/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\entityqueue\EntitySubqueueInterface $entity */ switch ($operation) { case 'view': return AccessResult::allowedIfHasPermission($account, 'access content'); break; case 'update': return AccessResult::allowedIfHasPermissions($account, ["update {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR'); break; case 'delete': $can_delete_subqueue = AccessResult::allowedIf(!$entity->getQueue()->getHandlerPlugin()->hasAutomatedSubqueues()); $access_result = AccessResult ::allowedIfHasPermissions($account, ["delete {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR') ->andIf($can_delete_subqueue); return $access_result; break; default: // No opinion. return AccessResult::neutral(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': // There is no direct viewing of a menu link, but still for purposes of // content_translation we need a generic way to check access. return AccessResult::allowedIfHasPermission($account, 'administer menu'); case 'update': if (!$account->hasPermission('administer menu')) { return AccessResult::neutral()->cachePerPermissions(); } else { // If there is a URL, this is an external link so always accessible. $access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity); /** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */ // We allow access, but only if the link is accessible as well. if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) { $link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE); $access = $access->andIf($link_access); } return $access; } case 'delete': return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity); } }
/** * Checks access to the translation overview for the entity and bundle. * * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parametrized route. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * @param string $entity_type_id * The entity type ID. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(RouteMatchInterface $route_match, AccountInterface $account, $entity_type_id) { /* @var \Drupal\Core\Entity\ContentEntityInterface $entity */ $entity = $route_match->getParameter($entity_type_id); if ($entity && $entity->isTranslatable()) { // Get entity base info. $bundle = $entity->bundle(); // Get entity access callback. $definition = $this->entityManager->getDefinition($entity_type_id); $translation = $definition->get('translation'); $access_callback = $translation['content_translation']['access_callback']; $access = call_user_func($access_callback, $entity); if ($access->isAllowed()) { return $access; } // Check "translate any entity" permission. if ($account->hasPermission('translate any entity')) { return AccessResult::allowed()->cachePerPermissions()->inheritCacheability($access); } // Check per entity permission. $permission = "translate {$entity_type_id}"; if ($definition->getPermissionGranularity() == 'bundle') { $permission = "translate {$bundle} {$entity_type_id}"; } return AccessResult::allowedIfHasPermission($account, $permission)->inheritCacheability($access); } // No opinion. return AccessResult::neutral(); }
/** * Checks configuration permission. * * @param AccountInterface $account * (optional) The user for which to check access, or NULL to check access * for the current user. Defaults to NULL. * @param bool $return_as_object * (optional) Defaults to FALSE. * * @return bool|\Drupal\Core\Access\AccessResultInterface * The access result. Returns a boolean if $return_as_object is FALSE (this * is the default) and otherwise an AccessResultInterface object. * When a boolean is returned, the result of AccessInterface::isAllowed() is * returned, i.e. TRUE means access is explicitly allowed, FALSE means * access is either explicitly forbidden or "no opinion". */ public function checkConfigurationAccess(AccountInterface $account = NULL, $return_as_object = FALSE) { if (!$account) { $account = \Drupal::currentUser(); } // We treat these as our "super-user" accesses. We let the reaction // rule and component permissions control the main admin UI. $admin_perms = ['administer rules', 'bypass rules access']; $access = FALSE; foreach ($admin_perms as $perm) { if ($account->hasPermission($perm)) { $access = TRUE; break; } } if (!$access) { // See if the plugin has a configuration_access annotation. $definition = $this->getPluginDefinition(); if (!empty($definition['configure_permissions']) && is_array($definition['configure_permissions'])) { foreach ($definition['configure_permissions'] as $perm) { if ($account->hasPermission($perm)) { $access = TRUE; break; } } } } if ($return_as_object) { return $access ? AccessResult::allowed() : AccessResult::neutral(); } return $access; }
/** * Checks access to the given user's contact page. * * @param \Drupal\user\UserInterface $user * The user being contacted. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(UserInterface $user, AccountInterface $account) { $contact_account = $user; // Anonymous users cannot have contact forms. if ($contact_account->isAnonymous()) { return AccessResult::forbidden(); } // Users may not contact themselves. if ($account->id() == $contact_account->id()) { return AccessResult::forbidden()->cachePerUser(); } // User administrators should always have access to personal contact forms. $access = AccessResult::neutral()->cachePerRole(); $permission_access = AccessResult::allowedIfHasPermission($account, 'administer users'); if ($permission_access->isAllowed()) { return $access->orIf($permission_access); } // If requested user has been blocked, do not allow users to contact them. $access->cacheUntilEntityChanges($contact_account); if ($contact_account->isBlocked()) { return $access; } // If the requested user has disabled their contact form, do not allow users // to contact them. $account_data = $this->userData->get('contact', $contact_account->id(), 'enabled'); if (isset($account_data) && empty($account_data)) { return $access; } else { if (!$this->configFactory->get('contact.settings')->get('user_default_enabled')) { return $access; } } return $access->orIf(AccessResult::allowedIfHasPermission($account, 'access user contact forms')); }
/** * Checks access to create an entity of any bundle for the given route. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parameterized route. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account) { $entity_type_id = $route->getRequirement($this->requirementsKey); $entity_type = $this->entityTypeManager->getDefinition($entity_type_id); $access_control_handler = $this->entityTypeManager->getAccessControlHandler($entity_type_id); // In case there is no "bundle" entity key, check create access with no // bundle specified. if (!$entity_type->hasKey('bundle')) { return $access_control_handler->createAccess(NULL, $account, [], TRUE); } $access = AccessResult::neutral(); $bundles = array_keys($this->entityTypeBundleInfo->getBundleInfo($entity_type_id)); // Include list cache tag as access might change if more bundles are added. if ($entity_type->getBundleEntityType()) { $access->addCacheTags($this->entityTypeManager->getDefinition($entity_type->getBundleEntityType())->getListCacheTags()); // Check if the user is allowed to create new bundles. If so, allow // access, so the add page can show a link to create one. // @see \Drupal\Core\Entity\Controller\EntityController::addPage() $bundle_access_control_handler = $this->entityTypeManager->getAccessControlHandler($entity_type->getBundleEntityType()); $access = $access->orIf($bundle_access_control_handler->createAccess(NULL, $account, [], TRUE)); if ($access->isAllowed()) { return $access; } } // Check whether an entity of any bundle may be created. foreach ($bundles as $bundle) { $access = $access->orIf($access_control_handler->createAccess($bundle, $account, [], TRUE)); // In case there is a least one bundle user can create entities for, // access is allowed. if ($access->isAllowed()) { break; } } return $access; }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\file\FileInterface $entity */ if ($operation == 'download' || $operation == 'view') { if (\Drupal::service('file_system')->uriScheme($entity->getFileUri()) === 'public') { // Always allow access to file in public file system. return AccessResult::allowed(); } elseif ($references = $this->getFileReferences($entity)) { foreach ($references as $field_name => $entity_map) { foreach ($entity_map as $referencing_entity_type => $referencing_entities) { /** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */ foreach ($referencing_entities as $referencing_entity) { $entity_and_field_access = $referencing_entity->access('view', $account, TRUE)->andIf($referencing_entity->{$field_name}->access('view', $account, TRUE)); if ($entity_and_field_access->isAllowed()) { return $entity_and_field_access; } } } } } elseif ($entity->getOwnerId() == $account->id()) { // This case handles new nodes, or detached files. The user who uploaded // the file can always access if it's not yet used. return AccessResult::allowed(); } } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ public function access($node, AccountInterface $account = NULL, $return_as_object = FALSE) { if ($node->hasField('simplenews_issue') && $node->simplenews_issue->target_id != NULL) { return AccessResult::allowedIfHasPermission($account, 'administer newsletters')->orIf(AccessResult::allowedIfHasPermission($account, 'send newsletter')); } return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account) { /** @var \Drupal\filter\FilterFormatInterface $filter_format */ // All users are allowed to use the fallback filter. if ($operation == 'use') { if ($filter_format->isFallbackFormat()) { return AccessResult::allowed(); } else { return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName()); } } // The fallback format may not be disabled. if ($operation == 'disable' && $filter_format->isFallbackFormat()) { return AccessResult::forbidden(); } // We do not allow filter formats to be deleted through the UI, because that // would render any content that uses them unusable. if ($operation == 'delete') { return AccessResult::forbidden(); } if (in_array($operation, array('disable', 'update'))) { return parent::checkAccess($filter_format, $operation, $langcode, $account); } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { /** @var \Drupal\user\UserInterface $entity*/ // The anonymous user's profile can neither be viewed, updated nor deleted. if ($entity->isAnonymous()) { return AccessResult::forbidden(); } // Administrators can view/update/delete all user profiles. if ($account->hasPermission('administer users')) { return AccessResult::allowed()->cachePerRole(); } switch ($operation) { case 'view': // Only allow view access if the account is active. if ($account->hasPermission('access user profiles') && $entity->isActive()) { return AccessResult::allowed()->cachePerRole()->cacheUntilEntityChanges($entity); } else { if ($account->id() == $entity->id()) { return AccessResult::allowed()->cachePerUser(); } } break; case 'update': // Users can always edit their own account. return AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser(); case 'delete': // Users with 'cancel account' permission can cancel their own account. return AccessResult::allowedIf($account->id() == $entity->id() && $account->hasPermission('cancel account'))->cachePerRole()->cachePerUser(); } // No opinion. return AccessResult::neutral(); }
/** * Provides test data for testAccess. * * @return array */ public function providerTestAccess() { $no_access = AccessResult::neutral()->cachePerPermissions(); $access = AccessResult::allowed()->cachePerPermissions(); $no_access_due_to_errors = AccessResult::neutral(); return array(array('', 'entity_test', $no_access, $no_access), array('', 'entity_test', $access, $access), array('test_entity', 'entity_test:test_entity', $access, $access), array('test_entity', 'entity_test:test_entity', $no_access, $no_access), array('test_entity', 'entity_test:{bundle_argument}', $access, $access), array('test_entity', 'entity_test:{bundle_argument}', $no_access, $no_access), array('', 'entity_test:{bundle_argument}', $no_access, $no_access_due_to_errors), array('', 'entity_test:{bundle_argument}', $access, $no_access_due_to_errors)); }
/** * Node access callback. * * @param \Drupal\node\NodeInterface $node * @param $op * @param \Drupal\Core\Session\AccountInterface $account * @return \Drupal\Core\Access\AccessResult */ public function nodeAccessRegistration(\Drupal\node\NodeInterface $node, $op, \Drupal\Core\Session\AccountInterface $account) { if ($op == 'view') { return $this->canViewRegistration($node, $account); } return \Drupal\Core\Access\AccessResult::neutral(); }
/** * Tests the method for checking access to routes. * * @dataProvider providerTestAccess */ public function testAccess($entity_bundle, $requirement, $access, $expected, $expect_permission_context = TRUE) { // Set up the access result objects for allowing or denying access. $access_result = $access ? AccessResult::allowed()->cachePerPermissions() : AccessResult::neutral()->cachePerPermissions(); $expected_access_result = $expected ? AccessResult::allowed() : AccessResult::neutral(); if ($expect_permission_context) { $expected_access_result->cachePerPermissions(); } $entity_manager = $this->getMock('Drupal\\Core\\Entity\\EntityManagerInterface'); // Don't expect a call to the access control handler when we have a bundle // argument requirement but no bundle is provided. if ($entity_bundle || strpos($requirement, '{') === FALSE) { $access_control_handler = $this->getMock('Drupal\\Core\\Entity\\EntityAccessControlHandlerInterface'); $access_control_handler->expects($this->once())->method('createAccess')->with($entity_bundle)->will($this->returnValue($access_result)); $entity_manager->expects($this->any())->method('getAccessControlHandler')->will($this->returnValue($access_control_handler)); } $applies_check = new EntityCreateAccessCheck($entity_manager); $route = $this->getMockBuilder('Symfony\\Component\\Routing\\Route')->disableOriginalConstructor()->getMock(); $route->expects($this->any())->method('getRequirement')->with('_entity_create_access')->will($this->returnValue($requirement)); $raw_variables = new ParameterBag(); if ($entity_bundle) { $raw_variables->set('bundle_argument', $entity_bundle); } $route_match = $this->getMock('Drupal\\Core\\Routing\\RouteMatchInterface'); $route_match->expects($this->any())->method('getRawParameters')->will($this->returnValue($raw_variables)); $account = $this->getMock('Drupal\\Core\\Session\\AccountInterface'); $this->assertEquals($expected_access_result, $applies_check->access($route, $route_match, $account)); }
/** * {@inheritdoc} */ public function executePaymentAccess(PaymentInterface $payment, PaymentMethodInterface $payment_method, AccountInterface $account) { $access = AccessResult::neutral(); foreach ($this->eventDispatchers as $event_dispatcher) { $access = $access->orIf($event_dispatcher->executePaymentAccess($payment, $payment_method, $account)); } return $access; }
/** * {@inheritdoc} */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { if ($shortcut_set = $this->shortcutSetStorage->load($entity_bundle)) { return shortcut_set_edit_access($shortcut_set, $account); } // @todo Fix this bizarre code: how can a shortcut exist without a shortcut // set? The above if-test is unnecessary. See https://www.drupal.org/node/2339903. return AccessResult::neutral(); }
/** * {@inheritdoc} */ public function menuLinkAccess(AccountInterface $account, MenuLinkInterface $menu_link_plugin = NULL) { $permission = 'administer ' . $menu_link_plugin->getMenuName() . ' menu items'; $permissions = $this::getPerMenuPermissions($account); if ($account->hasPermission('administer menu') || isset($permissions[$permission])) { return AccessResult::allowed(); } return AccessResult::neutral(); }
/** * Handles access to the solution add form through collection pages. * * @param \Drupal\rdf_entity\RdfInterface $rdf_entity * The RDF entity for which the solution is created. * * @return \Drupal\Core\Access\AccessResult * The access result object. */ public function createSolutionAccess(RdfInterface $rdf_entity) { $user = $this->currentUser(); if (empty($rdf_entity) && !$user->isAnonymous()) { return AccessResult::neutral(); } $membership = Og::getMembership($rdf_entity, $user); return !empty($membership) && $membership->hasPermission('create solution rdf_entity') ? AccessResult::allowed() : AccessResult::forbidden(); }
/** * Provides test data for testAccess(). * * @see \Drupal\Tests\edit\Unit\quickedit\Access\EditEntityFieldAccessCheckTest::testAccess() */ public function providerTestAccess() { $data = array(); $data[] = array(TRUE, TRUE, AccessResult::allowed()); $data[] = array(FALSE, TRUE, AccessResult::neutral()); $data[] = array(TRUE, FALSE, AccessResult::neutral()); $data[] = array(FALSE, FALSE, AccessResult::neutral()); return $data; }
/** * Test the access method. */ public function testAccess() { $request = new Request(array()); $route = new Route('/test-route', array(), array('_access' => 'NULL')); $this->assertEquals(AccessResult::neutral(), $this->accessChecker->access($route, $request, $this->account)); $route = new Route('/test-route', array(), array('_access' => 'FALSE')); $this->assertEquals(AccessResult::forbidden(), $this->accessChecker->access($route, $request, $this->account)); $route = new Route('/test-route', array(), array('_access' => 'TRUE')); $this->assertEquals(AccessResult::allowed(), $this->accessChecker->access($route, $request, $this->account)); }
/** * Checks access to the route based on the _access parameter. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route) { if ($route->getRequirement('_access') === 'TRUE') { return AccessResult::allowed(); } elseif ($route->getRequirement('_access') === 'FALSE') { return AccessResult::forbidden(); } else { return AccessResult::neutral(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { $account = $this->prepareUser($account); $child = $entity instanceof RuleInterface ? $entity : $entity->getRule(); if ($child instanceof EntityInterface) { /** @var $child RuleInterface|\Drupal\rng\RuleComponentInterface */ return $child->getEvent()->access('manage event', $account, TRUE); } return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': case 'update': case 'delete': return AccessResult::allowedIfHasPermission($account, 'administer pdfs'); default: return AccessResult::neutral(); } }
/** * Checks that an entity is an event type. */ public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account) { if ($event = $route->getDefault('event')) { $event = $route_match->getParameter($event); if ($event instanceof EntityInterface) { return AccessResult::allowedIf($this->eventManager->isEvent($event)); } } return AccessResult::neutral(); }
/** * {@inheritdoc} * * @param \Drupal\rng\GroupInterface $entity * A group entity. */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { $account = $this->prepareUser($account); $event = $entity->getEvent(); if (!$entity->isUserGenerated() && $operation == 'delete') { return AccessResult::forbidden(); } if ($event) { return $event->access('manage event', $account, TRUE); } return AccessResult::neutral(); }
/** * {@inheritdoc} */ public function access(AccountInterface $account) { // @todo Perhaps read config directly rather than load all feed types. $access_control_handler = $this->entityManager->getAccessControlHandler('feeds_feed'); foreach ($this->entityManager->getStorage('feeds_feed_type')->loadByProperties(['status' => TRUE]) as $feed_type) { $access = $access_control_handler->createAccess($feed_type->id(), $account, [], TRUE); if ($access->isAllowed()) { return $access; } } return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'update': return AccessResult::allowedIf($account->hasPermission('administer grade letters'))->cachePerPermissions()->cacheUntilEntityChanges($entity); case 'delete': return AccessResult::allowedIf($account->hasPermission('administer grade letters') && $entity->getGradeLetterSet() != 'default')->cachePerPermissions(); default: // No opinion. return AccessResult::neutral(); } }
/** * {@inheritdoc} */ public function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { switch ($operation) { case 'update': case 'delete': /* @var \Drupal\Core\Language\LanguageInterface $entity */ return AccessResult::allowedIf(!$entity->isLocked())->cacheUntilEntityChanges($entity)->andIf(parent::checkAccess($entity, $operation, $langcode, $account)); default: // No opinion. return AccessResult::neutral(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { if ($operation === 'view') { if ($langcode != LanguageInterface::LANGCODE_DEFAULT) { return AccessResult::allowedIfHasPermission($account, 'view test entity translations'); } return AccessResult::allowedIfHasPermission($account, 'view test entity'); } elseif (in_array($operation, array('update', 'delete'))) { return AccessResult::allowedIfHasPermission($account, 'administer entity_test content'); } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': return AccessResult::allowedIfHasPermission($account, 'access content'); case 'update': return AccessResult::allowedIfHasPermissions($account, ["edit terms in {$entity->bundle()}", 'administer taxonomy'], 'OR'); case 'delete': return AccessResult::allowedIfHasPermissions($account, ["delete terms in {$entity->bundle()}", 'administer taxonomy'], 'OR'); default: // No opinion. return AccessResult::neutral(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'update': /* @var \Drupal\Core\Language\LanguageInterface $entity */ return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(parent::checkAccess($entity, $operation, $account)); case 'delete': /* @var \Drupal\Core\Language\LanguageInterface $entity */ return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(AccessResult::allowedIf(!$entity->isDefault())->addCacheableDependency($entity))->andIf(parent::checkAccess($entity, $operation, $account)); default: // No opinion. return AccessResult::neutral(); } }