Esempio n. 1
 /**
  * Checks the expected values of user tokens across several account states.
  *
  * Covers an account with an uploaded picture, the same account after one role
  * and the picture field are removed, the 'current-user' token type, and an
  * anonymous session. assertTokens() is defined outside this listing;
  * presumably it compares generated token values with the expected ones.
  */
 function testUserTokens()
 {
     // Add a user picture to the account.
     $image = current($this->drupalGetTestFiles('image'));
     $edit = array('files[user_picture_0]' => drupal_realpath($image->uri));
     $this->drupalPostForm('user/' . $this->account->id() . '/edit', $edit, t('Save'));
     $storage = \Drupal::entityManager()->getStorage('user');
     // Load actual user data from database.
     $storage->resetCache();
     $this->account = $storage->load($this->account->id());
     // A non-empty target_id on the picture field is taken as proof of upload.
     $this->assertTrue(!empty($this->account->user_picture->target_id), 'User picture uploaded.');
     $picture = ['#theme' => 'user_picture', '#account' => $this->account];
     /** @var \Drupal\Core\Render\RendererInterface $renderer */
     $renderer = \Drupal::service('renderer');
     // Expected values for the 'user' token type. 'ip-address' is expected to
     // be NULL here; a real address is only expected for 'current-user' below.
     $user_tokens = array('picture' => $renderer->render($picture), 'picture:fid' => $this->account->user_picture->target_id, 'picture:size-raw' => 125, 'ip-address' => NULL, 'roles' => implode(', ', $this->account->getRoles()));
     $this->assertTokens('user', array('user' => $this->account), $user_tokens);
     // Remove the simpletest-created user role (the last entry returned by
     // getRoles()).
     $roles = $this->account->getRoles();
     $this->account->removeRole(end($roles));
     $this->account->save();
     // Remove the user picture field and reload the user.
     FieldStorageConfig::loadByName('user', 'user_picture')->delete();
     $storage->resetCache();
     $this->account = $storage->load($this->account->id());
     // With the field and the extra role gone, the picture tokens are expected
     // to be NULL and only the 'authenticated' role is expected to remain.
     $user_tokens = array('picture' => NULL, 'picture:fid' => NULL, 'ip-address' => NULL, 'roles' => 'authenticated', 'roles:keys' => (string) DRUPAL_AUTHENTICATED_RID);
     $this->assertTokens('user', array('user' => $this->account), $user_tokens);
     // The ip address token should work for the current user token type: the
     // expected value is the client IP of the current request.
     $tokens = array('ip-address' => \Drupal::request()->getClientIp());
     $this->assertTokens('current-user', array(), $tokens);
     // An anonymous session is expected to report only the 'anonymous' role.
     $anonymous = new AnonymousUserSession();
     $tokens = array('roles' => 'anonymous', 'roles:keys' => (string) DRUPAL_ANONYMOUS_RID);
     $this->assertTokens('user', array('user' => $anonymous), $tokens);
 }
 /**
  * {@inheritdoc}
  *
  * Cached by role, invalidated whenever permissions change.
  */
 public function generate(AccountInterface $account)
 {
     // User 1 bypasses permission checks, so it gets a hash derived from a
     // dedicated identifier instead of from its role list. The comparison is
     // loose; presumably id() can return a numeric string.
     if ($account->id() == 1) {
         return $this->hash('is-super-user');
     }

     // The cache ID depends only on the sorted role IDs, so every account
     // holding the same set of roles shares one hash.
     $role_ids = $account->getRoles();
     sort($role_ids);
     $role_list = implode(',', $role_ids);
     $cid = "user_permissions_hash:{$role_list}";

     // First tier: the static cache.
     $memory_hit = $this->static->get($cid);
     if ($memory_hit) {
         return $memory_hit->data;
     }

     // Second tier: the persistent cache. Entries are tagged with the config
     // of each role so that a change to a role can invalidate the hash.
     $tags = Cache::buildTags('config:user.role', $role_ids, '.');
     $persistent_hit = $this->cache->get($cid);
     if ($persistent_hit) {
         $permissions_hash = $persistent_hit->data;
     } else {
         $permissions_hash = $this->doGenerate($role_ids);
         $this->cache->set($cid, $permissions_hash, Cache::PERMANENT, $tags);
     }

     // Populate the static cache so later calls skip the persistent lookup.
     $this->static->set($cid, $permissions_hash, Cache::PERMANENT, $tags);

     return $permissions_hash;
 }
Esempio n. 3
 /**
  * {@inheritdoc}
  */
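 public function collect(Request $request, Response $response, \Exception $exception = NULL)
 {
     // Record who made the profiled request: display name, authentication
     // state and the labels of the account's roles.
     // NOTE(review): this is identity data; confirm that whatever exposes the
     // collected data is only reachable by trusted users.
     $this->data['name'] = $this->currentUser->getDisplayName();
     $this->data['authenticated'] = $this->currentUser->isAuthenticated();
     $this->data['roles'] = [];
     $storage = $this->entityManager->getStorage('user_role');
     foreach ($this->currentUser->getRoles() as $role) {
         $entity = $storage->load($role);
         // load() yields NULL when the account carries a role ID that has no
         // role entity (for example a deleted role). Fall back to the raw ID
         // instead of calling label() on NULL, which would be a fatal error.
         $this->data['roles'][] = $entity ? $entity->label() : $role;
     }
     // Every applicable provider overwrites the previous one, so the last one
     // in sorted order is recorded. 'provider' stays unset if none applies.
     foreach ($this->providerCollector->getSortedProviders() as $provider_id => $provider) {
         if ($provider->applies($request)) {
             $this->data['provider'] = $provider_id;
         }
     }
     // The configured display name for anonymous users.
     $this->data['anonymous'] = $this->configFactory->get('user.settings')->get('anonymous');
 }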
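  /**
   * Checks access to an entity for the given operation.
   *
   * For the 'submit' operation access is granted only when the account holds
   * at least one of the roles configured on the form type. Previously both
   * role lists were fetched but never compared, and 'submit' was allowed for
   * every account. All other operations are delegated to the parent.
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The entity to check access for.
   * @param string $operation
   *   The operation being checked.
   * @param string $langcode
   *   Passed through to the parent implementation.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account whose roles are checked.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   Allowed when a configured role matches, neutral otherwise, or the
   *   parent's result for operations other than 'submit'.
   */
  protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
    if ($operation === 'submit') {
      /** @var \Drupal\eform\entity\EFormsubmission $entity */
      // Assumes ->roles holds role IDs, either as a plain list or as a
      // checkbox-style map whose unchecked entries are falsy; array_filter()
      // drops the falsy entries in both shapes. TODO confirm against the
      // form type's schema.
      $eform_roles = array_filter((array) $entity->getEFormType()->roles);
      if (array_intersect($eform_roles, $account->getRoles())) {
        return AccessResult::allowed();
      }
      // Fail closed: with no matching role (or no roles configured) nothing
      // is granted here, and other access checks may still decide.
      // NOTE(review): the result now varies by the account's roles and by the
      // form type's configuration; declare matching cacheability metadata
      // with the API of the installed core version.
      return AccessResult::neutral();
    }
    return parent::checkAccess($entity, $operation, $langcode, $account);
  }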
 /**
  * Checks access.
  *
  * @param \Symfony\Component\Routing\Route $route
  *   The route to check against.
  * @param \Drupal\Core\Session\AccountInterface $account
  *   The currently logged in account.
  *
  * @return \Drupal\Core\Access\AccessResultInterface
  *   The access result.
  */
 public function access(Route $route, AccountInterface $account)
 {
     // A requirement is a single string: "a,b" means every listed role is
     // required, "a+b" means any one of them is enough.
     $requirement = $route->getRequirement('_role');
     $all_of = array_filter(array_map('trim', explode(',', $requirement)));
     $account_roles = $account->getRoles();

     if (count($all_of) > 1) {
         // AND form: granted only if no required role is missing.
         $granted = !array_diff($all_of, $account_roles);
     } else {
         // OR form (also covers a single role): one match is sufficient.
         $any_of = array_filter(array_map('trim', explode('+', $requirement)));
         $granted = (bool) array_intersect($any_of, $account_roles);
     }

     // Without a matching role the result is neutral rather than forbidden,
     // which gives other access checks a chance. Both outcomes are cached per
     // role.
     return $granted
         ? AccessResult::allowed()->cachePerRole()
         : AccessResult::neutral()->cachePerRole();
 }
Esempio n. 6
 /**
  * {@inheritdoc}
  *
  * Cached by role, invalidated whenever permissions change.
  */
 public function generate(AccountInterface $account)
 {
     // The cache ID is built from the sorted role IDs only, so accounts with
     // the same roles share one cached hash. This variant has no special case
     // for any particular user ID.
     $role_ids = $account->getRoles();
     sort($role_ids);
     $role_list = implode(',', $role_ids);

     $cached = $this->cache->get("user_permissions_hash:{$role_list}");
     if ($cached) {
         return $cached->data;
     }

     // Cache miss: compute the hash and store it permanently, tagged with
     // the role IDs it was derived from.
     $permissions_hash = $this->doGenerate($role_ids);
     $this->cache->set("user_permissions_hash:{$role_list}", $permissions_hash, Cache::PERMANENT, array('user_role' => $role_ids));

     return $permissions_hash;
 }
 /**
  * {@inheritdoc}
  *
  * Cached by role, invalidated whenever permissions change.
  */
 public function generate(AccountInterface $account)
 {
     // Accounts with an identical set of roles map to the same cache ID and
     // therefore to the same permissions hash.
     $role_ids = $account->getRoles();
     sort($role_ids);
     $role_list = implode(',', $role_ids);

     $cached = $this->cache->get("user_permissions_hash:{$role_list}");
     if ($cached) {
         return $cached->data;
     }

     // Cache miss: compute the hash, then store it permanently under tags
     // built from each role's config name.
     $permissions_hash = $this->doGenerate($role_ids);
     $tags = Cache::buildTags('config:user.role', $role_ids, '.');
     $this->cache->set("user_permissions_hash:{$role_list}", $permissions_hash, Cache::PERMANENT, $tags);

     return $permissions_hash;
 }
Esempio n. 8
/**
 * Alter user access rules when trying to view, edit or delete a node.
 *
 * Node access modules establish rules for user access to content.
 * hook_node_grants() defines permissions for a user to view, edit or delete
 * nodes by building a $grants array that indicates the permissions assigned to
 * the user by each node access module. This hook is called to allow modules to
 * modify the $grants array by reference, so the interaction of multiple node
 * access modules can be altered or advanced business logic can be applied.
 *
 * The resulting grants are then checked against the records stored in the
 * {node_access} table to determine if the operation may be completed.
 *
 * A module may deny all access to a user by setting $grants to an empty array.
 *
 * Developers may use this hook to either add additional grants to a user or to
 * remove existing grants. These rules are typically based on either the
 * permissions assigned to a user role, or specific attributes of a user
 * account.
 *
 * @param array $grants
 *   The $grants array returned by hook_node_grants().
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account requesting access to content.
 * @param string $op
 *   The operation being performed, 'view', 'update' or 'delete'.
 *
 * @see hook_node_grants()
 * @see hook_node_access_records()
 * @see hook_node_access_records_alter()
 * @ingroup node_access
 */
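function hook_node_grants_alter(&$grants, \Drupal\Core\Session\AccountInterface $account, $op)
{
    // Our sample module never allows certain roles to edit or delete
    // content. Since some other node access modules might allow this
    // permission, we expressly remove it by emptying the $grants array
    // (passed by reference) for roles specified in our settings.
    // Get our list of banned roles.
    $restricted = \Drupal::config('example.settings')->get('restricted_roles');

    // Viewing is never restricted here, and an empty setting restricts nobody.
    if ($op === 'view' || empty($restricted)) {
        return;
    }

    // array_intersect() compares string representations. The loose
    // in_array() used before could, on PHP versions older than 8, match every
    // role ID against a stray integer 0 in the setting and strip the grants
    // of all accounts.
    if (array_intersect($account->getRoles(), (array) $restricted)) {
        $grants = array();
    }
}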
Esempio n. 9
 /**
  * {@inheritdoc}
  */
 public function access(AccountInterface $account)
 {
     // Drop falsy entries from the configured role option, then keep only the
     // roles the account actually holds. The matching roles are returned as
     // an array; an empty array is falsy, so no match means no access for
     // callers that test the result as a boolean.
     $configured_roles = array_filter($this->options['role']);
     $account_roles = $account->getRoles();

     return array_intersect($configured_roles, $account_roles);
 }
 /**
  * Grants given user permission to create content of given type.
  *
  * @param \Drupal\Core\Session\AccountInterface $account
  *   User to grant permission to.
  * @param string $content_type_id
  *   Content type ID.
  */
 protected function grantUserPermissionToCreateContentOfType(AccountInterface $account, $content_type_id)
 {
     // Only the first role returned by getRoles(TRUE) is modified.
     $custom_role_ids = $account->getRoles(TRUE);
     /* @var \Drupal\user\RoleInterface $role */
     $role = Role::load(reset($custom_role_ids));

     // The permissions are added to the role itself and saved, so they apply
     // to every account holding that role, not just to $account.
     foreach (['create %s content', 'edit any %s content'] as $permission_pattern) {
         $role->grantPermission(sprintf($permission_pattern, $content_type_id));
     }
     $role->save();
 }
Esempio n. 11
 /**
  * {@inheritdoc}
  */
 public function access(AccountInterface $account)
 {
     // The 'access all views' permission bypasses the per-role restriction.
     if ($account->hasPermission('access all views')) {
         return TRUE;
     }

     // Otherwise the account needs at least one of the configured roles;
     // falsy entries in the role option are ignored.
     $configured_roles = array_filter($this->options['role']);

     return (bool) array_intersect($configured_roles, $account->getRoles());
 }
Esempio n. 12
 /**
  * Returns the selected Medium Editor id for an account from editor settings.
  */
 public static function getMediumId(Editor $editor, AccountInterface $account)
 {
     $settings = $editor->getSettings();

     // Without any role mapping only the default editor can apply.
     if (empty($settings['roles_editors'])) {
         return $settings['default_editor'];
     }

     // Step 1: keep the mappings whose key is a role held by the account.
     // Doing this first may avoid the db hit of filter_get_roles_by_format().
     $held_by_account = array_intersect_key($settings['roles_editors'], array_flip($account->getRoles()));
     if ($held_by_account) {
         // Step 2: keep only roles returned for this editor's text format.
         $valid_for_format = array_intersect_key($held_by_account, filter_get_roles_by_format($editor->getFilterFormat()));
         if ($valid_for_format) {
             // The first surviving mapping wins.
             return reset($valid_for_format);
         }
     }

     return $settings['default_editor'];
 }