3 namespace Drupal\comment;
5 use Drupal\Core\Access\AccessResult;
6 use Drupal\Core\Entity\EntityAccessControlHandler;
7 use Drupal\Core\Entity\EntityInterface;
8 use Drupal\Core\Field\FieldDefinitionInterface;
9 use Drupal\Core\Field\FieldItemListInterface;
10 use Drupal\Core\Session\AccountInterface;
13 * Defines the access control handler for the comment entity type.
15 * @see \Drupal\comment\Entity\Comment
17 class CommentAccessControlHandler extends EntityAccessControlHandler {
22 protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
23 /** @var \Drupal\comment\CommentInterface|\Drupal\user\EntityOwnerInterface $entity */
25 $comment_admin = $account->hasPermission('administer comments');
26 if ($operation == 'approve') {
27 return AccessResult::allowedIf($comment_admin && !$entity->isPublished())
28 ->cachePerPermissions()
29 ->addCacheableDependency($entity);
33 $access = AccessResult::allowed()->cachePerPermissions();
34 return ($operation != 'view') ? $access : $access->andIf($entity->getCommentedEntity()->access($operation, $account, TRUE));
39 $access_result = AccessResult::allowedIf($account->hasPermission('access comments') && $entity->isPublished())->cachePerPermissions()->addCacheableDependency($entity)
40 ->andIf($entity->getCommentedEntity()->access($operation, $account, TRUE));
41 if (!$access_result->isAllowed()) {
42 $access_result->setReason("The 'access comments' permission is required and the comment must be published.");
45 return $access_result;
48 return AccessResult::allowedIf($account->id() && $account->id() == $entity->getOwnerId() && $entity->isPublished() && $account->hasPermission('edit own comments'))->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity);
52 return AccessResult::neutral()->cachePerPermissions();
59 protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
60 return AccessResult::allowedIfHasPermission($account, 'post comments');
66 protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
67 if ($operation == 'edit') {
68 // Only users with the "administer comments" permission can edit
69 // administrative fields.
70 $administrative_fields = [
76 if (in_array($field_definition->getName(), $administrative_fields, TRUE)) {
77 return AccessResult::allowedIfHasPermission($account, 'administer comments');
80 // No user can change read-only fields.
87 // These fields can be edited during comment creation.
88 $create_only_fields = [
96 if ($items && ($entity = $items->getEntity()) && $entity->isNew() && in_array($field_definition->getName(), $create_only_fields, TRUE)) {
97 // We are creating a new comment, user can edit create only fields.
98 return AccessResult::allowedIfHasPermission($account, 'post comments')->addCacheableDependency($entity);
100 // We are editing an existing comment - create only fields are now read
102 $read_only_fields = array_merge($read_only_fields, $create_only_fields);
103 if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
104 return AccessResult::forbidden();
107 // If the field is configured to accept anonymous contact details - admins
108 // can edit name, homepage and mail. Anonymous users can also fill in the
109 // fields on comment creation.
110 if (in_array($field_definition->getName(), ['name', 'mail', 'homepage'], TRUE)) {
112 // We cannot make a decision about access to edit these fields if we
113 // don't have any items and therefore cannot determine the Comment
114 // entity. In this case we err on the side of caution and prevent edit
116 return AccessResult::forbidden();
118 $is_name = $field_definition->getName() === 'name';
119 /** @var \Drupal\comment\CommentInterface $entity */
120 $entity = $items->getEntity();
121 $commented_entity = $entity->getCommentedEntity();
122 $anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous');
123 $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
124 $anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && ($anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account->hasPermission('post comments'))
125 ->cachePerPermissions()
126 ->addCacheableDependency($entity)
127 ->addCacheableDependency($field_definition->getConfig($commented_entity->bundle()))
128 ->addCacheableDependency($commented_entity);
129 return $admin_access->orIf($anonymous_access);
133 if ($operation == 'view') {
134 // Nobody has access to the hostname.
135 if ($field_definition->getName() == 'hostname') {
136 return AccessResult::forbidden();
138 // The mail field is hidden from non-admins.
139 if ($field_definition->getName() == 'mail') {
140 return AccessResult::allowedIfHasPermission($account, 'administer comments');
143 return parent::checkFieldAccess($operation, $field_definition, $account, $items);