Version 1

[yaffs-website] / web / core / modules / rest / src / Plugin / rest / resource / EntityResourceAccessTrait.php

diff --git a/web/core/modules/rest/src/Plugin/rest/resource/EntityResourceAccessTrait.php b/web/core/modules/rest/src/Plugin/rest/resource/EntityResourceAccessTrait.php
new file mode 100644 (file)
index 0000000..7bf8e82
--- /dev/null
+++ b/web/core/modules/rest/src/Plugin/rest/resource/EntityResourceAccessTrait.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace Drupal\rest\Plugin\rest\resource;
+
+use Drupal\Core\Entity\EntityInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+/**
+ * @internal
+ * @todo Consider making public in https://www.drupal.org/node/2300677
+ */
+trait EntityResourceAccessTrait {
+
+  /**
+   * Performs edit access checks for fields.
+   *
+   * @param \Drupal\Core\Entity\EntityInterface $entity
+   *   The entity whose fields edit access should be checked for.
+   *
+   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+   *   Throws access denied when the user does not have permissions to edit a
+   *   field.
+   */
+  protected function checkEditFieldAccess(EntityInterface $entity) {
+    // Only check 'edit' permissions for fields that were actually submitted by
+    // the user. Field access makes no difference between 'create' and 'update',
+    // so the 'edit' operation is used here.
+    foreach ($entity->_restSubmittedFields as $key => $field_name) {
+      if (!$entity->get($field_name)->access('edit')) {
+        throw new AccessDeniedHttpException("Access denied on creating field '$field_name'.");
+      }
+    }
+  }
+
+}