
}
$query->condition($nids);
$query->range(0, 1);
$grants = static::buildGrantsQueryCondition(node_access_grants($operation, $account));
if (count($grants) > 0) {
$query->condition($grants);
}
// Only the 'view' node grant can currently be cached; the others currently
// don't have any cacheability metadata. Hopefully, we can add that in the
// future, which would allow this access check result to be cacheable in all
// cases. For now, this must remain marked as uncacheable, even when it is
// theoretically cacheable, because we don't have the necessary metadata to
// know it for a fact.
$set_cacheability = function (AccessResult $access_result) use($operation) {
$access_result->addCacheContexts(['user.node_grants:' . $operation]);
if ($operation !== 'view') {
$access_result->setCacheMaxAge(0);
}
return $access_result;
};
if ($query->execute()->fetchField()) {
return $set_cacheability(AccessResult::allowed());
} else {
return $set_cacheability(AccessResult::neutral());
}
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL)
{
$contact_type_is_active = empty($entity_bundle);
// Load the contact type entity.
if (!empty($entity_bundle)) {
/* @var \Drupal\crm_core_contact\Entity\ContactType $contact_type_entity */
$contact_type_entity = ContactType::load($entity_bundle);
$contact_type_is_active = $contact_type_entity->status();
}
return AccessResult::allowedIf($contact_type_is_active)->andIf(AccessResult::allowedIfHasPermissions($account, ['administer crm_core_contact entities', 'create crm_core_contact entities', 'create crm_core_contact entities of bundle ' . $entity_bundle], 'OR'));
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
// Check for status and set 'published' or 'unpublished'.
$status = $entity->status->value ? 'published' : 'unpublished';
return AccessResult::allowedIf($account->hasPermission('access content') && $account->hasPermission('view ' . $status . ' terms in ' . $entity->bundle()));
default:
return parent::checkAccess($entity, $operation, $account);
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($operation == 'view' || $operation == 'update') {
if ($account->hasPermission('administer tmgmt') || $account->hasPermission('administer translation tasks')) {
// Administrators can do everything.
return AccessResult::allowed()->cachePerPermissions();
}
return AccessResult::allowedIf($entity->getTask()->tuid->target_id == $account->id() && $account->hasPermission('provide translation services'));
}
return $entity->getTask()->access($operation, $account, TRUE);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($operation == 'view') {
// Do not allow access personal form via site-wide route.
return AccessResult::allowedIf($account->hasPermission('access site-wide contact form') && $entity->id() !== 'personal')->cachePerPermissions();
} elseif ($operation == 'delete' || $operation == 'update') {
// Do not allow the 'personal' form to be deleted, as it's used for
// the personal contact form.
return AccessResult::allowedIf($account->hasPermission('administer contact forms') && $entity->id() !== 'personal')->cachePerPermissions();
}
return parent::checkAccess($entity, $operation, $account);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'update':
return AccessResult::allowedIf($account->hasPermission('administer grade letters'))->cachePerPermissions()->cacheUntilEntityChanges($entity);
case 'delete':
return AccessResult::allowedIf($account->hasPermission('administer grade letters') && $entity->getGradeLetterSet() != 'default')->cachePerPermissions();
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
public function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
switch ($operation) {
case 'update':
case 'delete':
/* @var \Drupal\Core\Language\LanguageInterface $entity */
return AccessResult::allowedIf(!$entity->isLocked())->cacheUntilEntityChanges($entity)->andIf(parent::checkAccess($entity, $operation, $langcode, $account));
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* Checks access to the overview based on permissions and translatability.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, AccountInterface $account)
{
/** @var \Drupal\config_translation\ConfigMapperInterface $mapper */
$mapper = $this->configMapperManager->createInstance($route->getDefault('plugin_id'));
$this->sourceLanguage = $this->languageManager->getLanguage($mapper->getLangcode());
// Allow access to the translation overview if the proper permission is
// granted, the configuration has translatable pieces, and the source
// language is not locked if it is present.
$source_language_access = is_null($this->sourceLanguage) || !$this->sourceLanguage->isLocked();
$access = $account->hasPermission('translate configuration') && $mapper->hasSchema() && $mapper->hasTranslatable() && $source_language_access;
return AccessResult::allowedIf($access)->cachePerRole();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $paragraph, $operation, AccountInterface $account)
{
// Allowed when the operation is not view or the status is true.
/** @var \Drupal\paragraphs\Entity\Paragraph $paragraph */
if ($paragraph->getParentEntity() != NULL) {
// Delete permission on the paragraph, should just depend on 'update'
// access permissions on the parent.
$operation = $operation == 'delete' ? 'update' : $operation;
$parent_access = $paragraph->getParentEntity()->access($operation, $account, TRUE);
return AccessResult::allowedIf($operation != 'view' || $paragraph->status->value)->andIf($parent_access);
}
return AccessResult::allowedIf($operation != 'view' || $paragraph->status->value);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $payment_method_configuration, $operation, AccountInterface $account)
{
/** @var \Drupal\payment\Entity\PaymentMethodConfigurationInterface $payment_method_configuration */
if ($operation == 'enable') {
return AccessResult::allowedIf(!$payment_method_configuration->status())->andIf($this->access($payment_method_configuration, 'update', $account, TRUE))->cacheUntilEntityChanges($payment_method_configuration);
} elseif ($operation == 'disable') {
return AccessResult::allowedIf($payment_method_configuration->status())->andIf($this->access($payment_method_configuration, 'update', $account, TRUE))->cacheUntilEntityChanges($payment_method_configuration);
} elseif ($operation == 'duplicate') {
return $this->createAccess($payment_method_configuration->bundle(), $account, [], TRUE)->andIf($this->access($payment_method_configuration, 'view', $account, TRUE));
} else {
$permission_prefix = 'payment.payment_method_configuration.' . $operation;
return AccessResult::allowedIfHasPermission($account, $permission_prefix . '.any')->orIf(AccessResult::allowedIfHasPermission($account, $permission_prefix . '.own')->andIf(AccessResult::allowedIf($account->id() == $payment_method_configuration->getOwnerId())->addCacheableDependency($payment_method_configuration)));
}
}
/**
* {@inheritdoc}
*/
public function getTranslationAccess(EntityInterface $entity, $op)
{
// @todo Move this logic into a translation access control handler checking also
// the translation language and the given account.
$entity_type = $entity->getEntityType();
$translate_permission = TRUE;
// If no permission granularity is defined this entity type does not need an
// explicit translate permission.
$current_user = \Drupal::currentUser();
if (!$current_user->hasPermission('translate any entity') && ($permission_granularity = $entity_type->getPermissionGranularity())) {
$translate_permission = $current_user->hasPermission($permission_granularity == 'bundle' ? "translate {$entity->bundle()} {$entity->getEntityTypeId()}" : "translate {$entity->getEntityTypeId()}");
}
return AccessResult::allowedIf($translate_permission && $current_user->hasPermission("{$op} content translations"))->cachePerRole();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'update':
/* @var \Drupal\Core\Language\LanguageInterface $entity */
return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(parent::checkAccess($entity, $operation, $account));
case 'delete':
/* @var \Drupal\Core\Language\LanguageInterface $entity */
return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(AccessResult::allowedIf(!$entity->isDefault())->addCacheableDependency($entity))->andIf(parent::checkAccess($entity, $operation, $account));
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($operation === 'delete') {
return AccessResult::allowedIf($entity->isInactive());
} else {
if ($operation == 'abort') {
return AccessResult::allowedIf($entity->isActive() || $entity->isNeedsReview());
} else {
if ($entity->getJob()) {
return $entity->getJob()->access($operation, $account, TRUE);
}
}
}
}
/**
* {@inheritdoc}
*/
public function access(Route $route, AccountInterface $account, Request $request = NULL)
{
if (empty($request)) {
$request = $this->requestStack->getCurrentRequest();
}
$operation = $route->getRequirement('_entity_access_revision');
list(, $operation) = explode('.', $operation, 2);
if ($operation === 'list') {
$_entity = $request->attributes->get('_entity', $request->attributes->get($route->getOption('entity_type_id')));
return AccessResult::allowedIf($this->checkAccess($_entity, $account, $operation))->cachePerPermissions();
} else {
$_entity_revision = $request->attributes->get('_entity_revision');
return AccessResult::allowedIf($_entity_revision && $this->checkAccess($_entity_revision, $account, $operation))->cachePerPermissions();
}
}
/**
* Tests the method for checking access to routes.
*
* @param bool $entity_is_editable
* Whether the subject entity is editable.
* @param bool $field_storage_is_accessible
* Whether the user has access to the field storage entity.
* @param \Drupal\Core\Access\AccessResult $expected_result
* The expected result of the access call.
*
* @dataProvider providerTestAccess
*/
public function testAccess($entity_is_editable, $field_storage_is_accessible, AccessResult $expected_result)
{
$entity = $this->createMockEntity();
$entity->expects($this->any())->method('access')->willReturn(AccessResult::allowedIf($entity_is_editable)->cachePerPermissions());
$field_storage = $this->getMock('Drupal\\field\\FieldStorageConfigInterface');
$field_storage->expects($this->any())->method('access')->willReturn(AccessResult::allowedIf($field_storage_is_accessible));
$expected_result->cachePerPermissions();
$field_name = 'valid';
$entity_with_field = clone $entity;
$entity_with_field->expects($this->any())->method('get')->with($field_name)->will($this->returnValue($field_storage));
$entity_with_field->expects($this->once())->method('hasTranslation')->with(LanguageInterface::LANGCODE_NOT_SPECIFIED)->will($this->returnValue(TRUE));
$account = $this->getMock('Drupal\\Core\\Session\\AccountInterface');
$access = $this->editAccessCheck->access($entity_with_field, $field_name, LanguageInterface::LANGCODE_NOT_SPECIFIED, $account);
$this->assertEquals($expected_result, $access);
}
