/**
 * {@inheritdoc}
 *
 * Field-level access: the 'edit' operation on any field of this entity type
 * is granted only by AccessResult::allowedIfHasPermissions() over the two
 * permissions listed below; every other operation defers to the parent.
 *
 * @param string $operation
 *   The operation being checked; only 'edit' is handled here.
 * @param FieldDefinitionInterface $field_definition
 *   The field being accessed (not consulted by this override).
 * @param AccountInterface $account
 *   The account whose permissions are checked.
 * @param FieldItemListInterface|null $items
 *   Field values, or NULL when no entity context is available.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result (allowedIfHasPermissions() carries its own
 *   per-permissions cacheability).
 */
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if ($operation != 'edit') {
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }
  // NOTE(review): no conjunction argument is passed. If allowedIfHasPermissions()
  // defaults to AND (as it presumably does), a user holding only one of these
  // two permissions is denied; pass 'OR' explicitly if either should suffice.
  $required_permissions = ['administer tmgmt', 'administer translation tasks'];
  return AccessResult::allowedIfHasPermissions($account, $required_permissions);
}
/**
 * {@inheritdoc}
 *
 * Field-level access for file entities: editing the 'status' field is denied
 * for every account, including administrators. All other field/operation
 * combinations defer to the parent implementation.
 *
 * @param string $operation
 *   The operation being checked; only 'edit' is restricted here.
 * @param FieldDefinitionInterface $field_definition
 *   The field being accessed; only 'status' is restricted here.
 * @param AccountInterface $account
 *   The account to check access for (not consulted by this override).
 * @param FieldItemListInterface|null $items
 *   Field values, or NULL when no entity context is available.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   Forbidden for status/edit, otherwise whatever the parent returns.
 */
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  $is_status_edit = $operation === 'edit' && $field_definition->getName() === 'status';
  if ($is_status_edit) {
    // Unconditional denial: this keeps a caller from flipping a freshly
    // uploaded file to permanent before it has been validated.
    return AccessResult::forbidden();
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
/**
 * {@inheritdoc}
 *
 * Field-level access for comment entities. This is field-level only: it does
 * not check whether $account may view or update the comment entity itself.
 *
 * 'edit':
 *   - uid/status/created/date require 'administer comments';
 *   - hostname/uuid/cid/thread/comment_type/pid/entity_id/entity_type/
 *     field_name are denied for everyone, even on a brand-new comment;
 *   - name/mail/homepage are denied when $items is NULL; otherwise allowed to
 *     'administer comments', or to an anonymous account with 'post comments'
 *     that is creating a new comment on a comment field whose 'anonymous'
 *     setting is not COMMENT_ANONYMOUS_MAYNOT_CONTACT.
 * 'view':
 *   - 'administer comments' may view every field except hostname;
 *   - otherwise 'access comments' is required, the comment must be published
 *     (only checked when an entity is available) and mail/hostname are hidden.
 * Any other operation defers to the parent implementation.
 *
 * @param string $operation
 *   The operation being checked ('view' and 'edit' are handled here).
 * @param FieldDefinitionInterface $field_definition
 *   The field being accessed.
 * @param AccountInterface $account
 *   The account to check access for.
 * @param FieldItemListInterface|null $items
 *   The field values, or NULL when access is checked without an entity.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result with its cacheability metadata.
 */
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if ($operation == 'edit') {
    // Only users with the "administer comments" permission can edit
    // administrative fields.
    $administrative_fields = array('uid', 'status', 'created', 'date');
    if (in_array($field_definition->getName(), $administrative_fields, TRUE)) {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }
    // No user can change read-only fields. This is unconditional: it applies
    // to administrators too, and it does not distinguish a new comment from an
    // existing one.
    $read_only_fields = array('hostname', 'uuid', 'cid', 'thread', 'comment_type', 'pid', 'entity_id', 'entity_type', 'field_name');
    if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
      return AccessResult::forbidden();
    }
    // If the field is configured to accept anonymous contact details - admins
    // can edit name, homepage and mail. Anonymous users can also fill in the
    // fields on comment creation.
    if (in_array($field_definition->getName(), ['name', 'mail', 'homepage'], TRUE)) {
      if (!$items) {
        // Without items we cannot determine the Comment entity, and hence
        // the commented entity's 'anonymous' setting, so fail closed.
        return AccessResult::forbidden();
      }
      /** @var \Drupal\comment\CommentInterface $entity */
      $entity = $items->getEntity();
      // NOTE(review): $commented_entity is dereferenced unguarded below. If
      // getCommentedEntity() can return NULL (e.g. the host entity was
      // deleted), this is a fatal error rather than a denial — confirm
      // against the API and add a forbidden() guard if so.
      $commented_entity = $entity->getCommentedEntity();
      // The 'anonymous' setting lives on the comment field of the commented
      // entity, not on the comment itself.
      $anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous');
      $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
      // Anonymous contact fields are editable only while the comment is new,
      // by an anonymous account holding 'post comments', and only if the field
      // setting is not MAYNOT_CONTACT. The outcome depends on permissions, the
      // comment, the field config and the commented entity, so all four are
      // recorded as cache dependencies.
      $anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && $anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT && $account->hasPermission('post comments'))
        ->cachePerPermissions()
        ->cacheUntilEntityChanges($entity)
        ->cacheUntilEntityChanges($field_definition->getConfig($commented_entity->bundle()))
        ->cacheUntilEntityChanges($commented_entity);
      return $admin_access->orIf($anonymous_access);
    }
  }
  if ($operation == 'view') {
    $entity = $items ? $items->getEntity() : NULL;
    // Admins can view any fields except hostname, other users need both the
    // "access comments" permission and for the comment to be published. The
    // mail field is hidden from non-admins.
    $admin_access = AccessResult::allowedIf($account->hasPermission('administer comments') && $field_definition->getName() != 'hostname')->cachePerPermissions();
    // NOTE(review): with no $items there is no entity and the published check
    // is skipped (`!$entity` short-circuits), so the answer rests on
    // permissions alone. Callers asking about fields of an unpublished comment
    // must pass $items, or rely on entity-level access to deny it.
    $anonymous_access = AccessResult::allowedIf($account->hasPermission('access comments') && (!$entity || $entity->isPublished()) && !in_array($field_definition->getName(), array('mail', 'hostname'), TRUE))->cachePerPermissions();
    if ($entity) {
      // Relies on cacheUntilEntityChanges() mutating $anonymous_access in
      // place; the fluent return value is discarded.
      $anonymous_access->cacheUntilEntityChanges($entity);
    }
    return $admin_access->orIf($anonymous_access);
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
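/**
 * {@inheritdoc}
 *
 * Field-level access for node entities. Only the 'edit' operation is
 * restricted here; every other operation, and every field not listed, falls
 * through to the parent implementation.
 *
 * 'edit':
 *   - uid/status/created/promote/sticky require 'administer nodes';
 *   - revision_timestamp/revision_uid are denied for everyone;
 *   - revision_log is allowed to 'administer nodes', otherwise only when the
 *     node's type creates new revisions by default. Without an entity (or a
 *     resolvable node type) this is denied rather than dereferencing NULL,
 *     matching the fail-closed behaviour of the comment handler.
 *
 * @param string $operation
 *   The operation being checked; only 'edit' is handled here.
 * @param FieldDefinitionInterface $field_definition
 *   The field being accessed.
 * @param AccountInterface $account
 *   The account to check access for.
 * @param FieldItemListInterface|null $items
 *   The field values, or NULL when access is checked without an entity.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result with its cacheability metadata.
 */
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if ($operation != 'edit') {
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }
  $field_name = $field_definition->getName();

  // Only users with the administer nodes permission can edit administrative
  // fields.
  $administrative_fields = ['uid', 'status', 'created', 'promote', 'sticky'];
  if (in_array($field_name, $administrative_fields, TRUE)) {
    return AccessResult::allowedIfHasPermission($account, 'administer nodes');
  }

  // No user can change read only fields.
  $read_only_fields = ['revision_timestamp', 'revision_uid'];
  if (in_array($field_name, $read_only_fields, TRUE)) {
    return AccessResult::forbidden();
  }

  // Users have access to the revision_log field either if they have
  // administrative permissions or if the new revision option is enabled.
  if ($field_name === 'revision_log') {
    if ($account->hasPermission('administer nodes')) {
      return AccessResult::allowed()->cachePerPermissions();
    }
    // $items is nullable: without it (or without a resolvable type) we cannot
    // read the new-revision setting, so fail closed instead of fataling.
    // `type->entity` is taken to be the node's type config entity.
    $node_type = $items ? $items->getEntity()->type->entity : NULL;
    if (!$node_type) {
      return AccessResult::forbidden()->cachePerPermissions();
    }
    // The outcome depends on the node type's configuration as well as on
    // permissions, so record the type as a cache dependency.
    return AccessResult::allowedIf($node_type->isNewRevision())
      ->cachePerPermissions()
      ->addCacheableDependency($node_type);
  }

  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}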
/**
 * {@inheritdoc}
 *
 * Field-level access for user entities. Field-level only: whether $account
 * may view or update the user entity as a whole is not checked here.
 *
 * - 'administer users' grants every operation on every field except 'pass',
 *   which is never implicitly granted and always hits the explicit rule.
 * - 'name': viewable by anyone reaching this check; any other operation is
 *   allowed only on the own account with 'change own username'.
 * - 'preferred_langcode', 'preferred_admin_langcode', 'timezone', 'mail':
 *   viewable only on the own account; any other operation is allowed.
 * - 'pass': edit allowed, anything else denied. 'created': view allowed,
 *   anything else denied.
 * - 'roles', 'status', 'access', 'login', 'init': always denied.
 * - Everything else defers to the parent implementation.
 *
 * @param string $operation
 *   The operation being checked.
 * @param FieldDefinitionInterface $field_definition
 *   The field being accessed.
 * @param AccountInterface $account
 *   The account to check access for.
 * @param FieldItemListInterface|null $items
 *   The field values, or NULL when access is checked without an entity; when
 *   NULL the entity is never treated as the own account.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result.
 */
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  $field_name = $field_definition->getName();
  $is_view = $operation == 'view';
  $is_edit = $operation == 'edit';

  // Administrators get everything implicitly, with 'pass' as the single
  // exception: it must always go through the explicit rule below.
  if ($field_name !== 'pass' && $account->hasPermission('administer users')) {
    return AccessResult::allowed()->cachePerRole();
  }

  // Whether the entity under check is $account's own user record.
  // NOTE(review): loose `==` — an unsaved entity (NULL id) compares equal to
  // an account id of 0; confirm the registration path relies on this before
  // tightening to `===`.
  $is_own_account = $items ? $items->getEntity()->id() == $account->id() : FALSE;

  if ($field_name === 'name') {
    if ($is_view) {
      return AccessResult::allowed()->cachePerRole();
    }
    if ($is_own_account && $account->hasPermission('change own username')) {
      return AccessResult::allowed()->cachePerRole()->cachePerUser();
    }
    return AccessResult::forbidden();
  }

  $personalization_fields = ['preferred_langcode', 'preferred_admin_langcode', 'timezone', 'mail'];
  if (in_array($field_name, $personalization_fields, TRUE)) {
    if ($is_view) {
      // Only the account itself may see its own mail address and settings.
      return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::forbidden();
    }
    // Any non-view operation is granted to whoever reaches this check.
    return AccessResult::allowed()->cachePerRole();
  }

  if ($field_name === 'pass') {
    // Write-only: the password can be set but never read back.
    return $is_edit ? AccessResult::allowed() : AccessResult::forbidden();
  }

  if ($field_name === 'created') {
    // Read-only: the creation date is visible but not editable.
    return $is_view ? AccessResult::allowed() : AccessResult::forbidden();
  }

  $locked_fields = ['roles', 'status', 'access', 'login', 'init'];
  if (in_array($field_name, $locked_fields, TRUE)) {
    return AccessResult::forbidden();
  }

  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
/**
 * {@inheritdoc}
 *
 * Field-level access for comment entities. This is field-level only: it does
 * not check whether $account may view or update the comment entity itself.
 *
 * 'edit':
 *   - uid/status/created/date require 'administer comments';
 *   - hostname/changed/cid/thread are denied for everyone;
 *   - comment_type/uuid/entity_id/entity_type/field_name/pid may be set by a
 *     holder of 'post comments' only while the comment is new; on an existing
 *     comment, or when $items is NULL, they are read-only;
 *   - name/mail/homepage are denied when $items is NULL; otherwise allowed to
 *     'administer comments', or to an anonymous account with 'post comments'
 *     that is creating a new comment on a comment field whose 'anonymous'
 *     setting is not COMMENT_ANONYMOUS_MAYNOT_CONTACT.
 * 'view':
 *   - hostname is denied for everyone; mail requires 'administer comments';
 *   - every other field defers to the parent implementation.
 * Any other operation defers to the parent implementation.
 *
 * @param string $operation
 *   The operation being checked ('view' and 'edit' are handled here).
 * @param FieldDefinitionInterface $field_definition
 *   The field being accessed.
 * @param AccountInterface $account
 *   The account to check access for.
 * @param FieldItemListInterface|null $items
 *   The field values, or NULL when access is checked without an entity.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   The access result with its cacheability metadata.
 */
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if ($operation == 'edit') {
    // Only users with the "administer comments" permission can edit
    // administrative fields.
    $administrative_fields = array('uid', 'status', 'created', 'date');
    if (in_array($field_definition->getName(), $administrative_fields, TRUE)) {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }
    // No user can change read-only fields.
    $read_only_fields = array('hostname', 'changed', 'cid', 'thread');
    // These fields can be edited during comment creation.
    $create_only_fields = ['comment_type', 'uuid', 'entity_id', 'entity_type', 'field_name', 'pid'];
    if ($items && ($entity = $items->getEntity()) && $entity->isNew() && in_array($field_definition->getName(), $create_only_fields, TRUE)) {
      // We are creating a new comment, user can edit create only fields.
      // Only 'post comments' is consulted here — 'administer comments' does
      // not substitute for it. The attachment target (entity_type/entity_id/
      // field_name) and thread parent (pid) are accepted from the creator on
      // that permission alone; whether the target actually accepts comments is
      // presumably enforced by validation elsewhere, not here.
      return AccessResult::allowedIfHasPermission($account, 'post comments')->addCacheableDependency($entity);
    }
    // We are editing an existing comment - create only fields are now read
    // only. This branch is also reached when $items is NULL, so without an
    // entity the create-only fields fail closed.
    $read_only_fields = array_merge($read_only_fields, $create_only_fields);
    if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
      return AccessResult::forbidden();
    }
    // If the field is configured to accept anonymous contact details - admins
    // can edit name, homepage and mail. Anonymous users can also fill in the
    // fields on comment creation.
    if (in_array($field_definition->getName(), ['name', 'mail', 'homepage'], TRUE)) {
      if (!$items) {
        // Without items we cannot determine the Comment entity, and hence
        // the commented entity's 'anonymous' setting, so fail closed.
        return AccessResult::forbidden();
      }
      /** @var \Drupal\comment\CommentInterface $entity */
      $entity = $items->getEntity();
      // NOTE(review): $commented_entity is dereferenced unguarded below. If
      // getCommentedEntity() can return NULL (e.g. the host entity was
      // deleted), this is a fatal error rather than a denial — confirm
      // against the API and add a forbidden() guard if so.
      $commented_entity = $entity->getCommentedEntity();
      // The 'anonymous' setting lives on the comment field of the commented
      // entity, not on the comment itself.
      $anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous');
      $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
      // Anonymous contact fields are editable only while the comment is new,
      // by an anonymous account holding 'post comments', and only if the field
      // setting is not MAYNOT_CONTACT. The outcome depends on permissions, the
      // comment, the field config and the commented entity, so all four are
      // recorded as cache dependencies.
      $anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && $anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT && $account->hasPermission('post comments'))
        ->cachePerPermissions()
        ->cacheUntilEntityChanges($entity)
        ->cacheUntilEntityChanges($field_definition->getConfig($commented_entity->bundle()))
        ->cacheUntilEntityChanges($commented_entity);
      return $admin_access->orIf($anonymous_access);
    }
  }
  if ($operation == 'view') {
    // Nobody has access to the hostname.
    if ($field_definition->getName() == 'hostname') {
      return AccessResult::forbidden();
    }
    // The mail field is hidden from non-admins.
    if ($field_definition->getName() == 'mail') {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }
    // NOTE(review): no published-state check is made for any other field at
    // this level; presumably entity-level view access covers unpublished
    // comments — confirm.
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}