3 namespace Drupal\entity;
5 use Drupal\Core\Access\AccessResult;
6 use Drupal\Core\Entity\EntityAccessControlHandler as CoreEntityAccessControlHandler;
7 use Drupal\Core\Entity\EntityInterface;
8 use Drupal\Core\Entity\EntityPublishedInterface;
9 use Drupal\Core\Entity\EntityTypeInterface;
10 use Drupal\Core\Session\AccountInterface;
11 use Drupal\user\EntityOwnerInterface;
14 * Controls access based on the generic entity permissions.
16 * @see \Drupal\entity\UncacheableEntityPermissionProvider
18 class EntityAccessControlHandler extends CoreEntityAccessControlHandler {
23 public function __construct(EntityTypeInterface $entity_type) {
24 parent::__construct($entity_type);
26 if (!$entity_type->hasHandlerClass('permission_provider') || !is_a($entity_type->getHandlerClass('permission_provider'), EntityPermissionProvider::class, TRUE)) {
27 throw new \Exception("This entity access control handler requires the entity permissions provider: {EntityPermissionProvider::class}");
35 protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
36 $account = $this->prepareUser($account);
37 /** @var \Drupal\Core\Access\AccessResult $result */
38 $result = parent::checkAccess($entity, $operation, $account);
40 if ($result->isNeutral()) {
41 if ($entity instanceof EntityOwnerInterface) {
42 $result = $this->checkEntityOwnerPermissions($entity, $operation, $account);
45 $result = $this->checkEntityPermissions($entity, $operation, $account);
49 // Ensure that access is evaluated again when the entity changes.
50 return $result->addCacheableDependency($entity);
54 * Checks the entity operation and bundle permissions.
56 * @param \Drupal\Core\Entity\EntityInterface $entity
57 * The entity for which to check access.
58 * @param string $operation
59 * The entity operation. Usually one of 'view', 'view label', 'update' or
61 * @param \Drupal\Core\Session\AccountInterface $account
62 * The user for which to check access.
64 * @return \Drupal\Core\Access\AccessResultInterface
67 protected function checkEntityPermissions(EntityInterface $entity, $operation, AccountInterface $account) {
68 if ($operation === 'view') {
70 "view {$entity->getEntityTypeId()}"
75 "$operation {$entity->getEntityTypeId()}",
76 "$operation {$entity->bundle()} {$entity->getEntityTypeId()}",
79 return AccessResult::allowedIfHasPermissions($account, $permissions, 'OR');
83 * Checks the entity operation and bundle permissions, with owners.
85 * @param \Drupal\Core\Entity\EntityInterface $entity
86 * The entity for which to check access.
87 * @param string $operation
88 * The entity operation. Usually one of 'view', 'view label', 'update' or
90 * @param \Drupal\Core\Session\AccountInterface $account
91 * The user for which to check access.
93 * @return \Drupal\Core\Access\AccessResultInterface
96 protected function checkEntityOwnerPermissions(EntityInterface $entity, $operation, AccountInterface $account) {
97 if ($operation === 'view') {
98 if ($entity instanceof EntityPublishedInterface && !$entity->isPublished()) {
99 if (($account->id() == $entity->getOwnerId())) {
101 "view own unpublished {$entity->getEntityTypeId()}",
103 return AccessResult::allowedIfHasPermissions($account, $permissions)->cachePerUser();
105 return AccessResult::neutral()->cachePerUser();
108 return AccessResult::allowedIfHasPermissions($account, [
109 "view {$entity->getEntityTypeId()}",
114 if (($account->id() == $entity->getOwnerId())) {
115 $result = AccessResult::allowedIfHasPermissions($account, [
116 "$operation own {$entity->getEntityTypeId()}",
117 "$operation any {$entity->getEntityTypeId()}",
118 "$operation own {$entity->bundle()} {$entity->getEntityTypeId()}",
119 "$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
123 $result = AccessResult::allowedIfHasPermissions($account, [
124 "$operation any {$entity->getEntityTypeId()}",
125 "$operation any {$entity->bundle()} {$entity->getEntityTypeId()}",
135 protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
136 $result = parent::checkCreateAccess($account, $context, $entity_bundle);
137 if ($result->isNeutral()) {
139 'administer ' . $this->entityTypeId,
140 'create ' . $this->entityTypeId,
142 if ($entity_bundle) {
143 $permissions[] = 'create ' . $entity_bundle . ' ' . $this->entityTypeId;
146 $result = AccessResult::allowedIfHasPermissions($account, $permissions, 'OR');