/** * {@inheritdoc} * * When the $operation is 'add' then the $entity is of type 'profile_type', * otherwise $entity is of type 'profile'. */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { $account = $this->prepareUser($account); $user_page = \Drupal::request()->attributes->get('user'); // Some times, operation edit is called update. // Use edit in any case. if ($operation == 'update') { $operation = 'edit'; } // Check that if profile type has require roles, the user the profile is // being added to has any of the required roles. if ($entity->getEntityTypeId() == 'profile') { $profile_roles = ProfileType::load($entity->bundle())->getRoles(); $user_roles = $entity->getOwner()->getRoles(TRUE); if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) { return AccessResult::forbidden(); } } elseif ($entity->getEntityTypeId() == 'profile_type') { $profile_roles = $entity->getRoles(); $user_roles = User::load($user_page->id())->getRoles(TRUE); if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) { return AccessResult::forbidden(); } } if ($account->hasPermission('bypass profile access')) { return AccessResult::allowed()->cachePerPermissions(); } elseif ($operation == 'add' && ($user_page->id() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->id() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->id() . ' profile')) || $operation != 'add' && ($entity->getOwnerId() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->getType() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->getType() . ' profile'))) { return AccessResult::allowed()->cachePerPermissions(); } else { return AccessResult::forbidden()->cachePerPermissions(); } }
/** * {@inheritdoc} */ protected function blockAccess(AccountInterface $account) { if ($account->hasPermission('search content')) { return AccessResult::allowed(); } return AccessResult::forbidden(); }
public function access(AccountInterface $account) { if (!$account->id() == 1) { return AccessResult::forbidden(); } return AccessResult::allowed(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $payment, $operation, AccountInterface $account) { /** @var \Drupal\payment\Entity\PaymentInterface $payment */ if ($operation == 'update_status') { $payment_method = $payment->getPaymentMethod(); if ($payment_method instanceof PaymentMethodUpdatePaymentStatusInterface && !$payment_method->updatePaymentStatusAccess($account)) { return AccessResult::forbidden(); } } elseif ($operation == 'capture') { $payment_method = $payment->getPaymentMethod(); if ($payment_method instanceof PaymentMethodCapturePaymentInterface) { return AccessResult::allowedIf($payment_method instanceof PaymentMethodCapturePaymentInterface)->andIf(AccessResult::allowedIf($payment_method->capturePaymentAccess($account)))->andIf($this->checkAccessPermission($payment, $operation, $account)); } return AccessResult::forbidden(); } elseif ($operation == 'refund') { $payment_method = $payment->getPaymentMethod(); if ($payment_method instanceof PaymentMethodRefundPaymentInterface) { return AccessResult::allowedIf($payment_method->refundPaymentAccess($account))->andIf($this->checkAccessPermission($payment, $operation, $account)); } return AccessResult::forbidden(); } elseif ($operation == 'complete') { if ($payment->getPaymentMethod()) { return AccessResult::allowedIf($payment->getOwnerId() == $account->id())->orIf(AccessResult::forbiddenIf($payment->getPaymentMethod()->getPaymentExecutionResult()->isCompleted())); } else { return AccessResult::forbidden(); } } return $this->checkAccessPermission($payment, $operation, $account); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($account->hasPermission('administer tmgmt')) { // Administrators can do everything. return AccessResult::allowed()->cachePerPermissions(); } switch ($operation) { case 'view': case 'update': return AccessResult::allowedIfHasPermission($account, 'create translation jobs')->orIf(AccessResult::allowedIfHasPermission($account, 'accept translation jobs')); break; case 'delete': // Only administrators can delete jobs. return AccessResult::forbidden(); break; // Custom operations. // Custom operations. case 'submit': return AccessResult::allowedIfHasPermission($account, 'submit translation jobs'); break; case 'accept': return AccessResult::allowedIfHasPermission($account, 'accept translation jobs'); break; case 'abort': case 'resubmit': return AccessResult::allowedIfHasPermission($account, 'submit translation jobs'); break; } }
public function providerBlocksConfig() { $blocks_config = array('block1' => array(AccessResult::allowed(), 'top', 0), 'block2' => array(AccessResult::forbidden(), 'bottom', 0), 'block3' => array(AccessResult::allowed(), 'bottom', 5), 'block4' => array(AccessResult::allowed(), 'bottom', -5)); $test_cases = []; $test_cases[] = [$blocks_config, ['top' => ['block1'], 'center' => [], 'bottom' => ['block4', 'block3']]]; return $test_cases; }
/** * Checks Quick Edit access to the field. * * @param \Drupal\Core\Entity\EntityInterface $entity * The entity containing the field. * @param string $field_name * The field name. * @param string $langcode * The langcode. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. * * @todo Use the $account argument: https://www.drupal.org/node/2266809. */ public function access(EntityInterface $entity, $field_name, $langcode, AccountInterface $account) { if (!$this->validateRequestAttributes($entity, $field_name, $langcode)) { return AccessResult::forbidden(); } return $this->accessEditEntityField($entity, $field_name); }
/** * {@inheritdoc} */ public function access(Route $route, AccountInterface $account, NodeInterface $node = NULL) { if ($node->bundle() && \Drupal::config('webform.settings')->get('node_' . $node->bundle())) { return AccessResult::allowed(); } return AccessResult::forbidden(); }
/** * Checks access to the given user's contact page. * * @param \Drupal\user\UserInterface $user * The user being contacted. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(UserInterface $user, AccountInterface $account) { $contact_account = $user; // Anonymous users cannot have contact forms. if ($contact_account->isAnonymous()) { return AccessResult::forbidden(); } // Users may not contact themselves. if ($account->id() == $contact_account->id()) { return AccessResult::forbidden()->cachePerUser(); } // User administrators should always have access to personal contact forms. $access = AccessResult::neutral()->cachePerRole(); $permission_access = AccessResult::allowedIfHasPermission($account, 'administer users'); if ($permission_access->isAllowed()) { return $access->orIf($permission_access); } // If requested user has been blocked, do not allow users to contact them. $access->cacheUntilEntityChanges($contact_account); if ($contact_account->isBlocked()) { return $access; } // If the requested user has disabled their contact form, do not allow users // to contact them. $account_data = $this->userData->get('contact', $contact_account->id(), 'enabled'); if (isset($account_data) && empty($account_data)) { return $access; } else { if (!$this->configFactory->get('contact.settings')->get('user_default_enabled')) { return $access; } } return $access->orIf(AccessResult::allowedIfHasPermission($account, 'access user contact forms')); }
/** * Checks that there is a forward revision available. * * This checker assumes the presence of an '_entity_access' requirement key * in the same form as used by EntityAccessCheck. * * @see EntityAccessCheck. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parametrized route * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, RouteMatchInterface $route_match) { // This tab should not show up period unless there's a reason to show it. // @todo Do we need any extra cache tags here? $entity = $this->loadEntity($route, $route_match); return $this->moderationInfo->hasForwardRevision($entity) ? AccessResult::allowed()->addCacheableDependency($entity) : AccessResult::forbidden()->addCacheableDependency($entity); }
/** * Handles access to the rdf_entity proposal form. * * @param \Drupal\rdf_entity\RdfEntityTypeInterface $rdf_type * The RDF entity type for which the proposal form is built. * * @return \Drupal\Core\Access\AccessResult * The access result object. */ public function createAssetReleaseAccess(RdfEntityTypeInterface $rdf_type) { if (!in_array($rdf_type->id(), ['collection', 'solution'])) { return AccessResult::forbidden(); } return AccessResult::allowedIf($this->currentUser()->hasPermission("propose {$rdf_type->id()} rdf entity")); }
/** * Limit access to the Library between 9:00 and 18:30. * * @param \Drupal\Core\Session\AccountInterface $account */ public function accessLibrary(AccountInterface $account) { if (time() >= strtotime('today 9:00') && time() <= strtotime('today 18:30')) { return AccessResult::allowed(); } return AccessResult::forbidden(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\crm_core_contact\Entity\ContactType $entity */ // First check permission. if (parent::checkAccess($entity, $operation, $account)->isForbidden()) { return AccessResult::forbidden(); } switch ($operation) { case 'enable': // Only disabled contact type can be enabled. return AccessResult::allowedIf(!$entity->status()); case 'disable': return AccessResult::allowedIf($entity->status()); case 'delete': // If contact instance of this contact type exist, you can't delete it. $results = \Drupal::entityQuery('crm_core_contact')->condition('type', $entity->id())->execute(); return AccessResult::allowedIf(empty($results)); // @todo Which is it? // @todo Which is it? case 'edit': case 'update': // If the contact type is locked, you can't edit it. return AccessResult::allowed(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account) { /** @var \Drupal\filter\FilterFormatInterface $filter_format */ // All users are allowed to use the fallback filter. if ($operation == 'use') { if ($filter_format->isFallbackFormat()) { return AccessResult::allowed(); } else { return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName()); } } // The fallback format may not be disabled. if ($operation == 'disable' && $filter_format->isFallbackFormat()) { return AccessResult::forbidden(); } // We do not allow filter formats to be deleted through the UI, because that // would render any content that uses them unusable. if ($operation == 'delete') { return AccessResult::forbidden(); } if (in_array($operation, array('disable', 'update'))) { return parent::checkAccess($filter_format, $operation, $langcode, $account); } // No opinion. return AccessResult::neutral(); }
/** * Grants access only to UID 1. * * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(AccountInterface $account) { if ($account->id() == 1) { return AccessResult::allowed()->addCacheContexts(['user']); } return AccessResult::forbidden()->addCacheContexts(['user']); }
/** * {@inheritdoc} */ protected function blockAccess(AccountInterface $account) { if ($this->masquerade->isMasquerading()) { return AccessResult::forbidden()->addCacheContexts(['is_masquerading']); } // Display block for all users that has any of masquerade permissions. return AccessResult::allowedIfHasPermissions($account, $this->masquerade->getPermissions(), 'OR'); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $currency_locale, $operation, AccountInterface $account) { /** @var \Drupal\currency\Entity\CurrencyLocaleInterface $currency_locale */ if ($currency_locale->getLocale() == LocaleResolverInterface::DEFAULT_LOCALE && $operation == 'delete') { return AccessResult::forbidden(); } return AccessResult::allowedIfHasPermission($account, 'currency.currency_locale.' . $operation); }
/** * {@inheritdoc} */ protected function blockAccess(AccountInterface $account) { $route_name = $this->routeMatch->getRouteName(); if ($account->isAnonymous() && !in_array($route_name, array('user.login', 'user.logout'))) { return AccessResult::allowed()->addCacheContexts(['route.name', 'user.roles:anonymous']); } return AccessResult::forbidden(); }
/** * {@inheritdoc} */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { $installed_translators = $this->translatorManager->getLabels(); if (empty($installed_translators)) { return AccessResult::forbidden(); } return AccessResult::allowedIfHasPermission($account, 'administer tmgmt'); }
/** * {@inheritdoc} */ public function access($object, AccountInterface $account = NULL, $return_as_object = FALSE) { // Just deny access per default for now. if ($return_as_object) { return AccessResult::forbidden(); } return FALSE; }
/** * {@inheritdoc} */ public function access(Route $route) { if (\Drupal::moduleHandler()->moduleExists('contextual') && \Drupal::moduleHandler()->moduleExists('field_ui')) { return AccessResult::allowed(); } else { return AccessResult::forbidden(); } }
/** * Check if the filter is used for the given filter. * * @param \Drupal\Core\Routing\RouteMatchInterface $route * The route. * * @return \Drupal\Core\Access\AccessResult * An access result. */ public function access(RouteMatchInterface $route) { $filter = $route->getParameter('filter_format'); if (!$filter || empty($filter->filters()->get('video_embed_wysiwyg')->getConfiguration()['status'])) { return AccessResult::forbidden()->addCacheableDependency($filter); } return AccessResult::allowed()->addCacheableDependency($filter); }
/** * Tests the access() method with an invalid token. */ public function testAccessTokenFail() { $this->csrfToken->expects($this->once())->method('validate')->with('test_query', 'test-path')->will($this->returnValue(FALSE)); $this->routeMatch->expects($this->once())->method('getRawParameters')->will($this->returnValue(array())); $route = new Route('/test-path', array(), array('_csrf_token' => 'TRUE')); $request = Request::create('/test-path?token=test_query'); $this->assertEquals(AccessResult::forbidden()->setCacheable(FALSE), $this->accessCheck->access($route, $request, $this->routeMatch)); }
/** * Handles access to the solution add form through collection pages. * * @param \Drupal\rdf_entity\RdfInterface $rdf_entity * The RDF entity for which the solution is created. * * @return \Drupal\Core\Access\AccessResult * The access result object. */ public function createSolutionAccess(RdfInterface $rdf_entity) { $user = $this->currentUser(); if (empty($rdf_entity) && !$user->isAnonymous()) { return AccessResult::neutral(); } $membership = Og::getMembership($rdf_entity, $user); return !empty($membership) && $membership->hasPermission('create solution rdf_entity') ? AccessResult::allowed() : AccessResult::forbidden(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { // ZZ is the fallback address format and it must always be present. if ($operation == 'delete' && $entity->id() == 'ZZ') { return AccessResult::forbidden(); } else { return parent::checkAccess($entity, $operation, $account); } }
/** * {@inheritdoc} */ protected function blockAccess(AccountInterface $account) { if ($this->view->access($this->displayID)) { $access = AccessResult::allowed(); } else { $access = AccessResult::forbidden(); } return $access; }
/** * Checks new registrations are permitted on an event. */ public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account, RegistrationTypeInterface $registration_type = NULL) { if ($event = $route->getDefault('event')) { $context = ['event' => $route_match->getParameter($event)]; $access_control_handler = $this->entityManager->getAccessControlHandler('registration'); return $access_control_handler->createAccess($registration_type, $account, $context, TRUE); } return AccessResult::forbidden(); }
/** * Access control for the subscription settings user page. * * The user is checked for both global permissions and permissions to edit * his own subscriptions. * * @param \Drupal\Core\Entity\EntityInterface $user * The user object from the route. * * @return \Drupal\Core\Access\AccessResult * An access result object carrying the result of the check. */ public function access(EntityInterface $user) { if ($this->currentUser->hasPermission('manage all subscriptions')) { return AccessResult::allowed(); } elseif (!$this->currentUser->isAnonymous() && $this->currentUser->id() == $user->id() && $this->currentUser->hasPermission('manage own subscriptions')) { return AccessResult::allowed(); } return AccessResult::forbidden(); }
/** * {@inheritdoc} */ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) { // No user can edit the status of a file. Prevents saving a new file as // persistent before even validating it. if ($field_definition->getName() === 'status' && $operation === 'edit') { return AccessResult::forbidden(); } return parent::checkFieldAccess($operation, $field_definition, $account, $items); }
/** * Checks access to the route based on the _access parameter. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route) { if ($route->getRequirement('_access') === 'TRUE') { return AccessResult::allowed(); } elseif ($route->getRequirement('_access') === 'FALSE') { return AccessResult::forbidden(); } else { return AccessResult::neutral(); } }