Home Explore Help
Register Sign In
styupoln
/
test1
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Commits 3 Releases 0 Wiki

Drupal investigation

Branch: master
Branches Tags
test1
/
public
/
drupal
/
core
/
modules
/
user
/
src
/
UserAccessCo...

UserAccessControlHandler.php 5.1KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. <?php
    2. 

  2. 

  3. namespace Drupal\user;
    4. 

  4. 

  5. use Drupal\Core\Access\AccessResult;
    6. 

  6. use Drupal\Core\Access\AccessResultNeutral;
    7. 

  7. use Drupal\Core\Entity\EntityInterface;
    8. 

  8. use Drupal\Core\Entity\EntityAccessControlHandler;
    9. 

  9. use Drupal\Core\Field\FieldDefinitionInterface;
    10. 

  10. use Drupal\Core\Field\FieldItemListInterface;
    11. 

  11. use Drupal\Core\Session\AccountInterface;
    12. 

  12. 

  13. /**
    14. 

  14.  * Defines the access control handler for the user entity type.
    15. 

  15.  *
    16. 

  16.  * @see \Drupal\user\Entity\User
    17. 

  17.  */
    18. 

  18. class UserAccessControlHandler extends EntityAccessControlHandler {
    19. 

  19. 

  20.   /**
    21. 

  21.    * Allow access to user label.
    22. 

  22.    *
    23. 

  23.    * @var bool
    24. 

  24.    */
    25. 

  25.   protected $viewLabelOperation = TRUE;
    26. 

  26. 

  27.   /**
    28. 

  28.    * {@inheritdoc}
    29. 

  29.    */
    30. 

  30.   protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    31. 

  31.     /** @var \Drupal\user\UserInterface $entity*/
    32. 

  32. 

  33.     // We don't treat the user label as privileged information, so this check
    34. 

  34.     // has to be the first one in order to allow labels for all users to be
    35. 

  35.     // viewed, including the special anonymous user.
    36. 

  36.     if ($operation === 'view label') {
    37. 

  37.       return AccessResult::allowed();
    38. 

  38.     }
    39. 

  39. 

  40.     // The anonymous user's profile can neither be viewed, updated nor deleted.
    41. 

  41.     if ($entity->isAnonymous()) {
    42. 

  42.       return AccessResult::forbidden();
    43. 

  43.     }
    44. 

  44. 

  45.     // Administrators can view/update/delete all user profiles.
    46. 

  46.     if ($account->hasPermission('administer users')) {
    47. 

  47.       return AccessResult::allowed()->cachePerPermissions();
    48. 

  48.     }
    49. 

  49. 

  50.     switch ($operation) {
    51. 

  51.       case 'view':
    52. 

  52.         // Only allow view access if the account is active.
    53. 

  53.         if ($account->hasPermission('access user profiles') && $entity->isActive()) {
    54. 

  54.           return AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
    55. 

  55.         }
    56. 

  56.         // Users can view own profiles at all times.
    57. 

  57.         elseif ($account->id() == $entity->id()) {
    58. 

  58.           return AccessResult::allowed()->cachePerUser();
    59. 

  59.         }
    60. 

  60.         else {
    61. 

  61.           return AccessResultNeutral::neutral("The 'access user profiles' permission is required and the user must be active.");
    62. 

  62.         }
    63. 

  63.         break;
    64. 

  64. 

  65.       case 'update':
    66. 

  66.         // Users can always edit their own account.
    67. 

  67.         return AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser();
    68. 

  68. 

  69.       case 'delete':
    70. 

  70.         // Users with 'cancel account' permission can cancel their own account.
    71. 

  71.         return AccessResult::allowedIf($account->id() == $entity->id() && $account->hasPermission('cancel account'))->cachePerPermissions()->cachePerUser();
    72. 

  72.     }
    73. 

  73. 

  74.     // No opinion.
    75. 

  75.     return AccessResult::neutral();
    76. 

  76.   }
    77. 

  77. 

  78.   /**
    79. 

  79.    * {@inheritdoc}
    80. 

  80.    */
    81. 

  81.   protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    82. 

  82.     // Fields that are not implicitly allowed to administrative users.
    83. 

  83.     $explicit_check_fields = [
    84. 

  84.       'pass',
    85. 

  85.     ];
    86. 

  86. 

  87.     // Administrative users are allowed to edit and view all fields.
    88. 

  88.     if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
    89. 

  89.       return AccessResult::allowed()->cachePerPermissions();
    90. 

  90.     }
    91. 

  91. 

  92.     // Flag to indicate if this user entity is the own user account.
    93. 

  93.     $is_own_account = $items ? $items->getEntity()->id() == $account->id() : FALSE;
    94. 

  94.     switch ($field_definition->getName()) {
    95. 

  95.       case 'name':
    96. 

  96.         // Allow view access to anyone with access to the entity. Anonymous
    97. 

  97.         // users should be able to access the username field during the
    98. 

  98.         // registration process, otherwise the username and email constraints
    99. 

  99.         // are not checked.
    100. 

  100.         if ($operation == 'view' || ($items && $account->isAnonymous() && $items->getEntity()->isAnonymous())) {
    101. 

  101.           return AccessResult::allowed()->cachePerPermissions();
    102. 

  102.         }
    103. 

  103.         // Allow edit access for the own user name if the permission is
    104. 

  104.         // satisfied.
    105. 

  105.         if ($is_own_account && $account->hasPermission('change own username')) {
    106. 

  106.           return AccessResult::allowed()->cachePerPermissions()->cachePerUser();
    107. 

  107.         }
    108. 

  108.         else {
    109. 

  109.           return AccessResult::forbidden();
    110. 

  110.         }
    111. 

  111. 

  112.       case 'preferred_langcode':
    113. 

  113.       case 'preferred_admin_langcode':
    114. 

  114.       case 'timezone':
    115. 

  115.       case 'mail':
    116. 

  116.         // Allow view access to own mail address and other personalization
    117. 

  117.         // settings.
    118. 

  118.         if ($operation == 'view') {
    119. 

  119.           return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::forbidden();
    120. 

  120.         }
    121. 

  121.         // Anyone that can edit the user can also edit this field.
    122. 

  122.         return AccessResult::allowed()->cachePerPermissions();
    123. 

  123. 

  124.       case 'pass':
    125. 

  125.         // Allow editing the password, but not viewing it.
    126. 

  126.         return ($operation == 'edit') ? AccessResult::allowed() : AccessResult::forbidden();
    127. 

  127. 

  128.       case 'created':
    129. 

  129.         // Allow viewing the created date, but not editing it.
    130. 

  130.         return ($operation == 'view') ? AccessResult::allowed() : AccessResult::forbidden();
    131. 

  131. 

  132.       case 'roles':
    133. 

  133.       case 'status':
    134. 

  134.       case 'access':
    135. 

  135.       case 'login':
    136. 

  136.       case 'init':
    137. 

  137.         return AccessResult::forbidden();
    138. 

  138.     }
    139. 

  139. 

  140.     return parent::checkFieldAccess($operation, $field_definition, $account, $items);
    141. 

  141.   }
    142. 

  142. 

  143. }
    144. 

  144.