/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
/** @var \Drupal\entityqueue\EntitySubqueueInterface $entity */
switch ($operation) {
case 'view':
return AccessResult::allowedIfHasPermission($account, 'access content');
break;
case 'update':
return AccessResult::allowedIfHasPermissions($account, ["update {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR');
break;
case 'delete':
$can_delete_subqueue = AccessResult::allowedIf(!$entity->getQueue()->getHandlerPlugin()->hasAutomatedSubqueues());
$access_result = AccessResult
::allowedIfHasPermissions($account, ["delete {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR')
->andIf($can_delete_subqueue);
return $access_result;
break;
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
// There is no direct viewing of a menu link, but still for purposes of
// content_translation we need a generic way to check access.
return AccessResult::allowedIfHasPermission($account, 'administer menu');
case 'update':
if (!$account->hasPermission('administer menu')) {
return AccessResult::neutral()->cachePerPermissions();
} else {
// If there is a URL, this is an external link so always accessible.
$access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
/** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */
// We allow access, but only if the link is accessible as well.
if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
$link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE);
$access = $access->andIf($link_access);
}
return $access;
}
case 'delete':
return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity);
}
}
/**
* Checks access to the translation overview for the entity and bundle.
*
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parametrized route.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
* @param string $entity_type_id
* The entity type ID.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(RouteMatchInterface $route_match, AccountInterface $account, $entity_type_id)
{
/* @var \Drupal\Core\Entity\ContentEntityInterface $entity */
$entity = $route_match->getParameter($entity_type_id);
if ($entity && $entity->isTranslatable()) {
// Get entity base info.
$bundle = $entity->bundle();
// Get entity access callback.
$definition = $this->entityManager->getDefinition($entity_type_id);
$translation = $definition->get('translation');
$access_callback = $translation['content_translation']['access_callback'];
$access = call_user_func($access_callback, $entity);
if ($access->isAllowed()) {
return $access;
}
// Check "translate any entity" permission.
if ($account->hasPermission('translate any entity')) {
return AccessResult::allowed()->cachePerPermissions()->inheritCacheability($access);
}
// Check per entity permission.
$permission = "translate {$entity_type_id}";
if ($definition->getPermissionGranularity() == 'bundle') {
$permission = "translate {$bundle} {$entity_type_id}";
}
return AccessResult::allowedIfHasPermission($account, $permission)->inheritCacheability($access);
}
// No opinion.
return AccessResult::neutral();
}
/**
* Checks configuration permission.
*
* @param AccountInterface $account
* (optional) The user for which to check access, or NULL to check access
* for the current user. Defaults to NULL.
* @param bool $return_as_object
* (optional) Defaults to FALSE.
*
* @return bool|\Drupal\Core\Access\AccessResultInterface
* The access result. Returns a boolean if $return_as_object is FALSE (this
* is the default) and otherwise an AccessResultInterface object.
* When a boolean is returned, the result of AccessInterface::isAllowed() is
* returned, i.e. TRUE means access is explicitly allowed, FALSE means
* access is either explicitly forbidden or "no opinion".
*/
public function checkConfigurationAccess(AccountInterface $account = NULL, $return_as_object = FALSE)
{
if (!$account) {
$account = \Drupal::currentUser();
}
// We treat these as our "super-user" accesses. We let the reaction
// rule and component permissions control the main admin UI.
$admin_perms = ['administer rules', 'bypass rules access'];
$access = FALSE;
foreach ($admin_perms as $perm) {
if ($account->hasPermission($perm)) {
$access = TRUE;
break;
}
}
if (!$access) {
// See if the plugin has a configuration_access annotation.
$definition = $this->getPluginDefinition();
if (!empty($definition['configure_permissions']) && is_array($definition['configure_permissions'])) {
foreach ($definition['configure_permissions'] as $perm) {
if ($account->hasPermission($perm)) {
$access = TRUE;
break;
}
}
}
}
if ($return_as_object) {
return $access ? AccessResult::allowed() : AccessResult::neutral();
}
return $access;
}
/**
* Checks access to the given user's contact page.
*
* @param \Drupal\user\UserInterface $user
* The user being contacted.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(UserInterface $user, AccountInterface $account)
{
$contact_account = $user;
// Anonymous users cannot have contact forms.
if ($contact_account->isAnonymous()) {
return AccessResult::forbidden();
}
// Users may not contact themselves.
if ($account->id() == $contact_account->id()) {
return AccessResult::forbidden()->cachePerUser();
}
// User administrators should always have access to personal contact forms.
$access = AccessResult::neutral()->cachePerRole();
$permission_access = AccessResult::allowedIfHasPermission($account, 'administer users');
if ($permission_access->isAllowed()) {
return $access->orIf($permission_access);
}
// If requested user has been blocked, do not allow users to contact them.
$access->cacheUntilEntityChanges($contact_account);
if ($contact_account->isBlocked()) {
return $access;
}
// If the requested user has disabled their contact form, do not allow users
// to contact them.
$account_data = $this->userData->get('contact', $contact_account->id(), 'enabled');
if (isset($account_data) && empty($account_data)) {
return $access;
} else {
if (!$this->configFactory->get('contact.settings')->get('user_default_enabled')) {
return $access;
}
}
return $access->orIf(AccessResult::allowedIfHasPermission($account, 'access user contact forms'));
}
/**
* Checks access to create an entity of any bundle for the given route.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
* @param \Drupal\Core\Routing\RouteMatchInterface $route_match
* The parameterized route.
* @param \Drupal\Core\Session\AccountInterface $account
* The currently logged in account.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account)
{
$entity_type_id = $route->getRequirement($this->requirementsKey);
$entity_type = $this->entityTypeManager->getDefinition($entity_type_id);
$access_control_handler = $this->entityTypeManager->getAccessControlHandler($entity_type_id);
// In case there is no "bundle" entity key, check create access with no
// bundle specified.
if (!$entity_type->hasKey('bundle')) {
return $access_control_handler->createAccess(NULL, $account, [], TRUE);
}
$access = AccessResult::neutral();
$bundles = array_keys($this->entityTypeBundleInfo->getBundleInfo($entity_type_id));
// Include list cache tag as access might change if more bundles are added.
if ($entity_type->getBundleEntityType()) {
$access->addCacheTags($this->entityTypeManager->getDefinition($entity_type->getBundleEntityType())->getListCacheTags());
// Check if the user is allowed to create new bundles. If so, allow
// access, so the add page can show a link to create one.
// @see \Drupal\Core\Entity\Controller\EntityController::addPage()
$bundle_access_control_handler = $this->entityTypeManager->getAccessControlHandler($entity_type->getBundleEntityType());
$access = $access->orIf($bundle_access_control_handler->createAccess(NULL, $account, [], TRUE));
if ($access->isAllowed()) {
return $access;
}
}
// Check whether an entity of any bundle may be created.
foreach ($bundles as $bundle) {
$access = $access->orIf($access_control_handler->createAccess($bundle, $account, [], TRUE));
// In case there is a least one bundle user can create entities for,
// access is allowed.
if ($access->isAllowed()) {
break;
}
}
return $access;
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
/** @var \Drupal\file\FileInterface $entity */
if ($operation == 'download' || $operation == 'view') {
if (\Drupal::service('file_system')->uriScheme($entity->getFileUri()) === 'public') {
// Always allow access to file in public file system.
return AccessResult::allowed();
} elseif ($references = $this->getFileReferences($entity)) {
foreach ($references as $field_name => $entity_map) {
foreach ($entity_map as $referencing_entity_type => $referencing_entities) {
/** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */
foreach ($referencing_entities as $referencing_entity) {
$entity_and_field_access = $referencing_entity->access('view', $account, TRUE)->andIf($referencing_entity->{$field_name}->access('view', $account, TRUE));
if ($entity_and_field_access->isAllowed()) {
return $entity_and_field_access;
}
}
}
}
} elseif ($entity->getOwnerId() == $account->id()) {
// This case handles new nodes, or detached files. The user who uploaded
// the file can always access if it's not yet used.
return AccessResult::allowed();
}
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
public function access($node, AccountInterface $account = NULL, $return_as_object = FALSE)
{
if ($node->hasField('simplenews_issue') && $node->simplenews_issue->target_id != NULL) {
return AccessResult::allowedIfHasPermission($account, 'administer newsletters')->orIf(AccessResult::allowedIfHasPermission($account, 'send newsletter'));
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account)
{
/** @var \Drupal\filter\FilterFormatInterface $filter_format */
// All users are allowed to use the fallback filter.
if ($operation == 'use') {
if ($filter_format->isFallbackFormat()) {
return AccessResult::allowed();
} else {
return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName());
}
}
// The fallback format may not be disabled.
if ($operation == 'disable' && $filter_format->isFallbackFormat()) {
return AccessResult::forbidden();
}
// We do not allow filter formats to be deleted through the UI, because that
// would render any content that uses them unusable.
if ($operation == 'delete') {
return AccessResult::forbidden();
}
if (in_array($operation, array('disable', 'update'))) {
return parent::checkAccess($filter_format, $operation, $langcode, $account);
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
/** @var \Drupal\user\UserInterface $entity*/
// The anonymous user's profile can neither be viewed, updated nor deleted.
if ($entity->isAnonymous()) {
return AccessResult::forbidden();
}
// Administrators can view/update/delete all user profiles.
if ($account->hasPermission('administer users')) {
return AccessResult::allowed()->cachePerRole();
}
switch ($operation) {
case 'view':
// Only allow view access if the account is active.
if ($account->hasPermission('access user profiles') && $entity->isActive()) {
return AccessResult::allowed()->cachePerRole()->cacheUntilEntityChanges($entity);
} else {
if ($account->id() == $entity->id()) {
return AccessResult::allowed()->cachePerUser();
}
}
break;
case 'update':
// Users can always edit their own account.
return AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser();
case 'delete':
// Users with 'cancel account' permission can cancel their own account.
return AccessResult::allowedIf($account->id() == $entity->id() && $account->hasPermission('cancel account'))->cachePerRole()->cachePerUser();
}
// No opinion.
return AccessResult::neutral();
}
/**
* Provides test data for testAccess.
*
* @return array
*/
public function providerTestAccess()
{
$no_access = AccessResult::neutral()->cachePerPermissions();
$access = AccessResult::allowed()->cachePerPermissions();
$no_access_due_to_errors = AccessResult::neutral();
return array(array('', 'entity_test', $no_access, $no_access), array('', 'entity_test', $access, $access), array('test_entity', 'entity_test:test_entity', $access, $access), array('test_entity', 'entity_test:test_entity', $no_access, $no_access), array('test_entity', 'entity_test:{bundle_argument}', $access, $access), array('test_entity', 'entity_test:{bundle_argument}', $no_access, $no_access), array('', 'entity_test:{bundle_argument}', $no_access, $no_access_due_to_errors), array('', 'entity_test:{bundle_argument}', $access, $no_access_due_to_errors));
}
/**
* Node access callback.
*
* @param \Drupal\node\NodeInterface $node
* @param $op
* @param \Drupal\Core\Session\AccountInterface $account
* @return \Drupal\Core\Access\AccessResult
*/
public function nodeAccessRegistration(\Drupal\node\NodeInterface $node, $op, \Drupal\Core\Session\AccountInterface $account)
{
if ($op == 'view') {
return $this->canViewRegistration($node, $account);
}
return \Drupal\Core\Access\AccessResult::neutral();
}
/**
* Tests the method for checking access to routes.
*
* @dataProvider providerTestAccess
*/
public function testAccess($entity_bundle, $requirement, $access, $expected, $expect_permission_context = TRUE)
{
// Set up the access result objects for allowing or denying access.
$access_result = $access ? AccessResult::allowed()->cachePerPermissions() : AccessResult::neutral()->cachePerPermissions();
$expected_access_result = $expected ? AccessResult::allowed() : AccessResult::neutral();
if ($expect_permission_context) {
$expected_access_result->cachePerPermissions();
}
$entity_manager = $this->getMock('Drupal\\Core\\Entity\\EntityManagerInterface');
// Don't expect a call to the access control handler when we have a bundle
// argument requirement but no bundle is provided.
if ($entity_bundle || strpos($requirement, '{') === FALSE) {
$access_control_handler = $this->getMock('Drupal\\Core\\Entity\\EntityAccessControlHandlerInterface');
$access_control_handler->expects($this->once())->method('createAccess')->with($entity_bundle)->will($this->returnValue($access_result));
$entity_manager->expects($this->any())->method('getAccessControlHandler')->will($this->returnValue($access_control_handler));
}
$applies_check = new EntityCreateAccessCheck($entity_manager);
$route = $this->getMockBuilder('Symfony\\Component\\Routing\\Route')->disableOriginalConstructor()->getMock();
$route->expects($this->any())->method('getRequirement')->with('_entity_create_access')->will($this->returnValue($requirement));
$raw_variables = new ParameterBag();
if ($entity_bundle) {
$raw_variables->set('bundle_argument', $entity_bundle);
}
$route_match = $this->getMock('Drupal\\Core\\Routing\\RouteMatchInterface');
$route_match->expects($this->any())->method('getRawParameters')->will($this->returnValue($raw_variables));
$account = $this->getMock('Drupal\\Core\\Session\\AccountInterface');
$this->assertEquals($expected_access_result, $applies_check->access($route, $route_match, $account));
}
/**
* {@inheritdoc}
*/
public function executePaymentAccess(PaymentInterface $payment, PaymentMethodInterface $payment_method, AccountInterface $account)
{
$access = AccessResult::neutral();
foreach ($this->eventDispatchers as $event_dispatcher) {
$access = $access->orIf($event_dispatcher->executePaymentAccess($payment, $payment_method, $account));
}
return $access;
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL)
{
if ($shortcut_set = $this->shortcutSetStorage->load($entity_bundle)) {
return shortcut_set_edit_access($shortcut_set, $account);
}
// @todo Fix this bizarre code: how can a shortcut exist without a shortcut
// set? The above if-test is unnecessary. See https://www.drupal.org/node/2339903.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
public function menuLinkAccess(AccountInterface $account, MenuLinkInterface $menu_link_plugin = NULL)
{
$permission = 'administer ' . $menu_link_plugin->getMenuName() . ' menu items';
$permissions = $this::getPerMenuPermissions($account);
if ($account->hasPermission('administer menu') || isset($permissions[$permission])) {
return AccessResult::allowed();
}
return AccessResult::neutral();
}
/**
* Handles access to the solution add form through collection pages.
*
* @param \Drupal\rdf_entity\RdfInterface $rdf_entity
* The RDF entity for which the solution is created.
*
* @return \Drupal\Core\Access\AccessResult
* The access result object.
*/
public function createSolutionAccess(RdfInterface $rdf_entity)
{
$user = $this->currentUser();
if (empty($rdf_entity) && !$user->isAnonymous()) {
return AccessResult::neutral();
}
$membership = Og::getMembership($rdf_entity, $user);
return !empty($membership) && $membership->hasPermission('create solution rdf_entity') ? AccessResult::allowed() : AccessResult::forbidden();
}
/**
* Provides test data for testAccess().
*
* @see \Drupal\Tests\edit\Unit\quickedit\Access\EditEntityFieldAccessCheckTest::testAccess()
*/
public function providerTestAccess()
{
$data = array();
$data[] = array(TRUE, TRUE, AccessResult::allowed());
$data[] = array(FALSE, TRUE, AccessResult::neutral());
$data[] = array(TRUE, FALSE, AccessResult::neutral());
$data[] = array(FALSE, FALSE, AccessResult::neutral());
return $data;
}
/**
* Test the access method.
*/
public function testAccess()
{
$request = new Request(array());
$route = new Route('/test-route', array(), array('_access' => 'NULL'));
$this->assertEquals(AccessResult::neutral(), $this->accessChecker->access($route, $request, $this->account));
$route = new Route('/test-route', array(), array('_access' => 'FALSE'));
$this->assertEquals(AccessResult::forbidden(), $this->accessChecker->access($route, $request, $this->account));
$route = new Route('/test-route', array(), array('_access' => 'TRUE'));
$this->assertEquals(AccessResult::allowed(), $this->accessChecker->access($route, $request, $this->account));
}
/**
* Checks access to the route based on the _access parameter.
*
* @param \Symfony\Component\Routing\Route $route
* The route to check against.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/
public function access(Route $route)
{
if ($route->getRequirement('_access') === 'TRUE') {
return AccessResult::allowed();
} elseif ($route->getRequirement('_access') === 'FALSE') {
return AccessResult::forbidden();
} else {
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
$account = $this->prepareUser($account);
$child = $entity instanceof RuleInterface ? $entity : $entity->getRule();
if ($child instanceof EntityInterface) {
/** @var $child RuleInterface|\Drupal\rng\RuleComponentInterface */
return $child->getEvent()->access('manage event', $account, TRUE);
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
switch ($operation) {
case 'view':
case 'update':
case 'delete':
return AccessResult::allowedIfHasPermission($account, 'administer pdfs');
default:
return AccessResult::neutral();
}
}
/**
* Checks that an entity is an event type.
*/
public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account)
{
if ($event = $route->getDefault('event')) {
$event = $route_match->getParameter($event);
if ($event instanceof EntityInterface) {
return AccessResult::allowedIf($this->eventManager->isEvent($event));
}
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*
* @param \Drupal\rng\GroupInterface $entity
* A group entity.
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
$account = $this->prepareUser($account);
$event = $entity->getEvent();
if (!$entity->isUserGenerated() && $operation == 'delete') {
return AccessResult::forbidden();
}
if ($event) {
return $event->access('manage event', $account, TRUE);
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
public function access(AccountInterface $account)
{
// @todo Perhaps read config directly rather than load all feed types.
$access_control_handler = $this->entityManager->getAccessControlHandler('feeds_feed');
foreach ($this->entityManager->getStorage('feeds_feed_type')->loadByProperties(['status' => TRUE]) as $feed_type) {
$access = $access_control_handler->createAccess($feed_type->id(), $account, [], TRUE);
if ($access->isAllowed()) {
return $access;
}
}
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'update':
return AccessResult::allowedIf($account->hasPermission('administer grade letters'))->cachePerPermissions()->cacheUntilEntityChanges($entity);
case 'delete':
return AccessResult::allowedIf($account->hasPermission('administer grade letters') && $entity->getGradeLetterSet() != 'default')->cachePerPermissions();
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
public function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
switch ($operation) {
case 'update':
case 'delete':
/* @var \Drupal\Core\Language\LanguageInterface $entity */
return AccessResult::allowedIf(!$entity->isLocked())->cacheUntilEntityChanges($entity)->andIf(parent::checkAccess($entity, $operation, $langcode, $account));
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account)
{
if ($operation === 'view') {
if ($langcode != LanguageInterface::LANGCODE_DEFAULT) {
return AccessResult::allowedIfHasPermission($account, 'view test entity translations');
}
return AccessResult::allowedIfHasPermission($account, 'view test entity');
} elseif (in_array($operation, array('update', 'delete'))) {
return AccessResult::allowedIfHasPermission($account, 'administer entity_test content');
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'view':
return AccessResult::allowedIfHasPermission($account, 'access content');
case 'update':
return AccessResult::allowedIfHasPermissions($account, ["edit terms in {$entity->bundle()}", 'administer taxonomy'], 'OR');
case 'delete':
return AccessResult::allowedIfHasPermissions($account, ["delete terms in {$entity->bundle()}", 'administer taxonomy'], 'OR');
default:
// No opinion.
return AccessResult::neutral();
}
}
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account)
{
switch ($operation) {
case 'update':
/* @var \Drupal\Core\Language\LanguageInterface $entity */
return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(parent::checkAccess($entity, $operation, $account));
case 'delete':
/* @var \Drupal\Core\Language\LanguageInterface $entity */
return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(AccessResult::allowedIf(!$entity->isDefault())->addCacheableDependency($entity))->andIf(parent::checkAccess($entity, $operation, $account));
default:
// No opinion.
return AccessResult::neutral();
}
}
