Code Coverage |
||||||||||
Classes and Traits |
Functions and Methods |
Lines |
||||||||
| Total | |
0.00% |
0 / 1 |
|
16.67% |
2 / 12 |
CRAP | |
35.29% |
24 / 68 |
| EntityAccessControlHandler | |
0.00% |
0 / 1 |
|
16.67% |
2 / 12 |
309.42 | |
35.29% |
24 / 68 |
| __construct | |
100.00% |
1 / 1 |
1 | |
100.00% |
3 / 3 |
|||
| access | |
0.00% |
0 / 1 |
30 | |
0.00% |
0 / 12 |
|||
| processAccessHookResults | |
0.00% |
0 / 1 |
3.33 | |
66.67% |
4 / 6 |
|||
| checkAccess | |
0.00% |
0 / 1 |
20 | |
0.00% |
0 / 5 |
|||
| getCache | |
0.00% |
0 / 1 |
6 | |
0.00% |
0 / 3 |
|||
| setCache | |
0.00% |
0 / 1 |
2 | |
0.00% |
0 / 1 |
|||
| resetCache | |
0.00% |
0 / 1 |
2 | |
0.00% |
0 / 2 |
|||
| createAccess | |
0.00% |
0 / 1 |
42 | |
0.00% |
0 / 14 |
|||
| checkCreateAccess | |
0.00% |
0 / 1 |
6 | |
0.00% |
0 / 3 |
|||
| prepareUser | |
0.00% |
0 / 1 |
2.15 | |
66.67% |
2 / 3 |
|||
| fieldAccess | |
0.00% |
0 / 1 |
4.00 | |
93.33% |
14 / 15 |
|||
| checkFieldAccess | |
100.00% |
1 / 1 |
1 | |
100.00% |
1 / 1 |
|||
| <?php | |
| /** | |
| * @file | |
| * Contains \Drupal\Core\Entity\EntityAccessControlHandler. | |
| */ | |
| namespace Drupal\Core\Entity; | |
| use Drupal\Core\Access\AccessResult; | |
| use Drupal\Core\Field\FieldItemListInterface; | |
| use Drupal\Core\Field\FieldDefinitionInterface; | |
| use Drupal\Core\Language\LanguageInterface; | |
| use Drupal\Core\Session\AccountInterface; | |
| /** | |
| * Defines a default implementation for entity access control handler. | |
| */ | |
| class EntityAccessControlHandler extends EntityHandlerBase implements EntityAccessControlHandlerInterface { | |
| /** | |
| * Stores calculated access check results. | |
| * | |
| * @var array | |
| */ | |
| protected $accessCache = array(); | |
| /** | |
| * The entity type ID of the access control handler instance. | |
| * | |
| * @var string | |
| */ | |
| protected $entityTypeId; | |
| /** | |
| * Information about the entity type. | |
| * | |
| * @var \Drupal\Core\Entity\EntityTypeInterface | |
| */ | |
| protected $entityType; | |
| /** | |
| * Constructs an access control handler instance. | |
| * | |
| * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type | |
| * The entity type definition. | |
| */ | |
| public function __construct(EntityTypeInterface $entity_type) { | |
| $this->entityTypeId = $entity_type->id(); | |
| $this->entityType = $entity_type; | |
| } | |
| /** | |
| * {@inheritdoc} | |
| */ | |
| public function access(EntityInterface $entity, $operation, AccountInterface $account = NULL, $return_as_object = FALSE) { | |
| $account = $this->prepareUser($account); | |
| $langcode = $entity->language()->getId(); | |
| if (($return = $this->getCache($entity->uuid(), $operation, $langcode, $account)) !== NULL) { | |
| // Cache hit, no work necessary. | |
| return $return_as_object ? $return : $return->isAllowed(); | |
| } | |
| // Invoke hook_entity_access() and hook_ENTITY_TYPE_access(). Hook results | |
| // take precedence over overridden implementations of | |
| // EntityAccessControlHandler::checkAccess(). Entities that have checks that | |
| // need to be done before the hook is invoked should do so by overriding | |
| // this method. | |
| // We grant access to the entity if both of these conditions are met: | |
| // - No modules say to deny access. | |
| // - At least one module says to grant access. | |
| $access = array_merge( | |
| $this->moduleHandler()->invokeAll('entity_access', [$entity, $operation, $account]), | |
| $this->moduleHandler()->invokeAll($entity->getEntityTypeId() . '_access', [$entity, $operation, $account]) | |
| ); | |
| $return = $this->processAccessHookResults($access); | |
| // Also execute the default access check except when the access result is | |
| // already forbidden, as in that case, it can not be anything else. | |
| if (!$return->isForbidden()) { | |
| $return = $return->orIf($this->checkAccess($entity, $operation, $account)); | |
| } | |
| $result = $this->setCache($return, $entity->uuid(), $operation, $langcode, $account); | |
| return $return_as_object ? $result : $result->isAllowed(); | |
| } | |
| /** | |
| * We grant access to the entity if both of these conditions are met: | |
| * - No modules say to deny access. | |
| * - At least one module says to grant access. | |
| * | |
| * @param \Drupal\Core\Access\AccessResultInterface[] $access | |
| * An array of access results of the fired access hook. | |
| * | |
| * @return \Drupal\Core\Access\AccessResultInterface | |
| * The combined result of the various access checks' results. All their | |
| * cacheability metadata is merged as well. | |
| * | |
| * @see \Drupal\Core\Access\AccessResultInterface::orIf() | |
| */ | |
| protected function processAccessHookResults(array $access) { | |
| // No results means no opinion. | |
| if (empty($access)) { | |
| return AccessResult::neutral(); | |
| } | |
| /** @var \Drupal\Core\Access\AccessResultInterface $result */ | |
| $result = array_shift($access); | |
| foreach ($access as $other) { | |
| $result = $result->orIf($other); | |
| } | |
| return $result; | |
| } | |
| /** | |
| * Performs access checks. | |
| * | |
| * This method is supposed to be overwritten by extending classes that | |
| * do their own custom access checking. | |
| * | |
| * @param \Drupal\Core\Entity\EntityInterface $entity | |
| * The entity for which to check access. | |
| * @param string $operation | |
| * The entity operation. Usually one of 'view', 'update' or 'delete'. | |
| * @param \Drupal\Core\Session\AccountInterface $account | |
| * The user for which to check access. | |
| * | |
| * @return \Drupal\Core\Access\AccessResultInterface | |
| * The access result. | |
| */ | |
| protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { | |
| if ($operation == 'delete' && $entity->isNew()) { | |
| return AccessResult::forbidden()->cacheUntilEntityChanges($entity); | |
| } | |
| if ($admin_permission = $this->entityType->getAdminPermission()) { | |
| return AccessResult::allowedIfHasPermission($account, $this->entityType->getAdminPermission()); | |
| } | |
| else { | |
| // No opinion. | |
| return AccessResult::neutral(); | |
| } | |
| } | |
| /** | |
| * Tries to retrieve a previously cached access value from the static cache. | |
| * | |
| * @param string $cid | |
| * Unique string identifier for the entity/operation, for example the | |
| * entity UUID or a custom string. | |
| * @param string $operation | |
| * The entity operation. Usually one of 'view', 'update', 'create' or | |
| * 'delete'. | |
| * @param string $langcode | |
| * The language code for which to check access. | |
| * @param \Drupal\Core\Session\AccountInterface $account | |
| * The user for which to check access. | |
| * | |
| * @return \Drupal\Core\Access\AccessResultInterface|null | |
| * The cached AccessResult, or NULL if there is no record for the given | |
| * user, operation, langcode and entity in the cache. | |
| */ | |
| protected function getCache($cid, $operation, $langcode, AccountInterface $account) { | |
| // Return from cache if a value has been set for it previously. | |
| if (isset($this->accessCache[$account->id()][$cid][$langcode][$operation])) { | |
| return $this->accessCache[$account->id()][$cid][$langcode][$operation]; | |
| } | |
| } | |
| /** | |
| * Statically caches whether the given user has access. | |
| * | |
| * @param \Drupal\Core\Access\AccessResultInterface $access | |
| * The access result. | |
| * @param string $cid | |
| * Unique string identifier for the entity/operation, for example the | |
| * entity UUID or a custom string. | |
| * @param string $operation | |
| * The entity operation. Usually one of 'view', 'update', 'create' or | |
| * 'delete'. | |
| * @param string $langcode | |
| * The language code for which to check access. | |
| * @param \Drupal\Core\Session\AccountInterface $account | |
| * The user for which to check access. | |
| * | |
| * @return \Drupal\Core\Access\AccessResultInterface | |
| * Whether the user has access, plus cacheability metadata. | |
| */ | |
| protected function setCache($access, $cid, $operation, $langcode, AccountInterface $account) { | |
| // Save the given value in the static cache and directly return it. | |
| return $this->accessCache[$account->id()][$cid][$langcode][$operation] = $access; | |
| } | |
| /** | |
| * {@inheritdoc} | |
| */ | |
| public function resetCache() { | |
| $this->accessCache = array(); | |
| } | |
| /** | |
| * {@inheritdoc} | |
| */ | |
| public function createAccess($entity_bundle = NULL, AccountInterface $account = NULL, array $context = array(), $return_as_object = FALSE) { | |
| $account = $this->prepareUser($account); | |
| $context += array( | |
| 'entity_type_id' => $this->entityTypeId, | |
| 'langcode' => LanguageInterface::LANGCODE_DEFAULT, | |
| ); | |
| $cid = $entity_bundle ? 'create:' . $entity_bundle : 'create'; | |
| if (($access = $this->getCache($cid, 'create', $context['langcode'], $account)) !== NULL) { | |
| // Cache hit, no work necessary. | |
| return $return_as_object ? $access : $access->isAllowed(); | |
| } | |
| // Invoke hook_entity_create_access() and hook_ENTITY_TYPE_create_access(). | |
| // Hook results take precedence over overridden implementations of | |
| // EntityAccessControlHandler::checkCreateAccess(). Entities that have | |
| // checks that need to be done before the hook is invoked should do so by | |
| // overriding this method. | |
| // We grant access to the entity if both of these conditions are met: | |
| // - No modules say to deny access. | |
| // - At least one module says to grant access. | |
| $access = array_merge( | |
| $this->moduleHandler()->invokeAll('entity_create_access', array($account, $context, $entity_bundle)), | |
| $this->moduleHandler()->invokeAll($this->entityTypeId . '_create_access', array($account, $context, $entity_bundle)) | |
| ); | |
| $return = $this->processAccessHookResults($access); | |
| // Also execute the default access check except when the access result is | |
| // already forbidden, as in that case, it can not be anything else. | |
| if (!$return->isForbidden()) { | |
| $return = $return->orIf($this->checkCreateAccess($account, $context, $entity_bundle)); | |
| } | |
| $result = $this->setCache($return, $cid, 'create', $context['langcode'], $account); | |
| return $return_as_object ? $result : $result->isAllowed(); | |
| } | |
| /** | |
| * Performs create access checks. | |
| * | |
| * This method is supposed to be overwritten by extending classes that | |
| * do their own custom access checking. | |
| * | |
| * @param \Drupal\Core\Session\AccountInterface $account | |
| * The user for which to check access. | |
| * @param array $context | |
| * An array of key-value pairs to pass additional context when needed. | |
| * @param string|null $entity_bundle | |
| * (optional) The bundle of the entity. Required if the entity supports | |
| * bundles, defaults to NULL otherwise. | |
| * | |
| * @return \Drupal\Core\Access\AccessResultInterface | |
| * The access result. | |
| */ | |
| protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { | |
| if ($admin_permission = $this->entityType->getAdminPermission()) { | |
| return AccessResult::allowedIfHasPermission($account, $admin_permission); | |
| } | |
| else { | |
| // No opinion. | |
| return AccessResult::neutral(); | |
| } | |
| } | |
| /** | |
| * Loads the current account object, if it does not exist yet. | |
| * | |
| * @param \Drupal\Core\Session\AccountInterface $account | |
| * The account interface instance. | |
| * | |
| * @return \Drupal\Core\Session\AccountInterface | |
| * Returns the current account object. | |
| */ | |
| protected function prepareUser(AccountInterface $account = NULL) { | |
| if (!$account) { | |
| $account = \Drupal::currentUser(); | |
| } | |
| return $account; | |
| } | |
| /** | |
| * {@inheritdoc} | |
| */ | |
| public function fieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account = NULL, FieldItemListInterface $items = NULL, $return_as_object = FALSE) { | |
| $account = $this->prepareUser($account); | |
| // Get the default access restriction that lives within this field. | |
| $default = $items ? $items->defaultAccess($operation, $account) : AccessResult::allowed(); | |
| // Get the default access restriction as specified by the access control | |
| // handler. | |
| $entity_default = $this->checkFieldAccess($operation, $field_definition, $account, $items); | |
| // Combine default access, denying access wins. | |
| $default = $default->andIf($entity_default); | |
| // Invoke hook and collect grants/denies for field access from other | |
| // modules. Our default access flag is masked under the ':default' key. | |
| $grants = array(':default' => $default); | |
| $hook_implementations = $this->moduleHandler()->getImplementations('entity_field_access'); | |
| foreach ($hook_implementations as $module) { | |
| $grants = array_merge($grants, array($module => $this->moduleHandler()->invoke($module, 'entity_field_access', array($operation, $field_definition, $account, $items)))); | |
| } | |
| // Also allow modules to alter the returned grants/denies. | |
| $context = array( | |
| 'operation' => $operation, | |
| 'field_definition' => $field_definition, | |
| 'items' => $items, | |
| 'account' => $account, | |
| ); | |
| $this->moduleHandler()->alter('entity_field_access', $grants, $context); | |
| $result = $this->processAccessHookResults($grants); | |
| return $return_as_object ? $result : $result->isAllowed(); | |
| } | |
| /** | |
| * Default field access as determined by this access control handler. | |
| * | |
| * @param string $operation | |
| * The operation access should be checked for. | |
| * Usually one of "view" or "edit". | |
| * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition | |
| * The field definition. | |
| * @param \Drupal\Core\Session\AccountInterface $account | |
| * The user session for which to check access. | |
| * @param \Drupal\Core\Field\FieldItemListInterface $items | |
| * (optional) The field values for which to check access, or NULL if access | |
| * is checked for the field definition, without any specific value | |
| * available. Defaults to NULL. | |
| * | |
| * @return bool | |
| * TRUE if access is allowed, FALSE otherwise. | |
| */ | |
| protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) { | |
| return AccessResult::allowed(); | |
| } | |
| } |