// Check if the user has the proper permissions.
$access = AccessResult::allowedIfHasPermission($account, 'post comments');
+ // If commenting is open on the entity.
$status = $entity->{$field_name}->status;
$access = $access->andIf(AccessResult::allowedIf($status == CommentItemInterface::OPEN)
- ->addCacheableDependency($entity));
+ ->addCacheableDependency($entity))
+ // And if user has access to the host entity.
+ ->andIf(AccessResult::allowedIf($entity->access('view')));
// $pid indicates that this is a reply to a comment.
if ($pid) {
// Check if the user has the proper permissions.
$access = $access->andIf(AccessResult::allowedIfHasPermission($account, 'access comments'));
- /// Load the parent comment.
+ // Load the parent comment.
$comment = $this->entityManager()->getStorage('comment')->load($pid);
// Check if the parent comment is published and belongs to the entity.
$access = $access->andIf(AccessResult::allowedIf($comment && $comment->isPublished() && $comment->getCommentedEntityId() == $entity->id()));