/**
* {@inheritdoc}
*
* When the $operation is 'add' then the $entity is of type 'profile_type',
* otherwise $entity is of type 'profile'.
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
$account = $this->prepareUser($account);
$user_page = \Drupal::request()->attributes->get('user');
// Some times, operation edit is called update.
// Use edit in any case.
if ($operation == 'update') {
$operation = 'edit';
}
// Check that if profile type has require roles, the user the profile is
// being added to has any of the required roles.
if ($entity->getEntityTypeId() == 'profile') {
$profile_roles = ProfileType::load($entity->bundle())->getRoles();
$user_roles = $entity->getOwner()->getRoles(TRUE);
if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) {
return AccessResult::forbidden();
}
} elseif ($entity->getEntityTypeId() == 'profile_type') {
$profile_roles = $entity->getRoles();
$user_roles = User::load($user_page->id())->getRoles(TRUE);
if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) {
return AccessResult::forbidden();
}
}
if ($account->hasPermission('bypass profile access')) {
return AccessResult::allowed()->cachePerPermissions();
} elseif ($operation == 'add' && ($user_page->id() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->id() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->id() . ' profile')) || $operation != 'add' && ($entity->getOwnerId() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->getType() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->getType() . ' profile'))) {
return AccessResult::allowed()->cachePerPermissions();
} else {
return AccessResult::forbidden()->cachePerPermissions();
}
}
/**
* {@inheritdoc}
*/
protected function blockAccess(AccountInterface $account)
{
if ($account->hasPermission('search content')) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
public function access(AccountInterface $account)
{
if (!$account->id() == 1) {
return AccessResult::forbidden();
}
return AccessResult::allowed();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $payment, $operation, AccountInterface $account)
{
/** @var \Drupal\payment\Entity\PaymentInterface $payment */
if ($operation == 'update_status') {
$payment_method = $payment->getPaymentMethod();
if ($payment_method instanceof PaymentMethodUpdatePaymentStatusInterface && !$payment_method->updatePaymentStatusAccess($account)) {
return AccessResult::forbidden();
}
} elseif ($operation == 'capture') {
$payment_method = $payment->getPaymentMethod();
if ($payment_method instanceof PaymentMethodCapturePaymentInterface) {
return AccessResult::allowedIf($payment_method instanceof PaymentMethodCapturePaymentInterface)->andIf(AccessResult::allowedIf($payment_method->capturePaymentAccess($account)))->andIf($this->checkAccessPermission($payment, $operation, $account));
}
return AccessResult::forbidden();
} elseif ($operation == 'refund') {
$payment_method = $payment->getPaymentMethod();
if ($payment_method instanceof PaymentMethodRefundPaymentInterface) {
return AccessResult::allowedIf($payment_method->refundPaymentAccess($account))->andIf($this->checkAccessPermission($payment, $operation, $account));
}
return AccessResult::forbidden();
} elseif ($operation == 'complete') {
if ($payment->getPaymentMethod()) {
return AccessResult::allowedIf($payment->getOwnerId() == $account->id())->orIf(AccessResult::forbiddenIf($payment->getPaymentMethod()->getPaymentExecutionResult()->isCompleted()));
} else {
return AccessResult::forbidden();
}
}
return $this->checkAccessPermission($payment, $operation, $account);
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
if ($account->hasPermission('administer tmgmt')) {
// Administrators can do everything.
return AccessResult::allowed()->cachePerPermissions();
}
switch ($operation) {
case 'view':
case 'update':
return AccessResult::allowedIfHasPermission($account, 'create translation jobs')->orIf(AccessResult::allowedIfHasPermission($account, 'accept translation jobs'));
break;
case 'delete':
// Only administrators can delete jobs.
return AccessResult::forbidden();
break;
// Custom operations.
// Custom operations.
case 'submit':
return AccessResult::allowedIfHasPermission($account, 'submit translation jobs');
break;
case 'accept':
return AccessResult::allowedIfHasPermission($account, 'accept translation jobs');
break;
case 'abort':
case 'resubmit':
return AccessResult::allowedIfHasPermission($account, 'submit translation jobs');
break;
}
}
public function providerBlocksConfig()
{
$blocks_config = array('block1' => array(AccessResult::allowed(), 'top', 0), 'block2' => array(AccessResult::forbidden(), 'bottom', 0), 'block3' => array(AccessResult::allowed(), 'bottom', 5), 'block4' => array(AccessResult::allowed(), 'bottom', -5));
$test_cases = [];
$test_cases[] = [$blocks_config, ['top' => ['block1'], 'center' => [], 'bottom' => ['block4', 'block3']]];
return $test_cases;
}
/**
* Checks Quick Edit access to the field.
*
* @param \Drupal\Core\Entity\EntityInterface $entity
* The entity containing the field.
* @param string $field_name
* The field name.
* @param string $langcode
* The langcode.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*
* @todo Use the $account argument: https://www.drupal.org/node/2266809.
*/
public function access(EntityInterface $entity, $field_name, $langcode, AccountInterface $account)
{
if (!$this->validateRequestAttributes($entity, $field_name, $langcode)) {
return AccessResult::forbidden();
}
return $this->accessEditEntityField($entity, $field_name);
}
/**
* {@inheritdoc}
*/
public function access(Route $route, AccountInterface $account, NodeInterface $node = NULL)
{
if ($node->bundle() && \Drupal::config('webform.settings')->get('node_' . $node->bundle())) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
/**
* Checks access to the given user's contact page.
*
* @param \Drupal\user\UserInterface $user
* The user being contacted.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(UserInterface $user, AccountInterface $account)
{
$contact_account = $user;
// Anonymous users cannot have contact forms.
if ($contact_account->isAnonymous()) {
return AccessResult::forbidden();
}
// Users may not contact themselves.
if ($account->id() == $contact_account->id()) {
return AccessResult::forbidden()->cachePerUser();
}
// User administrators should always have access to personal contact forms.
$access = AccessResult::neutral()->cachePerRole();
$permission_access = AccessResult::allowedIfHasPermission($account, 'administer users');
if ($permission_access->isAllowed()) {
return $access->orIf($permission_access);
}
// If requested user has been blocked, do not allow users to contact them.
$access->cacheUntilEntityChanges($contact_account);
if ($contact_account->isBlocked()) {
return $access;
}
// If the requested user has disabled their contact form, do not allow users
// to contact them.
$account_data = $this->userData->get('contact', $contact_account->id(), 'enabled');
if (isset($account_data) && empty($account_data)) {
return $access;
} else {
if (!$this->configFactory->get('contact.settings')->get('user_default_enabled')) {
return $access;
}
}
return $access->orIf(AccessResult::allowedIfHasPermission($account, 'access user contact forms'));
}
/**
* Checks that there is a forward revision available.
*
* This checker assumes the presence of an '_entity_access' requirement key
* in the same form as used by EntityAccessCheck.
*
* @see EntityAccessCheck.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parametrized route
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, RouteMatchInterface $route_match)
{
// This tab should not show up period unless there's a reason to show it.
// @todo Do we need any extra cache tags here?
$entity = $this->loadEntity($route, $route_match);
return $this->moderationInfo->hasForwardRevision($entity) ? AccessResult::allowed()->addCacheableDependency($entity) : AccessResult::forbidden()->addCacheableDependency($entity);
}
/**
* Handles access to the rdf_entity proposal form.
*
* @param \Drupal\rdf_entity\RdfEntityTypeInterface $rdf_type
* The RDF entity type for which the proposal form is built.
*
* @return \Drupal\Core\Access\AccessResult
* The access result object.
*/
public function createAssetReleaseAccess(RdfEntityTypeInterface $rdf_type)
{
if (!in_array($rdf_type->id(), ['collection', 'solution'])) {
return AccessResult::forbidden();
}
return AccessResult::allowedIf($this->currentUser()->hasPermission("propose {$rdf_type->id()} rdf entity"));
}
/**
* Limit access to the Library between 9:00 and 18:30.
*
* @param \Drupal\Core\Session\AccountInterface $account
*/
public function accessLibrary(AccountInterface $account)
{
if (time() >= strtotime('today 9:00') && time() <= strtotime('today 18:30')) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
/** @var \Drupal\crm_core_contact\Entity\ContactType $entity */
// First check permission.
if (parent::checkAccess($entity, $operation, $account)->isForbidden()) {
return AccessResult::forbidden();
}
switch ($operation) {
case 'enable':
// Only disabled contact type can be enabled.
return AccessResult::allowedIf(!$entity->status());
case 'disable':
return AccessResult::allowedIf($entity->status());
case 'delete':
// If contact instance of this contact type exist, you can't delete it.
$results = \Drupal::entityQuery('crm_core_contact')->condition('type', $entity->id())->execute();
return AccessResult::allowedIf(empty($results));
// @todo Which is it?
// @todo Which is it?
case 'edit':
case 'update':
// If the contact type is locked, you can't edit it.
return AccessResult::allowed();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account)
{
/** @var \Drupal\filter\FilterFormatInterface $filter_format */
// All users are allowed to use the fallback filter.
if ($operation == 'use') {
if ($filter_format->isFallbackFormat()) {
return AccessResult::allowed();
} else {
return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName());
}
}
// The fallback format may not be disabled.
if ($operation == 'disable' && $filter_format->isFallbackFormat()) {
return AccessResult::forbidden();
}
// We do not allow filter formats to be deleted through the UI, because that
// would render any content that uses them unusable.
if ($operation == 'delete') {
return AccessResult::forbidden();
}
if (in_array($operation, array('disable', 'update'))) {
return parent::checkAccess($filter_format, $operation, $langcode, $account);
}
// No opinion.
return AccessResult::neutral();
}
/**
* Grants access only to UID 1.
*
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(AccountInterface $account)
{
if ($account->id() == 1) {
return AccessResult::allowed()->addCacheContexts(['user']);
}
return AccessResult::forbidden()->addCacheContexts(['user']);
}
/**
* {@inheritdoc}
*/
protected function blockAccess(AccountInterface $account)
{
if ($this->masquerade->isMasquerading()) {
return AccessResult::forbidden()->addCacheContexts(['is_masquerading']);
}
// Display block for all users that has any of masquerade permissions.
return AccessResult::allowedIfHasPermissions($account, $this->masquerade->getPermissions(), 'OR');
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $currency_locale, $operation, AccountInterface $account)
{
/** @var \Drupal\currency\Entity\CurrencyLocaleInterface $currency_locale */
if ($currency_locale->getLocale() == LocaleResolverInterface::DEFAULT_LOCALE && $operation == 'delete') {
return AccessResult::forbidden();
}
return AccessResult::allowedIfHasPermission($account, 'currency.currency_locale.' . $operation);
}
/**
* {@inheritdoc}
*/
protected function blockAccess(AccountInterface $account)
{
$route_name = $this->routeMatch->getRouteName();
if ($account->isAnonymous() && !in_array($route_name, array('user.login', 'user.logout'))) {
return AccessResult::allowed()->addCacheContexts(['route.name', 'user.roles:anonymous']);
}
return AccessResult::forbidden();
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL)
{
$installed_translators = $this->translatorManager->getLabels();
if (empty($installed_translators)) {
return AccessResult::forbidden();
}
return AccessResult::allowedIfHasPermission($account, 'administer tmgmt');
}
/**
* {@inheritdoc}
*/
public function access($object, AccountInterface $account = NULL, $return_as_object = FALSE)
{
// Just deny access per default for now.
if ($return_as_object) {
return AccessResult::forbidden();
}
return FALSE;
}
/**
* {@inheritdoc}
*/
public function access(Route $route) {
if (\Drupal::moduleHandler()->moduleExists('contextual') && \Drupal::moduleHandler()->moduleExists('field_ui')) {
return AccessResult::allowed();
}
else {
return AccessResult::forbidden();
}
}
/**
* Check if the filter is used for the given filter.
*
* @param \Drupal\Core\Routing\RouteMatchInterface $route
* The route.
*
* @return \Drupal\Core\Access\AccessResult
* An access result.
*/
public function access(RouteMatchInterface $route)
{
$filter = $route->getParameter('filter_format');
if (!$filter || empty($filter->filters()->get('video_embed_wysiwyg')->getConfiguration()['status'])) {
return AccessResult::forbidden()->addCacheableDependency($filter);
}
return AccessResult::allowed()->addCacheableDependency($filter);
}
/**
* Tests the access() method with an invalid token.
*/
public function testAccessTokenFail()
{
$this->csrfToken->expects($this->once())->method('validate')->with('test_query', 'test-path')->will($this->returnValue(FALSE));
$this->routeMatch->expects($this->once())->method('getRawParameters')->will($this->returnValue(array()));
$route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE'));
$request = Request::create('/test-path?token=test_query');
$this->assertEquals(AccessResult::forbidden()->setCacheable(FALSE), $this->accessCheck->access($route, $request, $this->routeMatch));
}
/**
* Handles access to the solution add form through collection pages.
*
* @param \Drupal\rdf_entity\RdfInterface $rdf_entity
* The RDF entity for which the solution is created.
*
* @return \Drupal\Core\Access\AccessResult
* The access result object.
*/
public function createSolutionAccess(RdfInterface $rdf_entity)
{
$user = $this->currentUser();
if (empty($rdf_entity) && !$user->isAnonymous()) {
return AccessResult::neutral();
}
$membership = Og::getMembership($rdf_entity, $user);
return !empty($membership) && $membership->hasPermission('create solution rdf_entity') ? AccessResult::allowed() : AccessResult::forbidden();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
// ZZ is the fallback address format and it must always be present.
if ($operation == 'delete' && $entity->id() == 'ZZ') {
return AccessResult::forbidden();
} else {
return parent::checkAccess($entity, $operation, $account);
}
}
/**
* {@inheritdoc}
*/
protected function blockAccess(AccountInterface $account)
{
if ($this->view->access($this->displayID)) {
$access = AccessResult::allowed();
} else {
$access = AccessResult::forbidden();
}
return $access;
}
/**
* Checks new registrations are permitted on an event.
*/
public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account, RegistrationTypeInterface $registration_type = NULL)
{
if ($event = $route->getDefault('event')) {
$context = ['event' => $route_match->getParameter($event)];
$access_control_handler = $this->entityManager->getAccessControlHandler('registration');
return $access_control_handler->createAccess($registration_type, $account, $context, TRUE);
}
return AccessResult::forbidden();
}
/**
* Access control for the subscription settings user page.
*
* The user is checked for both global permissions and permissions to edit
* his own subscriptions.
*
* @param \Drupal\Core\Entity\EntityInterface $user
* The user object from the route.
*
* @return \Drupal\Core\Access\AccessResult
* An access result object carrying the result of the check.
*/
public function access(EntityInterface $user)
{
if ($this->currentUser->hasPermission('manage all subscriptions')) {
return AccessResult::allowed();
} elseif (!$this->currentUser->isAnonymous() && $this->currentUser->id() == $user->id() && $this->currentUser->hasPermission('manage own subscriptions')) {
return AccessResult::allowed();
}
return AccessResult::forbidden();
}
/**
* {@inheritdoc}
*/
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL)
{
// No user can edit the status of a file. Prevents saving a new file as
// persistent before even validating it.
if ($field_definition->getName() === 'status' && $operation === 'edit') {
return AccessResult::forbidden();
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
/**
* Checks access to the route based on the _access parameter.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route)
{
if ($route->getRequirement('_access') === 'TRUE') {
return AccessResult::allowed();
} elseif ($route->getRequirement('_access') === 'FALSE') {
return AccessResult::forbidden();
} else {
return AccessResult::neutral();
}
}
