/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
// There is no direct viewing of a menu link, but still for purposes of
// content_translation we need a generic way to check access.
return AccessResult::allowedIfHasPermission($account, 'administer menu');
case 'update':
if (!$account->hasPermission('administer menu')) {
return AccessResult::neutral()->cachePerPermissions();
} else {
// If there is a URL, this is an external link so always accessible.
$access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
/** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */
// We allow access, but only if the link is accessible as well.
if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
$link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE);
$access = $access->andIf($link_access);
}
return $access;
}
case 'delete':
return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity);
}
}
/**
* Checks access to the translation overview for the entity and bundle.
*
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parametrized route.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param string $entity_type_id
* The entity type ID.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(RouteMatchInterface $route_match, AccountInterface $account, $entity_type_id)
{
/* @var \Drupal\Core\Entity\ContentEntityInterface $entity */
$entity = $route_match->getParameter($entity_type_id);
if ($entity && $entity->isTranslatable()) {
// Get entity base info.
$bundle = $entity->bundle();
// Get entity access callback.
$definition = $this->entityManager->getDefinition($entity_type_id);
$translation = $definition->get('translation');
$access_callback = $translation['content_translation']['access_callback'];
$access = call_user_func($access_callback, $entity);
if ($access->isAllowed()) {
return $access;
}
// Check "translate any entity" permission.
if ($account->hasPermission('translate any entity')) {
return AccessResult::allowed()->cachePerPermissions()->inheritCacheability($access);
}
// Check per entity permission.
$permission = "translate {$entity_type_id}";
if ($definition->getPermissionGranularity() == 'bundle') {
$permission = "translate {$bundle} {$entity_type_id}";
}
return AccessResult::allowedIfHasPermission($account, $permission)->inheritCacheability($access);
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($entity->getOwnerId() == $account->id()) {
return AccessResult::allowedIfHasPermission($account, $operation . ' own ' . $entity->bundle() . ' entity');
}
return AccessResult::allowedIfHasPermission($account, $operation . ' any ' . $entity->bundle() . ' entity');
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
/** @var \Drupal\entityqueue\EntitySubqueueInterface $entity */
switch ($operation) {
case 'view':
return AccessResult::allowedIfHasPermission($account, 'access content');
break;
case 'update':
return AccessResult::allowedIfHasPermissions($account, ["update {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR');
break;
case 'delete':
$can_delete_subqueue = AccessResult::allowedIf(!$entity->getQueue()->getHandlerPlugin()->hasAutomatedSubqueues());
$access_result = AccessResult
::allowedIfHasPermissions($account, ["delete {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR')
->andIf($can_delete_subqueue);
return $access_result;
break;
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($operation === 'view') {
return AccessResult::allowedIfHasPermission($account, 'access content');
}
return parent::checkAccess($entity, $operation, $account);
}
/**
* {@inheritdoc}
*
* Separate from the checkAccess because the entity does not yet exist, it
* will be created during the 'add' process.
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL)
{
if ($entity_bundle) {
return AccessResult::allowedIfHasPermission($account, 'create ' . $entity_bundle . ' rdf entity');
}
return AccessResult::allowedIfHasPermission($account, 'add rdf entity');
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account)
{
/** @var \Drupal\filter\FilterFormatInterface $filter_format */
// All users are allowed to use the fallback filter.
if ($operation == 'use') {
if ($filter_format->isFallbackFormat()) {
return AccessResult::allowed();
} else {
return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName());
}
}
// The fallback format may not be disabled.
if ($operation == 'disable' && $filter_format->isFallbackFormat()) {
return AccessResult::forbidden();
}
// We do not allow filter formats to be deleted through the UI, because that
// would render any content that uses them unusable.
if ($operation == 'delete') {
return AccessResult::forbidden();
}
if (in_array($operation, array('disable', 'update'))) {
return parent::checkAccess($filter_format, $operation, $langcode, $account);
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
public function access($node, AccountInterface $account = NULL, $return_as_object = FALSE)
{
if ($node->hasField('simplenews_issue') && $node->simplenews_issue->target_id != NULL) {
return AccessResult::allowedIfHasPermission($account, 'administer newsletters')->orIf(AccessResult::allowedIfHasPermission($account, 'send newsletter'));
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL)
{
$installed_translators = $this->translatorManager->getLabels();
if (empty($installed_translators)) {
return AccessResult::forbidden();
}
return AccessResult::allowedIfHasPermission($account, 'administer tmgmt');
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
$access = parent::checkAccess($entity, $operation, $account);
if ($operation === 'view') {
$access = $access->orIf(AccessResult::allowedIfHasPermission($account, 'access ' . $entity->getEntityTypeId()));
}
return $access;
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
switch ($operation) {
case 'delete':
return AccessResult::allowedIf($account->hasPermission('administer feeds') && !$entity->isLocked());
default:
return AccessResult::allowedIfHasPermission($account, 'administer feeds');
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
$admin_access = parent::checkAccess($entity, $operation, $account);
// Allow view with other permission.
if ($operation === 'view') {
return AccessResult::allowedIfHasPermission($account, 'view moderation states')->orIf($admin_access);
}
return $admin_access;
}
/**
* Access callback; check if the module is configured.
*
* This function does not actually check whether Mollom keys are valid for the
* site, but just if the keys have been entered.
*
* @param $permission
* An optional permission string to check with \Drupal::currentUser()->hasPermission().
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
function access($permission = FALSE)
{
$configured = \Drupal::config('mollom.settings')->get('keys.public') && \Drupal::config('mollom.settings')->get('keys.private');
if ($configured && $permission) {
return AccessResult::allowedIfHasPermission($permission, \Drupal::currentUser());
} else {
return AccessResult::allowedIf($configured);
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
switch ($operation) {
case 'view':
case 'update':
case 'delete':
return AccessResult::allowedIfHasPermission($account, 'administer pdfs');
default:
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
return AccessResult::allowedIfHasPermission($account, 'access content');
break;
default:
return parent::checkAccess($entity, $operation, $account);
break;
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
if ($operation == 'delete') {
$field_storage_entity = $entity->getFieldStorageDefinition();
if ($field_storage_entity->isLocked()) {
return AccessResult::forbidden()->cacheUntilEntityChanges($field_storage_entity);
} else {
return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->entity_type . ' fields')->cacheUntilEntityChanges($field_storage_entity);
}
}
return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->entity_type . ' fields');
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($operation == 'delete') {
$field_storage_entity = $entity->getFieldStorageDefinition();
if ($field_storage_entity->isLocked()) {
return AccessResult::forbidden()->addCacheableDependency($field_storage_entity);
} else {
return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->getTargetEntityTypeId() . ' fields')->addCacheableDependency($field_storage_entity);
}
}
return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->getTargetEntityTypeId() . ' fields');
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
return AccessResult::allowedIfHasPermission($account, 'view scheduled update entities');
break;
case 'delete':
return parent::checkAccess($entity, $operation, $account)->cacheUntilEntityChanges($entity);
break;
default:
return parent::checkAccess($entity, $operation, $account);
break;
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'create':
case 'update':
return AccessResult::allowedIfHasPermission($account, 'administer site configuration');
case 'delete':
if ($entity->isLocked()) {
return AccessResult::forbidden();
}
return AccessResult::allowedIfHasPermission($account, 'administer site configuration');
}
return parent::checkAccess($entity, $operation, $account);
}
/**
* {@inheritdoc}
*/
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL)
{
if ($operation == 'edit') {
// Only users with the "administer comments" permission can edit
// administrative fields.
$administrative_fields = array('uid', 'status', 'created', 'date');
if (in_array($field_definition->getName(), $administrative_fields, TRUE)) {
return AccessResult::allowedIfHasPermission($account, 'administer comments');
}
// No user can change read-only fields.
$read_only_fields = array('hostname', 'uuid', 'cid', 'thread', 'comment_type', 'pid', 'entity_id', 'entity_type', 'field_name');
if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
return AccessResult::forbidden();
}
// If the field is configured to accept anonymous contact details - admins
// can edit name, homepage and mail. Anonymous users can also fill in the
// fields on comment creation.
if (in_array($field_definition->getName(), ['name', 'mail', 'homepage'], TRUE)) {
if (!$items) {
// We cannot make a decision about access to edit these fields if we
// don't have any items and therefore cannot determine the Comment
// entity. In this case we err on the side of caution and prevent edit
// access.
return AccessResult::forbidden();
}
/** @var \Drupal\comment\CommentInterface $entity */
$entity = $items->getEntity();
$commented_entity = $entity->getCommentedEntity();
$anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous');
$admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
$anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && $anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT && $account->hasPermission('post comments'))->cachePerPermissions()->cacheUntilEntityChanges($entity)->cacheUntilEntityChanges($field_definition->getConfig($commented_entity->bundle()))->cacheUntilEntityChanges($commented_entity);
return $admin_access->orIf($anonymous_access);
}
}
if ($operation == 'view') {
$entity = $items ? $items->getEntity() : NULL;
// Admins can view any fields except hostname, other users need both the
// "access comments" permission and for the comment to be published. The
// mail field is hidden from non-admins.
$admin_access = AccessResult::allowedIf($account->hasPermission('administer comments') && $field_definition->getName() != 'hostname')->cachePerPermissions();
$anonymous_access = AccessResult::allowedIf($account->hasPermission('access comments') && (!$entity || $entity->isPublished()) && !in_array($field_definition->getName(), array('mail', 'hostname'), TRUE))->cachePerPermissions();
if ($entity) {
$anonymous_access->cacheUntilEntityChanges($entity);
}
return $admin_access->orIf($anonymous_access);
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
switch ($operation) {
case 'view':
$url_string = $entity->context->value;
$decoded_url = rawurldecode($url_string);
return $this->accessHelper->canGeneratePdfFromUrlString($decoded_url, $account);
case 'update':
return AccessResult::forbidden();
case 'delete':
return AccessResult::allowedIfHasPermission($account, 'administer pdfs');
}
return AccessResult::allowed();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
return AccessResult::allowedIfHasPermission($account, 'access content');
case 'delete':
if ($entity->isLocked()) {
return AccessResult::forbidden()->addCacheableDependency($entity);
} else {
return parent::checkAccess($entity, $operation, $account)->addCacheableDependency($entity);
}
break;
default:
return parent::checkAccess($entity, $operation, $account);
}
}
/**
* {@inheritdoc}
*/
protected function blockAccess(AccountInterface $account)
{
$access = AccessResult::allowedIfHasPermission($account, 'access content');
if ($account->hasPermission('access content')) {
$daytop = $this->configuration['top_day_num'];
if (!$daytop || !($result = statistics_title_list('daycount', $daytop)) || !($this->day_list = node_title_list($result, $this->t("Today's:")))) {
return AccessResult::forbidden()->inheritCacheability($access);
}
$alltimetop = $this->configuration['top_all_num'];
if (!$alltimetop || !($result = statistics_title_list('totalcount', $alltimetop)) || !($this->all_time_list = node_title_list($result, $this->t('All time:')))) {
return AccessResult::forbidden()->inheritCacheability($access);
}
$lasttop = $this->configuration['top_last_num'];
if (!$lasttop || !($result = statistics_title_list('timestamp', $lasttop)) || !($this->last_list = node_title_list($result, $this->t('Last viewed:')))) {
return AccessResult::forbidden()->inheritCacheability($access);
}
return $access;
}
return AccessResult::forbidden()->inheritCacheability($access);
}
/**
* {@inheritdoc}
*/
public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE)
{
if ($operation === 'edit') {
// Only users with administer comments permission can edit the comment
// status field.
$result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'administer comments');
return $return_as_object ? $result : $result->isAllowed();
}
if ($operation === 'view') {
// Only users with either post comments or access comments permisison can
// view the field value. The formatter,
// Drupal\comment\Plugin\Field\FieldFormatter\CommentDefaultFormatter,
// takes care of showing the thread and form based on individual
// permissions, so if a user only has ‘post comments’ access, only the
// form will be shown and not the comments.
$result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'access comments')->orIf(AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'post comments'));
return $return_as_object ? $result : $result->isAllowed();
}
return parent::access($operation, $account, $return_as_object);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
/** @var \Drupal\entity_test\Entity\EntityTest $entity */
// Always forbid access to entities with the label 'forbid_access', used for
// \Drupal\system\Tests\Entity\EntityAccessHControlandlerTest::testDefaultEntityAccess().
if ($entity->label() == 'forbid_access') {
return AccessResult::forbidden();
}
if ($operation === 'view label' && $entity instanceof EntityTestLabel) {
// Viewing the label of the 'entity_test_label' entity type is allowed.
return AccessResult::allowed();
} elseif (in_array($operation, array('view', 'view label'))) {
if (!$entity->isDefaultTranslation()) {
return AccessResult::allowedIfHasPermission($account, 'view test entity translations');
}
return AccessResult::allowedIfHasPermission($account, 'view test entity');
} elseif (in_array($operation, array('update', 'delete'))) {
return AccessResult::allowedIfHasPermission($account, 'administer entity_test content');
}
// No opinion.
return AccessResult::neutral();
}
/**
* Controls access to a support ticket.
*
* Modules may implement this hook if they want to have a say in whether or not
* a given user has access to perform a given operation on a support ticket.
*
* Note that not all modules will want to influence access on all support ticket
* types. If your module does not want to explicitly allow or forbid access,
* return an AccessResultInterface object with neither isAllowed() nor
* isForbidden() equaling TRUE. Blindly returning an object with isForbidden()
* equaling TRUE will break other support ticket access modules.
*
* @param \Drupal\support_ticket\SupportTicketInterface|string $support_ticket
* Either a support ticket entity or the machine name of the content type on
* which to perform the access check.
* @param string $op
* The operation to be performed. Possible values:
* - "create"
* - "delete"
* - "update"
* - "view"
* @param \Drupal\Core\Session\AccountInterface $account
* The user object to perform the access check operation on.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*
* @ingroup support_ticket_access
*/
function hook_support_ticket_access(\Drupal\support_ticket\SupportTicketInterface $support_ticket, $op, \Drupal\Core\Session\AccountInterface $account)
{
$type = $support_ticket->bundle();
switch ($op) {
case 'create':
return AccessResult::allowedIfHasPermission($account, 'create ' . $type . ' ticket');
case 'update':
if ($account->hasPermission('edit any ' . $type . ' ticket')) {
return AccessResult::allowed()->cachePerPermissions();
} else {
return AccessResult::allowedIf($account->hasPermission('edit own ' . $type . ' ticket') && $account->id() == $support_ticket->getOwnerId())->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($support_ticket);
}
case 'delete':
if ($account->hasPermission('delete any ' . $type . ' ticket')) {
return AccessResult::allowed()->cachePerPermissions();
} else {
return AccessResult::allowedIf($account->hasPermission('delete own ' . $type . ' ticket') && $account->id() == $support_ticket->getOwnerId())->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($support_ticket);
}
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* Checks access to the form mode.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parametrized route.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param string $form_mode_name
* (optional) The form mode. Defaults to 'default'.
* @param string $bundle
* (optional) The bundle. Different entity types can have different names
* for their bundle key, so if not specified on the route via a {bundle}
* parameter, the access checker determines the appropriate key name, and
* gets the value from the corresponding request attribute. For example,
* for nodes, the bundle key is "node_type", so the value would be
* available via the {node_type} parameter rather than a {bundle}
* parameter.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account, $form_mode_name = 'default', $bundle = NULL)
{
$access = AccessResult::neutral();
if ($entity_type_id = $route->getDefault('entity_type_id')) {
if (empty($bundle)) {
$entity_type = $this->entityManager->getDefinition($entity_type_id);
$bundle = $route_match->getRawParameter($entity_type->getBundleEntityType());
}
$visibility = FALSE;
if ($form_mode_name == 'default') {
$visibility = TRUE;
} elseif ($entity_display = $this->entityManager->getStorage('entity_form_display')->load($entity_type_id . '.' . $bundle . '.' . $form_mode_name)) {
$visibility = $entity_display->status();
}
if ($form_mode_name != 'default' && $entity_display) {
$access->addCacheableDependency($entity_display);
}
if ($visibility) {
$permission = $route->getRequirement('_field_ui_form_mode_access');
$access = $access->orIf(AccessResult::allowedIfHasPermission($account, $permission));
}
}
return $access;
}
/**
* Control access to fields.
*
* This hook is invoked from
* \Drupal\Core\Entity\EntityAccessControlHandler::fieldAccess() to let modules
* grant or deny operations on fields.
*
* @param string $operation
* The operation to be performed. See
* \Drupal\Core\Access\AccessibleInterface::access() for possible values.
* @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
* The field definition.
* @param \Drupal\Core\Session\AccountInterface $account
* The user account to check.
* @param \Drupal\Core\Field\FieldItemListInterface $items
* (optional) The entity field object on which the operation is to be
* performed.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
function hook_entity_field_access($operation, \Drupal\Core\Field\FieldDefinitionInterface $field_definition, \Drupal\Core\Session\AccountInterface $account, \Drupal\Core\Field\FieldItemListInterface $items = NULL)
{
if ($field_definition->getName() == 'field_of_interest' && $operation == 'edit') {
return AccessResult::allowedIfHasPermission($account, 'update field of interest');
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE)
{
$result = AccessResult::allowedIfHasPermission($account, 'access content');
return $return_as_object ? $result : $result->isAllowed();
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL)
{
return AccessResult::allowedIfHasPermission($account, 'add log entities');
}
