/** * {@inheritdoc} * * When the $operation is 'add' then the $entity is of type 'profile_type', * otherwise $entity is of type 'profile'. */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { $account = $this->prepareUser($account); $user_page = \Drupal::request()->attributes->get('user'); // Some times, operation edit is called update. // Use edit in any case. if ($operation == 'update') { $operation = 'edit'; } // Check that if profile type has require roles, the user the profile is // being added to has any of the required roles. if ($entity->getEntityTypeId() == 'profile') { $profile_roles = ProfileType::load($entity->bundle())->getRoles(); $user_roles = $entity->getOwner()->getRoles(TRUE); if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) { return AccessResult::forbidden(); } } elseif ($entity->getEntityTypeId() == 'profile_type') { $profile_roles = $entity->getRoles(); $user_roles = User::load($user_page->id())->getRoles(TRUE); if (!empty(array_filter($profile_roles)) && !array_intersect($user_roles, $profile_roles)) { return AccessResult::forbidden(); } } if ($account->hasPermission('bypass profile access')) { return AccessResult::allowed()->cachePerPermissions(); } elseif ($operation == 'add' && ($user_page->id() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->id() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->id() . ' profile')) || $operation != 'add' && ($entity->getOwnerId() == $account->id() && $account->hasPermission($operation . ' own ' . $entity->getType() . ' profile') || $account->hasPermission($operation . ' any ' . $entity->getType() . ' profile'))) { return AccessResult::allowed()->cachePerPermissions(); } else { return AccessResult::forbidden()->cachePerPermissions(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\file\FileInterface $entity */ if ($operation == 'download' || $operation == 'view') { if (\Drupal::service('file_system')->uriScheme($entity->getFileUri()) === 'public') { // Always allow access to file in public file system. return AccessResult::allowed(); } elseif ($references = $this->getFileReferences($entity)) { foreach ($references as $field_name => $entity_map) { foreach ($entity_map as $referencing_entity_type => $referencing_entities) { /** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */ foreach ($referencing_entities as $referencing_entity) { $entity_and_field_access = $referencing_entity->access('view', $account, TRUE)->andIf($referencing_entity->{$field_name}->access('view', $account, TRUE)); if ($entity_and_field_access->isAllowed()) { return $entity_and_field_access; } } } } } elseif ($entity->getOwnerId() == $account->id()) { // This case handles new nodes, or detached files. The user who uploaded // the file can always access if it's not yet used. return AccessResult::allowed(); } } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function blockAccess(AccountInterface $account) { if ($account->hasPermission('search content')) { return AccessResult::allowed(); } return AccessResult::forbidden(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': // There is no direct viewing of a menu link, but still for purposes of // content_translation we need a generic way to check access. return AccessResult::allowedIfHasPermission($account, 'administer menu'); case 'update': if (!$account->hasPermission('administer menu')) { return AccessResult::neutral()->cachePerPermissions(); } else { // If there is a URL, this is an external link so always accessible. $access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity); /** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */ // We allow access, but only if the link is accessible as well. if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) { $link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE); $access = $access->andIf($link_access); } return $access; } case 'delete': return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($account->hasPermission('administer tmgmt')) { // Administrators can do everything. return AccessResult::allowed()->cachePerPermissions(); } switch ($operation) { case 'view': case 'update': return AccessResult::allowedIfHasPermission($account, 'create translation jobs')->orIf(AccessResult::allowedIfHasPermission($account, 'accept translation jobs')); break; case 'delete': // Only administrators can delete jobs. return AccessResult::forbidden(); break; // Custom operations. // Custom operations. case 'submit': return AccessResult::allowedIfHasPermission($account, 'submit translation jobs'); break; case 'accept': return AccessResult::allowedIfHasPermission($account, 'accept translation jobs'); break; case 'abort': case 'resubmit': return AccessResult::allowedIfHasPermission($account, 'submit translation jobs'); break; } }
/** * Checks access to the translation overview for the entity and bundle. * * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parametrized route. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * @param string $entity_type_id * The entity type ID. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(RouteMatchInterface $route_match, AccountInterface $account, $entity_type_id) { /* @var \Drupal\Core\Entity\ContentEntityInterface $entity */ $entity = $route_match->getParameter($entity_type_id); if ($entity && $entity->isTranslatable()) { // Get entity base info. $bundle = $entity->bundle(); // Get entity access callback. $definition = $this->entityManager->getDefinition($entity_type_id); $translation = $definition->get('translation'); $access_callback = $translation['content_translation']['access_callback']; $access = call_user_func($access_callback, $entity); if ($access->isAllowed()) { return $access; } // Check "translate any entity" permission. if ($account->hasPermission('translate any entity')) { return AccessResult::allowed()->cachePerPermissions()->inheritCacheability($access); } // Check per entity permission. $permission = "translate {$entity_type_id}"; if ($definition->getPermissionGranularity() == 'bundle') { $permission = "translate {$bundle} {$entity_type_id}"; } return AccessResult::allowedIfHasPermission($account, $permission)->inheritCacheability($access); } // No opinion. return AccessResult::neutral(); }
/** * Checks that there is a forward revision available. * * This checker assumes the presence of an '_entity_access' requirement key * in the same form as used by EntityAccessCheck. * * @see EntityAccessCheck. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parametrized route * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, RouteMatchInterface $route_match) { // This tab should not show up period unless there's a reason to show it. // @todo Do we need any extra cache tags here? $entity = $this->loadEntity($route, $route_match); return $this->moderationInfo->hasForwardRevision($entity) ? AccessResult::allowed()->addCacheableDependency($entity) : AccessResult::forbidden()->addCacheableDependency($entity); }
/** * {@inheritdoc} */ public function defaultAccess($operation = 'view', AccountInterface $account = NULL) { if ($operation == 'view') { return AccessResult::allowed(); } return AccessResult::allowedIfHasPermissions($account, ['create url aliases', 'administer url aliases'], 'OR')->cachePerPermissions(); }
/** * {@inheritdoc} */ public function setUp() { parent::setUp(); $cache_contexts_manager = $this->prophesize(CacheContextsManager::class); $cache_contexts_manager->assertValidTokens()->willReturn(TRUE); $cache_contexts_manager->reveal(); $container = new Container(); $container->set('cache_contexts_manager', $cache_contexts_manager); \Drupal::setContainer($container); $this->viewer = $this->getMock('\\Drupal\\Core\\Session\\AccountInterface'); $this->viewer->expects($this->any())->method('hasPermission')->will($this->returnValue(FALSE)); $this->viewer->expects($this->any())->method('id')->will($this->returnValue(1)); $this->owner = $this->getMock('\\Drupal\\Core\\Session\\AccountInterface'); $this->owner->expects($this->any())->method('hasPermission')->will($this->returnValueMap(array(array('administer users', FALSE), array('change own username', TRUE)))); $this->owner->expects($this->any())->method('id')->will($this->returnValue(2)); $this->admin = $this->getMock('\\Drupal\\Core\\Session\\AccountInterface'); $this->admin->expects($this->any())->method('hasPermission')->will($this->returnValue(TRUE)); $entity_type = $this->getMock('Drupal\\Core\\Entity\\EntityTypeInterface'); $this->accessControlHandler = new UserAccessControlHandler($entity_type); $module_handler = $this->getMock('Drupal\\Core\\Extension\\ModuleHandlerInterface'); $module_handler->expects($this->any())->method('getImplementations')->will($this->returnValue(array())); $this->accessControlHandler->setModuleHandler($module_handler); $this->items = $this->getMockBuilder('Drupal\\Core\\Field\\FieldItemList')->disableOriginalConstructor()->getMock(); $this->items->expects($this->any())->method('defaultAccess')->will($this->returnValue(AccessResult::allowed())); }
/** * Checks configuration permission. * * @param AccountInterface $account * (optional) The user for which to check access, or NULL to check access * for the current user. Defaults to NULL. * @param bool $return_as_object * (optional) Defaults to FALSE. * * @return bool|\Drupal\Core\Access\AccessResultInterface * The access result. Returns a boolean if $return_as_object is FALSE (this * is the default) and otherwise an AccessResultInterface object. * When a boolean is returned, the result of AccessInterface::isAllowed() is * returned, i.e. TRUE means access is explicitly allowed, FALSE means * access is either explicitly forbidden or "no opinion". */ public function checkConfigurationAccess(AccountInterface $account = NULL, $return_as_object = FALSE) { if (!$account) { $account = \Drupal::currentUser(); } // We treat these as our "super-user" accesses. We let the reaction // rule and component permissions control the main admin UI. $admin_perms = ['administer rules', 'bypass rules access']; $access = FALSE; foreach ($admin_perms as $perm) { if ($account->hasPermission($perm)) { $access = TRUE; break; } } if (!$access) { // See if the plugin has a configuration_access annotation. $definition = $this->getPluginDefinition(); if (!empty($definition['configure_permissions']) && is_array($definition['configure_permissions'])) { foreach ($definition['configure_permissions'] as $perm) { if ($account->hasPermission($perm)) { $access = TRUE; break; } } } } if ($return_as_object) { return $access ? AccessResult::allowed() : AccessResult::neutral(); } return $access; }
/** * Provides test data for testAccess. * * @return array */ public function providerTestAccess() { $no_access = AccessResult::neutral()->cachePerPermissions(); $access = AccessResult::allowed()->cachePerPermissions(); $no_access_due_to_errors = AccessResult::neutral(); return array(array('', 'entity_test', $no_access, $no_access), array('', 'entity_test', $access, $access), array('test_entity', 'entity_test:test_entity', $access, $access), array('test_entity', 'entity_test:test_entity', $no_access, $no_access), array('test_entity', 'entity_test:{bundle_argument}', $access, $access), array('test_entity', 'entity_test:{bundle_argument}', $no_access, $no_access), array('', 'entity_test:{bundle_argument}', $no_access, $no_access_due_to_errors), array('', 'entity_test:{bundle_argument}', $access, $no_access_due_to_errors)); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account) { /** @var \Drupal\filter\FilterFormatInterface $filter_format */ // All users are allowed to use the fallback filter. if ($operation == 'use') { if ($filter_format->isFallbackFormat()) { return AccessResult::allowed(); } else { return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName()); } } // The fallback format may not be disabled. if ($operation == 'disable' && $filter_format->isFallbackFormat()) { return AccessResult::forbidden(); } // We do not allow filter formats to be deleted through the UI, because that // would render any content that uses them unusable. if ($operation == 'delete') { return AccessResult::forbidden(); } if (in_array($operation, array('disable', 'update'))) { return parent::checkAccess($filter_format, $operation, $langcode, $account); } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($operation === 'view') { return AccessResult::allowed(); } return parent::checkAccess($entity, $operation, $account); }
/** * Limit access to the Library between 9:00 and 18:30. * * @param \Drupal\Core\Session\AccountInterface $account */ public function accessLibrary(AccountInterface $account) { if (time() >= strtotime('today 9:00') && time() <= strtotime('today 18:30')) { return AccessResult::allowed(); } return AccessResult::forbidden(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\crm_core_contact\Entity\ContactType $entity */ // First check permission. if (parent::checkAccess($entity, $operation, $account)->isForbidden()) { return AccessResult::forbidden(); } switch ($operation) { case 'enable': // Only disabled contact type can be enabled. return AccessResult::allowedIf(!$entity->status()); case 'disable': return AccessResult::allowedIf($entity->status()); case 'delete': // If contact instance of this contact type exist, you can't delete it. $results = \Drupal::entityQuery('crm_core_contact')->condition('type', $entity->id())->execute(); return AccessResult::allowedIf(empty($results)); // @todo Which is it? // @todo Which is it? case 'edit': case 'update': // If the contact type is locked, you can't edit it. return AccessResult::allowed(); } }
public function access(AccountInterface $account) { if (!$account->id() == 1) { return AccessResult::forbidden(); } return AccessResult::allowed(); }
/** * {@inheritdoc} */ public function access(Route $route, AccountInterface $account, NodeInterface $node = NULL) { if ($node->bundle() && \Drupal::config('webform.settings')->get('node_' . $node->bundle())) { return AccessResult::allowed(); } return AccessResult::forbidden(); }
/** * Grants access only to UID 1. * * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(AccountInterface $account) { if ($account->id() == 1) { return AccessResult::allowed()->addCacheContexts(['user']); } return AccessResult::forbidden()->addCacheContexts(['user']); }
/** * Checks translation access for the entity and operation on the given route. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parametrized route. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * @param string $source * (optional) For a create operation, the language code of the source. * @param string $target * (optional) For a create operation, the language code of the translation. * @param string $language * (optional) For an update or delete operation, the language code of the * translation being updated or deleted. * @param string $entity_type_id * (optional) The entity type ID. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account, $source = NULL, $target = NULL, $language = NULL, $entity_type_id = NULL) { /* @var \Drupal\Core\Entity\ContentEntityInterface $entity */ if ($entity = $route_match->getParameter($entity_type_id)) { if ($account->hasPermission('translate any entity')) { return AccessResult::allowed()->cachePerRole(); } $operation = $route->getRequirement('_access_content_translation_manage'); /* @var \Drupal\content_translation\ContentTranslationHandlerInterface $handler */ $handler = $this->entityManager->getHandler($entity->getEntityTypeId(), 'translation'); // Load translation. $translations = $entity->getTranslationLanguages(); $languages = $this->languageManager->getLanguages(); switch ($operation) { case 'create': $source_language = $this->languageManager->getLanguage($source) ?: $entity->language(); $target_language = $this->languageManager->getLanguage($target) ?: $this->languageManager->getCurrentLanguage(LanguageInterface::TYPE_CONTENT); $is_new_translation = $source_language->getId() != $target_language->getId() && isset($languages[$source_language->getId()]) && isset($languages[$target_language->getId()]) && !isset($translations[$target_language->getId()]); return AccessResult::allowedIf($is_new_translation)->cachePerRole()->cacheUntilEntityChanges($entity)->andIf($handler->getTranslationAccess($entity, $operation)); case 'update': case 'delete': $language = $this->languageManager->getLanguage($language) ?: $this->languageManager->getCurrentLanguage(LanguageInterface::TYPE_CONTENT); $has_translation = isset($languages[$language->getId()]) && $language->getId() != $entity->getUntranslated()->language()->getId() && isset($translations[$language->getId()]); return AccessResult::allowedIf($has_translation)->cachePerRole()->cacheUntilEntityChanges($entity)->andIf($handler->getTranslationAccess($entity, $operation)); } } // No opinion. return AccessResult::neutral(); }
/** * Tests the method for checking access to routes. * * @dataProvider providerTestAccess */ public function testAccess($entity_bundle, $requirement, $access, $expected, $expect_permission_context = TRUE) { // Set up the access result objects for allowing or denying access. $access_result = $access ? AccessResult::allowed()->cachePerPermissions() : AccessResult::neutral()->cachePerPermissions(); $expected_access_result = $expected ? AccessResult::allowed() : AccessResult::neutral(); if ($expect_permission_context) { $expected_access_result->cachePerPermissions(); } $entity_manager = $this->getMock('Drupal\\Core\\Entity\\EntityManagerInterface'); // Don't expect a call to the access control handler when we have a bundle // argument requirement but no bundle is provided. if ($entity_bundle || strpos($requirement, '{') === FALSE) { $access_control_handler = $this->getMock('Drupal\\Core\\Entity\\EntityAccessControlHandlerInterface'); $access_control_handler->expects($this->once())->method('createAccess')->with($entity_bundle)->will($this->returnValue($access_result)); $entity_manager->expects($this->any())->method('getAccessControlHandler')->will($this->returnValue($access_control_handler)); } $applies_check = new EntityCreateAccessCheck($entity_manager); $route = $this->getMockBuilder('Symfony\\Component\\Routing\\Route')->disableOriginalConstructor()->getMock(); $route->expects($this->any())->method('getRequirement')->with('_entity_create_access')->will($this->returnValue($requirement)); $raw_variables = new ParameterBag(); if ($entity_bundle) { $raw_variables->set('bundle_argument', $entity_bundle); } $route_match = $this->getMock('Drupal\\Core\\Routing\\RouteMatchInterface'); $route_match->expects($this->any())->method('getRawParameters')->will($this->returnValue($raw_variables)); $account = $this->getMock('Drupal\\Core\\Session\\AccountInterface'); $this->assertEquals($expected_access_result, $applies_check->access($route, $route_match, $account)); }
/** * {@inheritdoc} */ public function access(Route $route) { if (\Drupal::moduleHandler()->moduleExists('contextual') && \Drupal::moduleHandler()->moduleExists('field_ui')) { return AccessResult::allowed(); } else { return AccessResult::forbidden(); } }
/** * Check if the filter is used for the given filter. * * @param \Drupal\Core\Routing\RouteMatchInterface $route * The route. * * @return \Drupal\Core\Access\AccessResult * An access result. */ public function access(RouteMatchInterface $route) { $filter = $route->getParameter('filter_format'); if (!$filter || empty($filter->filters()->get('video_embed_wysiwyg')->getConfiguration()['status'])) { return AccessResult::forbidden()->addCacheableDependency($filter); } return AccessResult::allowed()->addCacheableDependency($filter); }
/** * {@inheritdoc} */ protected function blockAccess(AccountInterface $account) { $route_name = $this->routeMatch->getRouteName(); if ($account->isAnonymous() && !in_array($route_name, array('user.login', 'user.logout'))) { return AccessResult::allowed()->addCacheContexts(['route.name', 'user.roles:anonymous']); } return AccessResult::forbidden(); }
/** * {@inheritdoc} */ public function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { if ($operation == 'view') { return AccessResult::allowed(); } else { return parent::checkAccess($entity, $operation, $langcode, $account); } }
/** * Tests the access() method with a valid token. */ public function testAccessTokenPass() { $this->csrfToken->expects($this->once())->method('validate')->with('test_query', 'test-path/42')->will($this->returnValue(TRUE)); $this->routeMatch->expects($this->once())->method('getRawParameters')->will($this->returnValue(array('node' => 42))); $route = new Route('/test-path/{node}', array(), array('_csrf_token' => 'TRUE')); $request = Request::create('/test-path/42?token=test_query'); $this->assertEquals(AccessResult::allowed()->setCacheable(FALSE), $this->accessCheck->access($route, $request, $this->routeMatch)); }
/** * Provides test data for testAccess(). * * @see \Drupal\Tests\edit\Unit\quickedit\Access\EditEntityFieldAccessCheckTest::testAccess() */ public function providerTestAccess() { $data = array(); $data[] = array(TRUE, TRUE, AccessResult::allowed()); $data[] = array(FALSE, TRUE, AccessResult::neutral()); $data[] = array(TRUE, FALSE, AccessResult::neutral()); $data[] = array(FALSE, FALSE, AccessResult::neutral()); return $data; }
/** * Check to see if user accessed this page. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access() { if (!isset($_SESSION['menu_test'])) { $result = AccessResult::allowed(); } else { $result = AccessResult::allowedIf($_SESSION['menu_test'] < 2); } return $result->setCacheMaxAge(0); }
/** * Handles access to the solution add form through collection pages. * * @param \Drupal\rdf_entity\RdfInterface $rdf_entity * The RDF entity for which the solution is created. * * @return \Drupal\Core\Access\AccessResult * The access result object. */ public function createSolutionAccess(RdfInterface $rdf_entity) { $user = $this->currentUser(); if (empty($rdf_entity) && !$user->isAnonymous()) { return AccessResult::neutral(); } $membership = Og::getMembership($rdf_entity, $user); return !empty($membership) && $membership->hasPermission('create solution rdf_entity') ? AccessResult::allowed() : AccessResult::forbidden(); }
/** * Check to see if user has any permissions to masquerade. * * @param \Drupal\Core\Session\AccountInterface $account * Run access checks for this account. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(AccountInterface $account) { // Uid 1 may masquerade as anyone. if ($account->id() == 1) { return AccessResult::allowed()->cachePerUser(); } $permissions = $this->masquerade->getPermissions(); return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR'); }
/** * Access control for the subscription settings user page. * * The user is checked for both global permissions and permissions to edit * his own subscriptions. * * @param \Drupal\Core\Entity\EntityInterface $user * The user object from the route. * * @return \Drupal\Core\Access\AccessResult * An access result object carrying the result of the check. */ public function access(EntityInterface $user) { if ($this->currentUser->hasPermission('manage all subscriptions')) { return AccessResult::allowed(); } elseif (!$this->currentUser->isAnonymous() && $this->currentUser->id() == $user->id() && $this->currentUser->hasPermission('manage own subscriptions')) { return AccessResult::allowed(); } return AccessResult::forbidden(); }