UserAccessControlHandler::checkFieldAccess

protected UserAccessControlHandler::checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL)

Default field access as determined by this access control handler.

Parameters

string $operation: The operation access should be checked for. Usually one of "view" or "edit".

\Drupal\Core\Field\FieldDefinitionInterface $field_definition: The field definition.

\Drupal\Core\Session\AccountInterface $account: The user session for which to check access.

\Drupal\Core\Field\FieldItemListInterface $items: (optional) The field values for which to check access, or NULL if access is checked for the field definition, without any specific value available. Defaults to NULL.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkFieldAccess

File

core/modules/user/src/UserAccessControlHandler.php, line 77

Class

UserAccessControlHandler: Defines the access control handler for the user entity type.

Namespace

Drupal\user

Code

protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Fields that are not implicitly allowed to administrative users.
  $explicit_check_fields = array(
    'pass',
  );

  // Administrative users are allowed to edit and view all fields.
  if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
    return AccessResult::allowed()->cachePerPermissions();
  }

  // Flag to indicate if this user entity is the own user account.
  $is_own_account = $items ? $items->getEntity()->id() == $account->id() : FALSE;
  switch ($field_definition->getName()) {
    case 'name':
      // Allow view access to anyone with access to the entity. Anonymous
      // users should be able to access the username field during the
      // registration process, otherwise the username and email constraints
      // are not checked.
      if ($operation == 'view' || ($items && $account->isAnonymous() && $items->getEntity()->isAnonymous())) {
        return AccessResult::allowed()->cachePerPermissions();
      }
      // Allow edit access for the own user name if the permission is
      // satisfied.
      if ($is_own_account && $account->hasPermission('change own username')) {
        return AccessResult::allowed()->cachePerPermissions()->cachePerUser();
      }
      else {
        return AccessResult::forbidden();
      }

    case 'preferred_langcode':
    case 'preferred_admin_langcode':
    case 'timezone':
    case 'mail':
      // Allow view access to own mail address and other personalization
      // settings.
      if ($operation == 'view') {
        return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::forbidden();
      }
      // Anyone that can edit the user can also edit this field.
      return AccessResult::allowed()->cachePerPermissions();

    case 'pass':
      // Allow editing the password, but not viewing it.
      return ($operation == 'edit') ? AccessResult::allowed() : AccessResult::forbidden();

    case 'created':
      // Allow viewing the created date, but not editing it.
      return ($operation == 'view') ? AccessResult::allowed() : AccessResult::forbidden();

    case 'roles':
    case 'status':
    case 'access':
    case 'login':
    case 'init':
      return AccessResult::forbidden();
  }

  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}

Links:

https://api.drupal.org/api/drupal/core%21modules%21user%21src%21UserAccessControlHandler.php/function/UserAccessControlHandler%3A%3AcheckFieldAccess/8.2.x

doc_Drupal

2016-10-29 09:52:12

Comments