/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': // There is no direct viewing of a menu link, but still for purposes of // content_translation we need a generic way to check access. return AccessResult::allowedIfHasPermission($account, 'administer menu'); case 'update': if (!$account->hasPermission('administer menu')) { return AccessResult::neutral()->cachePerPermissions(); } else { // If there is a URL, this is an external link so always accessible. $access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity); /** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */ // We allow access, but only if the link is accessible as well. if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) { $link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE); $access = $access->andIf($link_access); } return $access; } case 'delete': return AccessResult::allowedIf(!$entity->isNew() && $account->hasPermission('administer menu'))->cachePerPermissions()->addCacheableDependency($entity); } }
/** * Checks access to the translation overview for the entity and bundle. * * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parametrized route. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * @param string $entity_type_id * The entity type ID. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(RouteMatchInterface $route_match, AccountInterface $account, $entity_type_id) { /* @var \Drupal\Core\Entity\ContentEntityInterface $entity */ $entity = $route_match->getParameter($entity_type_id); if ($entity && $entity->isTranslatable()) { // Get entity base info. $bundle = $entity->bundle(); // Get entity access callback. $definition = $this->entityManager->getDefinition($entity_type_id); $translation = $definition->get('translation'); $access_callback = $translation['content_translation']['access_callback']; $access = call_user_func($access_callback, $entity); if ($access->isAllowed()) { return $access; } // Check "translate any entity" permission. if ($account->hasPermission('translate any entity')) { return AccessResult::allowed()->cachePerPermissions()->inheritCacheability($access); } // Check per entity permission. $permission = "translate {$entity_type_id}"; if ($definition->getPermissionGranularity() == 'bundle') { $permission = "translate {$bundle} {$entity_type_id}"; } return AccessResult::allowedIfHasPermission($account, $permission)->inheritCacheability($access); } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($entity->getOwnerId() == $account->id()) { return AccessResult::allowedIfHasPermission($account, $operation . ' own ' . $entity->bundle() . ' entity'); } return AccessResult::allowedIfHasPermission($account, $operation . ' any ' . $entity->bundle() . ' entity'); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\entityqueue\EntitySubqueueInterface $entity */ switch ($operation) { case 'view': return AccessResult::allowedIfHasPermission($account, 'access content'); break; case 'update': return AccessResult::allowedIfHasPermissions($account, ["update {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR'); break; case 'delete': $can_delete_subqueue = AccessResult::allowedIf(!$entity->getQueue()->getHandlerPlugin()->hasAutomatedSubqueues()); $access_result = AccessResult ::allowedIfHasPermissions($account, ["delete {$entity->bundle()} entityqueue", 'manipulate all entityqueues', 'administer entityqueue'], 'OR') ->andIf($can_delete_subqueue); return $access_result; break; default: // No opinion. return AccessResult::neutral(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($operation === 'view') { return AccessResult::allowedIfHasPermission($account, 'access content'); } return parent::checkAccess($entity, $operation, $account); }
/** * {@inheritdoc} * * Separate from the checkAccess because the entity does not yet exist, it * will be created during the 'add' process. */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { if ($entity_bundle) { return AccessResult::allowedIfHasPermission($account, 'create ' . $entity_bundle . ' rdf entity'); } return AccessResult::allowedIfHasPermission($account, 'add rdf entity'); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $filter_format, $operation, $langcode, AccountInterface $account) { /** @var \Drupal\filter\FilterFormatInterface $filter_format */ // All users are allowed to use the fallback filter. if ($operation == 'use') { if ($filter_format->isFallbackFormat()) { return AccessResult::allowed(); } else { return AccessResult::allowedIfHasPermission($account, $filter_format->getPermissionName()); } } // The fallback format may not be disabled. if ($operation == 'disable' && $filter_format->isFallbackFormat()) { return AccessResult::forbidden(); } // We do not allow filter formats to be deleted through the UI, because that // would render any content that uses them unusable. if ($operation == 'delete') { return AccessResult::forbidden(); } if (in_array($operation, array('disable', 'update'))) { return parent::checkAccess($filter_format, $operation, $langcode, $account); } // No opinion. return AccessResult::neutral(); }
/** * {@inheritdoc} */ public function access($node, AccountInterface $account = NULL, $return_as_object = FALSE) { if ($node->hasField('simplenews_issue') && $node->simplenews_issue->target_id != NULL) { return AccessResult::allowedIfHasPermission($account, 'administer newsletters')->orIf(AccessResult::allowedIfHasPermission($account, 'send newsletter')); } return AccessResult::neutral(); }
/** * {@inheritdoc} */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { $installed_translators = $this->translatorManager->getLabels(); if (empty($installed_translators)) { return AccessResult::forbidden(); } return AccessResult::allowedIfHasPermission($account, 'administer tmgmt'); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { $access = parent::checkAccess($entity, $operation, $account); if ($operation === 'view') { $access = $access->orIf(AccessResult::allowedIfHasPermission($account, 'access ' . $entity->getEntityTypeId())); } return $access; }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { switch ($operation) { case 'delete': return AccessResult::allowedIf($account->hasPermission('administer feeds') && !$entity->isLocked()); default: return AccessResult::allowedIfHasPermission($account, 'administer feeds'); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { $admin_access = parent::checkAccess($entity, $operation, $account); // Allow view with other permission. if ($operation === 'view') { return AccessResult::allowedIfHasPermission($account, 'view moderation states')->orIf($admin_access); } return $admin_access; }
/** * Access callback; check if the module is configured. * * This function does not actually check whether Mollom keys are valid for the * site, but just if the keys have been entered. * * @param $permission * An optional permission string to check with \Drupal::currentUser()->hasPermission(). * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ function access($permission = FALSE) { $configured = \Drupal::config('mollom.settings')->get('keys.public') && \Drupal::config('mollom.settings')->get('keys.private'); if ($configured && $permission) { return AccessResult::allowedIfHasPermission($permission, \Drupal::currentUser()); } else { return AccessResult::allowedIf($configured); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': case 'update': case 'delete': return AccessResult::allowedIfHasPermission($account, 'administer pdfs'); default: return AccessResult::neutral(); } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': return AccessResult::allowedIfHasPermission($account, 'access content'); break; default: return parent::checkAccess($entity, $operation, $account); break; } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { if ($operation == 'delete') { $field_storage_entity = $entity->getFieldStorageDefinition(); if ($field_storage_entity->isLocked()) { return AccessResult::forbidden()->cacheUntilEntityChanges($field_storage_entity); } else { return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->entity_type . ' fields')->cacheUntilEntityChanges($field_storage_entity); } } return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->entity_type . ' fields'); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { if ($operation == 'delete') { $field_storage_entity = $entity->getFieldStorageDefinition(); if ($field_storage_entity->isLocked()) { return AccessResult::forbidden()->addCacheableDependency($field_storage_entity); } else { return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->getTargetEntityTypeId() . ' fields')->addCacheableDependency($field_storage_entity); } } return AccessResult::allowedIfHasPermission($account, 'administer ' . $entity->getTargetEntityTypeId() . ' fields'); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': return AccessResult::allowedIfHasPermission($account, 'view scheduled update entities'); break; case 'delete': return parent::checkAccess($entity, $operation, $account)->cacheUntilEntityChanges($entity); break; default: return parent::checkAccess($entity, $operation, $account); break; } }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'create': case 'update': return AccessResult::allowedIfHasPermission($account, 'administer site configuration'); case 'delete': if ($entity->isLocked()) { return AccessResult::forbidden(); } return AccessResult::allowedIfHasPermission($account, 'administer site configuration'); } return parent::checkAccess($entity, $operation, $account); }
/** * {@inheritdoc} */ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) { if ($operation == 'edit') { // Only users with the "administer comments" permission can edit // administrative fields. $administrative_fields = array('uid', 'status', 'created', 'date'); if (in_array($field_definition->getName(), $administrative_fields, TRUE)) { return AccessResult::allowedIfHasPermission($account, 'administer comments'); } // No user can change read-only fields. $read_only_fields = array('hostname', 'uuid', 'cid', 'thread', 'comment_type', 'pid', 'entity_id', 'entity_type', 'field_name'); if (in_array($field_definition->getName(), $read_only_fields, TRUE)) { return AccessResult::forbidden(); } // If the field is configured to accept anonymous contact details - admins // can edit name, homepage and mail. Anonymous users can also fill in the // fields on comment creation. if (in_array($field_definition->getName(), ['name', 'mail', 'homepage'], TRUE)) { if (!$items) { // We cannot make a decision about access to edit these fields if we // don't have any items and therefore cannot determine the Comment // entity. In this case we err on the side of caution and prevent edit // access. return AccessResult::forbidden(); } /** @var \Drupal\comment\CommentInterface $entity */ $entity = $items->getEntity(); $commented_entity = $entity->getCommentedEntity(); $anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous'); $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments'); $anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && $anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT && $account->hasPermission('post comments'))->cachePerPermissions()->cacheUntilEntityChanges($entity)->cacheUntilEntityChanges($field_definition->getConfig($commented_entity->bundle()))->cacheUntilEntityChanges($commented_entity); return $admin_access->orIf($anonymous_access); } } if ($operation == 'view') { $entity = $items ? $items->getEntity() : NULL; // Admins can view any fields except hostname, other users need both the // "access comments" permission and for the comment to be published. The // mail field is hidden from non-admins. $admin_access = AccessResult::allowedIf($account->hasPermission('administer comments') && $field_definition->getName() != 'hostname')->cachePerPermissions(); $anonymous_access = AccessResult::allowedIf($account->hasPermission('access comments') && (!$entity || $entity->isPublished()) && !in_array($field_definition->getName(), array('mail', 'hostname'), TRUE))->cachePerPermissions(); if ($entity) { $anonymous_access->cacheUntilEntityChanges($entity); } return $admin_access->orIf($anonymous_access); } return parent::checkFieldAccess($operation, $field_definition, $account, $items); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': $url_string = $entity->context->value; $decoded_url = rawurldecode($url_string); return $this->accessHelper->canGeneratePdfFromUrlString($decoded_url, $account); case 'update': return AccessResult::forbidden(); case 'delete': return AccessResult::allowedIfHasPermission($account, 'administer pdfs'); } return AccessResult::allowed(); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { switch ($operation) { case 'view': return AccessResult::allowedIfHasPermission($account, 'access content'); case 'delete': if ($entity->isLocked()) { return AccessResult::forbidden()->addCacheableDependency($entity); } else { return parent::checkAccess($entity, $operation, $account)->addCacheableDependency($entity); } break; default: return parent::checkAccess($entity, $operation, $account); } }
/** * {@inheritdoc} */ protected function blockAccess(AccountInterface $account) { $access = AccessResult::allowedIfHasPermission($account, 'access content'); if ($account->hasPermission('access content')) { $daytop = $this->configuration['top_day_num']; if (!$daytop || !($result = statistics_title_list('daycount', $daytop)) || !($this->day_list = node_title_list($result, $this->t("Today's:")))) { return AccessResult::forbidden()->inheritCacheability($access); } $alltimetop = $this->configuration['top_all_num']; if (!$alltimetop || !($result = statistics_title_list('totalcount', $alltimetop)) || !($this->all_time_list = node_title_list($result, $this->t('All time:')))) { return AccessResult::forbidden()->inheritCacheability($access); } $lasttop = $this->configuration['top_last_num']; if (!$lasttop || !($result = statistics_title_list('timestamp', $lasttop)) || !($this->last_list = node_title_list($result, $this->t('Last viewed:')))) { return AccessResult::forbidden()->inheritCacheability($access); } return $access; } return AccessResult::forbidden()->inheritCacheability($access); }
/** * {@inheritdoc} */ public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE) { if ($operation === 'edit') { // Only users with administer comments permission can edit the comment // status field. $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'administer comments'); return $return_as_object ? $result : $result->isAllowed(); } if ($operation === 'view') { // Only users with either post comments or access comments permisison can // view the field value. The formatter, // Drupal\comment\Plugin\Field\FieldFormatter\CommentDefaultFormatter, // takes care of showing the thread and form based on individual // permissions, so if a user only has ‘post comments’ access, only the // form will be shown and not the comments. $result = AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'access comments')->orIf(AccessResult::allowedIfHasPermission($account ?: \Drupal::currentUser(), 'post comments')); return $return_as_object ? $result : $result->isAllowed(); } return parent::access($operation, $account, $return_as_object); }
/** * {@inheritdoc} */ protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { /** @var \Drupal\entity_test\Entity\EntityTest $entity */ // Always forbid access to entities with the label 'forbid_access', used for // \Drupal\system\Tests\Entity\EntityAccessHControlandlerTest::testDefaultEntityAccess(). if ($entity->label() == 'forbid_access') { return AccessResult::forbidden(); } if ($operation === 'view label' && $entity instanceof EntityTestLabel) { // Viewing the label of the 'entity_test_label' entity type is allowed. return AccessResult::allowed(); } elseif (in_array($operation, array('view', 'view label'))) { if (!$entity->isDefaultTranslation()) { return AccessResult::allowedIfHasPermission($account, 'view test entity translations'); } return AccessResult::allowedIfHasPermission($account, 'view test entity'); } elseif (in_array($operation, array('update', 'delete'))) { return AccessResult::allowedIfHasPermission($account, 'administer entity_test content'); } // No opinion. return AccessResult::neutral(); }
/** * Controls access to a support ticket. * * Modules may implement this hook if they want to have a say in whether or not * a given user has access to perform a given operation on a support ticket. * * Note that not all modules will want to influence access on all support ticket * types. If your module does not want to explicitly allow or forbid access, * return an AccessResultInterface object with neither isAllowed() nor * isForbidden() equaling TRUE. Blindly returning an object with isForbidden() * equaling TRUE will break other support ticket access modules. * * @param \Drupal\support_ticket\SupportTicketInterface|string $support_ticket * Either a support ticket entity or the machine name of the content type on * which to perform the access check. * @param string $op * The operation to be performed. Possible values: * - "create" * - "delete" * - "update" * - "view" * @param \Drupal\Core\Session\AccountInterface $account * The user object to perform the access check operation on. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. * * @ingroup support_ticket_access */ function hook_support_ticket_access(\Drupal\support_ticket\SupportTicketInterface $support_ticket, $op, \Drupal\Core\Session\AccountInterface $account) { $type = $support_ticket->bundle(); switch ($op) { case 'create': return AccessResult::allowedIfHasPermission($account, 'create ' . $type . ' ticket'); case 'update': if ($account->hasPermission('edit any ' . $type . ' ticket')) { return AccessResult::allowed()->cachePerPermissions(); } else { return AccessResult::allowedIf($account->hasPermission('edit own ' . $type . ' ticket') && $account->id() == $support_ticket->getOwnerId())->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($support_ticket); } case 'delete': if ($account->hasPermission('delete any ' . $type . ' ticket')) { return AccessResult::allowed()->cachePerPermissions(); } else { return AccessResult::allowedIf($account->hasPermission('delete own ' . $type . ' ticket') && $account->id() == $support_ticket->getOwnerId())->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($support_ticket); } default: // No opinion. return AccessResult::neutral(); } }
/** * Checks access to the form mode. * * @param \Symfony\Component\Routing\Route $route * The route to check against. * @param \Drupal\Core\Routing\RouteMatchInterface $route_match * The parametrized route. * @param \Drupal\Core\Session\AccountInterface $account * The currently logged in account. * @param string $form_mode_name * (optional) The form mode. Defaults to 'default'. * @param string $bundle * (optional) The bundle. Different entity types can have different names * for their bundle key, so if not specified on the route via a {bundle} * parameter, the access checker determines the appropriate key name, and * gets the value from the corresponding request attribute. For example, * for nodes, the bundle key is "node_type", so the value would be * available via the {node_type} parameter rather than a {bundle} * parameter. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account, $form_mode_name = 'default', $bundle = NULL) { $access = AccessResult::neutral(); if ($entity_type_id = $route->getDefault('entity_type_id')) { if (empty($bundle)) { $entity_type = $this->entityManager->getDefinition($entity_type_id); $bundle = $route_match->getRawParameter($entity_type->getBundleEntityType()); } $visibility = FALSE; if ($form_mode_name == 'default') { $visibility = TRUE; } elseif ($entity_display = $this->entityManager->getStorage('entity_form_display')->load($entity_type_id . '.' . $bundle . '.' . $form_mode_name)) { $visibility = $entity_display->status(); } if ($form_mode_name != 'default' && $entity_display) { $access->addCacheableDependency($entity_display); } if ($visibility) { $permission = $route->getRequirement('_field_ui_form_mode_access'); $access = $access->orIf(AccessResult::allowedIfHasPermission($account, $permission)); } } return $access; }
/** * Control access to fields. * * This hook is invoked from * \Drupal\Core\Entity\EntityAccessControlHandler::fieldAccess() to let modules * grant or deny operations on fields. * * @param string $operation * The operation to be performed. See * \Drupal\Core\Access\AccessibleInterface::access() for possible values. * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition * The field definition. * @param \Drupal\Core\Session\AccountInterface $account * The user account to check. * @param \Drupal\Core\Field\FieldItemListInterface $items * (optional) The entity field object on which the operation is to be * performed. * * @return \Drupal\Core\Access\AccessResultInterface * The access result. */ function hook_entity_field_access($operation, \Drupal\Core\Field\FieldDefinitionInterface $field_definition, \Drupal\Core\Session\AccountInterface $account, \Drupal\Core\Field\FieldItemListInterface $items = NULL) { if ($field_definition->getName() == 'field_of_interest' && $operation == 'edit') { return AccessResult::allowedIfHasPermission($account, 'update field of interest'); } return AccessResult::neutral(); }
/** * {@inheritdoc} */ public function access($operation = 'view', AccountInterface $account = NULL, $return_as_object = FALSE) { $result = AccessResult::allowedIfHasPermission($account, 'access content'); return $return_as_object ? $result : $result->isAllowed(); }
/** * {@inheritdoc} */ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { return AccessResult::allowedIfHasPermission($account, 'add log entities'); }