/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': // There is no direct viewing of a menu link, but still for purposes of // content_translation we need a generic way to check access. return AccessResult::allowedIfHasPermission($account, 'administer menu'); case 'update': if (!$account->hasPermission('administer menu')) { return AccessResult::neutral()->cachePerPermissions(); } else { // If there is a URL, this is an external link so always accessible. $access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity); /** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */ // We allow access, but only if the link is accessible as well. if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) { $link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE); $access = $access->andIf($link_access); } return $access; } case 'delete': return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity); } }
/** * {@inheritdoc} */ public function access(Route $route, AccountInterface $account, Request $request) { $_entity_revision = $request->attributes->get('_entity_revision'); $operation = $route->getRequirement('_entity_access_revision'); list(, $operation) = explode('.', $operation, 2); return AccessResult::allowedIf($_entity_revision && $this->checkAccess($_entity_revision, $account, $operation))->cachePerPermissions(); }
/** * Handles access to the rdf_entity proposal form. * * @param \Drupal\rdf_entity\RdfEntityTypeInterface $rdf_type * The RDF entity type for which the proposal form is built. * * @return \Drupal\Core\Access\AccessResult * The access result object. */ public function createAssetReleaseAccess(RdfEntityTypeInterface $rdf_type) { if (!in_array($rdf_type->id(), ['collection', 'solution'])) { return AccessResult::forbidden(); } return AccessResult::allowedIf($this->currentUser()->hasPermission("propose {$rdf_type->id()} rdf entity")); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { /** @var \Drupal\user\UserInterface $entity*/ // The anonymous user's profile can neither be viewed, updated nor deleted. if ($entity->isAnonymous()) { return AccessResult::forbidden(); } // Administrators can view/update/delete all user profiles. if ($account->hasPermission('administer users')) { return AccessResult::allowed()->cachePerRole(); } switch ($operation) { case 'view': // Only allow view access if the account is active. if ($account->hasPermission('access user profiles') && $entity->isActive()) { return AccessResult::allowed()->cachePerRole()->cacheUntilEntityChanges($entity); } else { if ($account->id() == $entity->id()) { return AccessResult::allowed()->cachePerUser(); } } break; case 'update': // Users can always edit their own account. return AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser(); case 'delete': // Users with 'cancel account' permission can cancel their own account. return AccessResult::allowedIf($account->id() == $entity->id() && $account->hasPermission('cancel account'))->cachePerRole()->cachePerUser(); } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ public function access(Route $route, AccountInterface $account, RdfInterface $rdf_entity, $operation = 'view') { $graph = $route->getOption('graph_name'); $entity_type_id = $route->getOption('entity_type_id'); $storage = $this->entityManager->getStorage($entity_type_id); if (!$storage instanceof RdfEntitySparqlStorage) { throw new \Exception('Storage not supported.'); } // The active graph is the published graph. It is handled by the default // operation handler. // @todo: getActiveGraph is not the default. We should load from settings. $default_graph = $storage->getBundleGraphUri($rdf_entity->bundle(), 'default'); $requested_graph = $storage->getBundleGraphUri($rdf_entity->bundle(), $graph); if ($requested_graph == $default_graph) { return AccessResult::neutral(); } $active_graph_type = $storage->getRequestGraphs($rdf_entity->id()); // Check if there is an entity saved in the passed graph. $storage->setRequestGraphs($rdf_entity->id(), [$graph]); $entity = $storage->load($rdf_entity->id()); // Restore active graph. $storage->setRequestGraphs($rdf_entity->id(), $active_graph_type); // @todo: When the requested graph is the only one and it is not the // default, it is loaded in the default view, so maybe there is no need // to also show a separate tab. return AccessResult::allowedIf($entity && $this->checkAccess($rdf_entity, $route, $account, $operation, $graph))->cachePerPermissions()->addCacheableDependency($rdf_entity); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\crm_core_contact\Entity\ContactType $entity */ // First check permission. if (parent::checkAccess($entity, $operation, $account)->isForbidden()) { return AccessResult::forbidden(); } switch ($operation) { case 'enable': // Only disabled contact type can be enabled. return AccessResult::allowedIf(!$entity->status()); case 'disable': return AccessResult::allowedIf($entity->status()); case 'delete': // If contact instance of this contact type exist, you can't delete it. $results = \Drupal::entityQuery('crm_core_contact')->condition('type', $entity->id())->execute(); return AccessResult::allowedIf(empty($results)); // @todo Which is it? // @todo Which is it? case 'edit': case 'update': // If the contact type is locked, you can't edit it. return AccessResult::allowed(); } }
/** * Checks routing access for the support_ticket revision. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * @param int $support_ticket_revision * (optional) The support_ticket revision ID. If not specified, but * $support_ticket is, access is checked for that object's revision. * @param \Drupal\support_ticket\SupportTicketInterface $support_ticket * (optional) A support_ticket object. Used for checking access to a * support_ticket's default revision when $support_ticket_revision is * unspecified. Ignored when $support_ticket_revision is specified. If neither * $support_ticket_revision nor $support_ticket are specified, then access is * denied. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, AccountInterface $account, $support_ticket_revision = NULL, SupportTicketInterface $support_ticket = NULL) { if ($support_ticket_revision) { $support_ticket = $this->supportTicketStorage->loadRevision($support_ticket_revision); } $operation = $route->getRequirement('_access_support_ticket_revision'); return AccessResult::allowedIf($support_ticket && $this->checkAccess($support_ticket, $account, $operation))->cachePerPermissions(); }
/** * Checks routing access for the node revision. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * @param int $node_revision * (optional) The node revision ID. If not specified, but $node is, access * is checked for that object's revision. * @param \Drupal\node\NodeInterface $node * (optional) A node object. Used for checking access to a node's default * revision when $node_revision is unspecified. Ignored when $node_revision * is specified. If neither $node_revision nor $node are specified, then * access is denied. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, AccountInterface $account, $node_revision = NULL, NodeInterface $node = NULL) { if ($node_revision) { $node = $this->nodeStorage->loadRevision($node_revision); } $operation = $route->getRequirement('_access_node_revision'); return AccessResult::allowedIf($node && $this->checkAccess($node, $account, $operation))->cachePerPermissions(); }
/** * Tests the access check method. * * @dataProvider providerTestAccess * @covers ::access */ public function testAccess($requirements, $access, array $contexts = []) { $access_result = AccessResult::allowedIf($access)->addCacheContexts($contexts); $user = $this->getMock('Drupal\\Core\\Session\\AccountInterface'); $user->expects($this->any())->method('hasPermission')->will($this->returnValueMap([['allowed', TRUE], ['denied', FALSE], ['other', FALSE]])); $route = new Route('', [], $requirements); $this->assertEquals($access_result, $this->accessCheck->access($route, $user)); }
/** * Check to see if user accessed this page. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access() { if (!isset($_SESSION['menu_test'])) { $result = AccessResult::allowed(); } else { $result = AccessResult::allowedIf($_SESSION['menu_test'] < 2); } return $result->setCacheMaxAge(0); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { switch ($operation) { case 'delete': return AccessResult::allowedIf($account->hasPermission('administer feeds') && !$entity->isLocked()); default: return AccessResult::allowedIfHasPermission($account, 'administer feeds'); } }
/** * Access callback; check if the module is configured. * * This function does not actually check whether Mollom keys are valid for the * site, but just if the keys have been entered. * * @param $permission * An optional permission string to check with \Drupal::currentUser()->hasPermission(). * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ function access($permission = FALSE) { $configured = \Drupal::config('mollom.settings')->get('keys.public') && \Drupal::config('mollom.settings')->get('keys.private'); if ($configured && $permission) { return AccessResult::allowedIfHasPermission($permission, \Drupal::currentUser()); } else { return AccessResult::allowedIf($configured); } }
/** * Checks that an entity is an event type. */ public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account) { if ($event = $route->getDefault('event')) { $event = $route_match->getParameter($event); if ($event instanceof EntityInterface) { return AccessResult::allowedIf($this->eventManager->isEvent($event)); } } return AccessResult::neutral(); }
/** * {@inheritdoc} */ public function access(Route $route, AccountInterface $account, RouteMatchInterface $route_match, $entity_revision = NULL, $_entity_revision = NULL) { $entity = $_entity_revision ?: $this->extractEntityFromRouteMatch($route_match); if ($entity_revision) { $entity = $this->entityManager->getStorage($entity->getEntityTypeId())->loadRevision($entity_revision); } $operation = $route->getRequirement('_entity_access_revision'); list(, $operation) = explode('.', $operation, 2); return AccessResult::allowedIf($entity && $this->checkAccess($entity, $account, $operation))->cachePerPermissions(); }
/** * {@inheritdoc} */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { $access_result = AccessResult::allowedIfHasPermissions($account, ["create {$entity_bundle} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR'); if ($entity_bundle) { $queue = EntityQueue::load($entity_bundle); $access_result = AccessResult::allowedIf(!$queue->getHandlerPlugin()->hasAutomatedSubqueues()); } return $access_result; }
/** * {@inheritdoc} */ public function access(NodeInterface $node, $operation, AccountInterface $account) { // Grants only support these operations. if (!in_array($operation, ['view', 'update', 'delete'])) { return AccessResult::neutral(); } // If no module implements the hook or the node does not have an id there is // no point in querying the database for access grants. if (!$this->moduleHandler->getImplementations('node_grants') || !$node->id()) { // Return the equivalent of the default grant, defined by // self::writeDefault(). if ($operation === 'view') { return AccessResult::allowedIf($node->isPublished())->addCacheableDependency($node); } else { return AccessResult::neutral(); } } // Check the database for potential access grants. $query = $this->database->select('node_access'); $query->addExpression('1'); // Only interested for granting in the current operation. $query->condition('grant_' . $operation, 1, '>='); // Check for grants for this node and the correct langcode. $nids = $query->andConditionGroup()->condition('nid', $node->id())->condition('langcode', $node->language()->getId()); // If the node is published, also take the default grant into account. The // default is saved with a node ID of 0. $status = $node->isPublished(); if ($status) { $nids = $query->orConditionGroup()->condition($nids)->condition('nid', 0); } $query->condition($nids); $query->range(0, 1); $grants = static::buildGrantsQueryCondition(node_access_grants($operation, $account)); if (count($grants) > 0) { $query->condition($grants); } // Only the 'view' node grant can currently be cached; the others currently // don't have any cacheability metadata. Hopefully, we can add that in the // future, which would allow this access check result to be cacheable in all // cases. For now, this must remain marked as uncacheable, even when it is // theoretically cacheable, because we don't have the necessary metadata to // know it for a fact. $set_cacheability = function (AccessResult $access_result) use($operation) { $access_result->addCacheContexts(['user.node_grants:' . $operation]); if ($operation !== 'view') { $access_result->setCacheMaxAge(0); } return $access_result; }; if ($query->execute()->fetchField()) { return $set_cacheability(AccessResult::allowed()); } else { return $set_cacheability(AccessResult::neutral()); } }
/** * {@inheritdoc} */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { $contact_type_is_active = empty($entity_bundle); // Load the contact type entity. if (!empty($entity_bundle)) { /* @var \Drupal\crm_core_contact\Entity\ContactType $contact_type_entity */ $contact_type_entity = ContactType::load($entity_bundle); $contact_type_is_active = $contact_type_entity->status(); } return AccessResult::allowedIf($contact_type_is_active)->andIf(AccessResult::allowedIfHasPermissions($account, ['administer crm_core_contact entities', 'create crm_core_contact entities', 'create crm_core_contact entities of bundle ' . $entity_bundle], 'OR')); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': // Check for status and set 'published' or 'unpublished'. $status = $entity->status->value ? 'published' : 'unpublished'; return AccessResult::allowedIf($account->hasPermission('access content') && $account->hasPermission('view ' . $status . ' terms in ' . $entity->bundle())); default: return parent::checkAccess($entity, $operation, $account); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($operation == 'view' || $operation == 'update') { if ($account->hasPermission('administer tmgmt') || $account->hasPermission('administer translation tasks')) { // Administrators can do everything. return AccessResult::allowed()->cachePerPermissions(); } return AccessResult::allowedIf($entity->getTask()->tuid->target_id == $account->id() && $account->hasPermission('provide translation services')); } return $entity->getTask()->access($operation, $account, TRUE); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($operation == 'view') { // Do not allow access personal form via site-wide route. return AccessResult::allowedIf($account->hasPermission('access site-wide contact form') && $entity->id() !== 'personal')->cachePerPermissions(); } elseif ($operation == 'delete' || $operation == 'update') { // Do not allow the 'personal' form to be deleted, as it's used for // the personal contact form. return AccessResult::allowedIf($account->hasPermission('administer contact forms') && $entity->id() !== 'personal')->cachePerPermissions(); } return parent::checkAccess($entity, $operation, $account); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'update': return AccessResult::allowedIf($account->hasPermission('administer grade letters'))->cachePerPermissions()->cacheUntilEntityChanges($entity); case 'delete': return AccessResult::allowedIf($account->hasPermission('administer grade letters') && $entity->getGradeLetterSet() != 'default')->cachePerPermissions(); default: // No opinion. return AccessResult::neutral(); } }
/** * {@inheritdoc} */ public function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { switch ($operation) { case 'update': case 'delete': /* @var \Drupal\Core\Language\LanguageInterface $entity */ return AccessResult::allowedIf(!$entity->isLocked())->cacheUntilEntityChanges($entity)->andIf(parent::checkAccess($entity, $operation, $langcode, $account)); default: // No opinion. return AccessResult::neutral(); } }
/** * Checks access to the overview based on permissions and translatability. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, AccountInterface $account) { /** @var \Drupal\config_translation\ConfigMapperInterface $mapper */ $mapper = $this->configMapperManager->createInstance($route->getDefault('plugin_id')); $this->sourceLanguage = $this->languageManager->getLanguage($mapper->getLangcode()); // Allow access to the translation overview if the proper permission is // granted, the configuration has translatable pieces, and the source // language is not locked if it is present. $source_language_access = is_null($this->sourceLanguage) || !$this->sourceLanguage->isLocked(); $access = $account->hasPermission('translate configuration') && $mapper->hasSchema() && $mapper->hasTranslatable() && $source_language_access; return AccessResult::allowedIf($access)->cachePerRole(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $paragraph, $operation, AccountInterface $account) { // Allowed when the operation is not view or the status is true. /** @var \Drupal\paragraphs\Entity\Paragraph $paragraph */ if ($paragraph->getParentEntity() != NULL) { // Delete permission on the paragraph, should just depend on 'update' // access permissions on the parent. $operation = $operation == 'delete' ? 'update' : $operation; $parent_access = $paragraph->getParentEntity()->access($operation, $account, TRUE); return AccessResult::allowedIf($operation != 'view' || $paragraph->status->value)->andIf($parent_access); } return AccessResult::allowedIf($operation != 'view' || $paragraph->status->value); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $payment_method_configuration, $operation, AccountInterface $account) { /** @var \Drupal\payment\Entity\PaymentMethodConfigurationInterface $payment_method_configuration */ if ($operation == 'enable') { return AccessResult::allowedIf(!$payment_method_configuration->status())->andIf($this->access($payment_method_configuration, 'update', $account, TRUE))->cacheUntilEntityChanges($payment_method_configuration); } elseif ($operation == 'disable') { return AccessResult::allowedIf($payment_method_configuration->status())->andIf($this->access($payment_method_configuration, 'update', $account, TRUE))->cacheUntilEntityChanges($payment_method_configuration); } elseif ($operation == 'duplicate') { return $this->createAccess($payment_method_configuration->bundle(), $account, [], TRUE)->andIf($this->access($payment_method_configuration, 'view', $account, TRUE)); } else { $permission_prefix = 'payment.payment_method_configuration.' . $operation; return AccessResult::allowedIfHasPermission($account, $permission_prefix . '.any')->orIf(AccessResult::allowedIfHasPermission($account, $permission_prefix . '.own')->andIf(AccessResult::allowedIf($account->id() == $payment_method_configuration->getOwnerId())->addCacheableDependency($payment_method_configuration))); } }
/** * {@inheritdoc} */ public function getTranslationAccess(EntityInterface $entity, $op) { // @todo Move this logic into a translation access control handler checking also // the translation language and the given account. $entity_type = $entity->getEntityType(); $translate_permission = TRUE; // If no permission granularity is defined this entity type does not need an // explicit translate permission. $current_user = \Drupal::currentUser(); if (!$current_user->hasPermission('translate any entity') && ($permission_granularity = $entity_type->getPermissionGranularity())) { $translate_permission = $current_user->hasPermission($permission_granularity == 'bundle' ? "translate {$entity->bundle()} {$entity->getEntityTypeId()}" : "translate {$entity->getEntityTypeId()}"); } return AccessResult::allowedIf($translate_permission && $current_user->hasPermission("{$op} content translations"))->cachePerRole(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'update': /* @var \Drupal\Core\Language\LanguageInterface $entity */ return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(parent::checkAccess($entity, $operation, $account)); case 'delete': /* @var \Drupal\Core\Language\LanguageInterface $entity */ return AccessResult::allowedIf(!$entity->isLocked())->addCacheableDependency($entity)->andIf(AccessResult::allowedIf(!$entity->isDefault())->addCacheableDependency($entity))->andIf(parent::checkAccess($entity, $operation, $account)); default: // No opinion. return AccessResult::neutral(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($operation === 'delete') { return AccessResult::allowedIf($entity->isInactive()); } else { if ($operation == 'abort') { return AccessResult::allowedIf($entity->isActive() || $entity->isNeedsReview()); } else { if ($entity->getJob()) { return $entity->getJob()->access($operation, $account, TRUE); } } } }
/** * {@inheritdoc} */ public function access(Route $route, AccountInterface $account, Request $request = NULL) { if (empty($request)) { $request = $this->requestStack->getCurrentRequest(); } $operation = $route->getRequirement('_entity_access_revision'); list(, $operation) = explode('.', $operation, 2); if ($operation === 'list') { $_entity = $request->attributes->get('_entity', $request->attributes->get($route->getOption('entity_type_id'))); return AccessResult::allowedIf($this->checkAccess($_entity, $account, $operation))->cachePerPermissions(); } else { $_entity_revision = $request->attributes->get('_entity_revision'); return AccessResult::allowedIf($_entity_revision && $this->checkAccess($_entity_revision, $account, $operation))->cachePerPermissions(); } }
/** * Tests the method for checking access to routes. * * @param bool $entity_is_editable * Whether the subject entity is editable. * @param bool $field_storage_is_accessible * Whether the user has access to the field storage entity. * @param \Drupal\Core\Access\AccessResult $expected_result * The expected result of the access call. * * @dataProvider providerTestAccess */ public function testAccess($entity_is_editable, $field_storage_is_accessible, AccessResult $expected_result) { $entity = $this->createMockEntity(); $entity->expects($this->any())->method('access')->willReturn(AccessResult::allowedIf($entity_is_editable)->cachePerPermissions()); $field_storage = $this->getMock('Drupal\\field\\FieldStorageConfigInterface'); $field_storage->expects($this->any())->method('access')->willReturn(AccessResult::allowedIf($field_storage_is_accessible)); $expected_result->cachePerPermissions(); $field_name = 'valid'; $entity_with_field = clone $entity; $entity_with_field->expects($this->any())->method('get')->with($field_name)->will($this->returnValue($field_storage)); $entity_with_field->expects($this->once())->method('hasTranslation')->with(LanguageInterface::LANGCODE_NOT_SPECIFIED)->will($this->returnValue(TRUE)); $account = $this->getMock('Drupal\\Core\\Session\\AccountInterface'); $access = $this->editAccessCheck->access($entity_with_field, $field_name, LanguageInterface::LANGCODE_NOT_SPECIFIED, $account); $this->assertEquals($expected_result, $access); }