Code Coverage for /Users/ericduran/Sites/drupal/drupal/core/modules/user/src/UserAccessControlHandler.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 2	CRAP	40.91% covered (danger)	40.91%	18 / 44
UserAccessControlHandler	0.00% covered (danger)	0.00%	0 / 1	0.00% covered (danger)	0.00%	0 / 2	303.40	40.91% covered (danger)	40.91%	18 / 44
checkAccess				0.00% covered (danger)	0.00%	0 / 1	110	0.00% covered (danger)	0.00%	0 / 15
checkFieldAccess				0.00% covered (danger)	0.00%	0 / 1	62.89	62.07% covered (warning)	62.07%	18 / 29

1	<?php
2
3	/**
4	* @file
5	* Contains \Drupal\user\UserAccessControlHandler.
6	*/
7
8	namespace Drupal\user;
9
10	use Drupal\Core\Access\AccessResult;
11	use Drupal\Core\Entity\EntityInterface;
12	use Drupal\Core\Entity\EntityAccessControlHandler;
13	use Drupal\Core\Field\FieldDefinitionInterface;
14	use Drupal\Core\Field\FieldItemListInterface;
15	use Drupal\Core\Session\AccountInterface;
16
17	/**
18	* Defines the access control handler for the user entity type.
19	*
20	* @see \Drupal\user\Entity\User
21	*/
22	class UserAccessControlHandler extends EntityAccessControlHandler {
23
24	/**
25	* {@inheritdoc}
26	*/
27	protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
28	/** @var \Drupal\user\UserInterface $entity*/
29
30	// The anonymous user's profile can neither be viewed, updated nor deleted.
31	if ($entity->isAnonymous()) {
32	return AccessResult::forbidden();
33	}
34
35	// Administrators can view/update/delete all user profiles.
36	if ($account->hasPermission('administer users')) {
37	return AccessResult::allowed()->cachePerPermissions();
38	}
39
40	switch ($operation) {
41	case 'view':
42	// Only allow view access if the account is active.
43	if ($account->hasPermission('access user profiles') && $entity->isActive()) {
44	return AccessResult::allowed()->cachePerPermissions()->cacheUntilEntityChanges($entity);
45	}
46	// Users can view own profiles at all times.
47	elseif ($account->id() == $entity->id()) {
48	return AccessResult::allowed()->cachePerUser();
49	}
50	break;
51
52	case 'update':
53	// Users can always edit their own account.
54	return AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser();
55
56	case 'delete':
57	// Users with 'cancel account' permission can cancel their own account.
58	return AccessResult::allowedIf($account->id() == $entity->id() && $account->hasPermission('cancel account'))->cachePerPermissions()->cachePerUser();
59	}
60
61	// No opinion.
62	return AccessResult::neutral();
63	}
64
65	/**
66	* {@inheritdoc}
67	*/
68	protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
69	// Fields that are not implicitly allowed to administrative users.
70	$explicit_check_fields = array(
71	'pass',
72	);
73
74	// Administrative users are allowed to edit and view all fields.
75	if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
76	return AccessResult::allowed()->cachePerPermissions();
77	}
78
79	// Flag to indicate if this user entity is the own user account.
80	$is_own_account = $items ? $items->getEntity()->id() == $account->id() : FALSE;
81	switch ($field_definition->getName()) {
82	case 'name':
83	// Allow view access to anyone with access to the entity. Anonymous
84	// users should be able to access the username field during the
85	// registration process, otherwise the username and email constraints
86	// are not checked.
87	if ($operation == 'view' \|\| ($items && $account->isAnonymous() && $items->getEntity()->isAnonymous())) {
88	return AccessResult::allowed()->cachePerPermissions();
89	}
90	// Allow edit access for the own user name if the permission is
91	// satisfied.
92	if ($is_own_account && $account->hasPermission('change own username')) {
93	return AccessResult::allowed()->cachePerPermissions()->cachePerUser();
94	}
95	else {
96	return AccessResult::forbidden();
97	}
98
99	case 'preferred_langcode':
100	case 'preferred_admin_langcode':
101	case 'timezone':
102	case 'mail':
103	// Allow view access to own mail address and other personalization
104	// settings.
105	if ($operation == 'view') {
106	return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::forbidden();
107	}
108	// Anyone that can edit the user can also edit this field.
109	return AccessResult::allowed()->cachePerPermissions();
110
111	case 'pass':
112	// Allow editing the password, but not viewing it.
113	return ($operation == 'edit') ? AccessResult::allowed() : AccessResult::forbidden();
114
115	case 'created':
116	// Allow viewing the created date, but not editing it.
117	return ($operation == 'view') ? AccessResult::allowed() : AccessResult::forbidden();
118
119	case 'roles':
120	case 'status':
121	case 'access':
122	case 'login':
123	case 'init':
124	return AccessResult::forbidden();
125	}
126
127	return parent::checkFieldAccess($operation, $field_definition, $account, $items);
128	}
129
130	}