NodeAccessControlHandler.php 6.87 KB
Newer Older
1 2 3 4
<?php

/**
 * @file
5
 * Contains \Drupal\node\NodeAccessControlHandler.
6 7 8 9
 */

namespace Drupal\node;

10
use Drupal\Core\Access\AccessResult;
11
use Drupal\Core\Entity\EntityHandlerInterface;
12
use Drupal\Core\Entity\EntityTypeInterface;
13 14
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
15
use Drupal\Core\Language\LanguageInterface;
16
use Drupal\Core\Entity\EntityAccessControlHandler;
17
use Drupal\Core\Entity\EntityInterface;
18
use Drupal\Core\Session\AccountInterface;
19
use Symfony\Component\DependencyInjection\ContainerInterface;
20 21

/**
22 23 24
 * Defines the access control handler for the node entity type.
 *
 * @see \Drupal\node\Entity\Node
25
 */
26
class NodeAccessControlHandler extends EntityAccessControlHandler implements NodeAccessControlHandlerInterface, EntityHandlerInterface {
27 28 29 30

  /**
   * The node grant storage.
   *
31
   * @var \Drupal\node\NodeGrantDatabaseStorageInterface
32 33 34 35
   */
  protected $grantStorage;

  /**
36
   * Constructs a NodeAccessControlHandler object.
37
   *
38 39
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type definition.
40 41 42
   * @param \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage
   *   The node grant storage.
   */
43 44
  public function __construct(EntityTypeInterface $entity_type, NodeGrantDatabaseStorageInterface $grant_storage) {
    parent::__construct($entity_type);
45
    $this->grantStorage = $grant_storage;
46 47 48 49 50
  }

  /**
   * {@inheritdoc}
   */
51
  public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
52
    return new static(
53
      $entity_type,
54
      $container->get('node.grant_storage')
55 56 57
    );
  }

58 59

  /**
60
   * {@inheritdoc}
61
   */
62
  public function access(EntityInterface $entity, $operation, $langcode = LanguageInterface::LANGCODE_DEFAULT, AccountInterface $account = NULL, $return_as_object = FALSE) {
63 64 65
    $account = $this->prepareUser($account);

    if ($account->hasPermission('bypass node access')) {
66
      $result = AccessResult::allowed()->cachePerPermissions();
67
      return $return_as_object ? $result : $result->isAllowed();
68
    }
69
    if (!$account->hasPermission('access content')) {
70
      $result = AccessResult::forbidden()->cachePerPermissions();
71
      return $return_as_object ? $result : $result->isAllowed();
72
    }
73
    $result = parent::access($entity, $operation, $langcode, $account, TRUE)->cachePerPermissions();
74
    return $return_as_object ? $result : $result->isAllowed();
75
  }
76

77 78 79
  /**
   * {@inheritdoc}
   */
80
  public function createAccess($entity_bundle = NULL, AccountInterface $account = NULL, array $context = array(), $return_as_object = FALSE) {
81 82
    $account = $this->prepareUser($account);

83
    if ($account->hasPermission('bypass node access')) {
84
      $result = AccessResult::allowed()->cachePerPermissions();
85
      return $return_as_object ? $result : $result->isAllowed();
86
    }
87
    if (!$account->hasPermission('access content')) {
88
      $result = AccessResult::forbidden()->cachePerPermissions();
89
      return $return_as_object ? $result : $result->isAllowed();
90 91
    }

92
    $result = parent::createAccess($entity_bundle, $account, $context, TRUE)->cachePerPermissions();
93
    return $return_as_object ? $result : $result->isAllowed();
94 95
  }

96 97 98
  /**
   * {@inheritdoc}
   */
99
  protected function checkAccess(EntityInterface $node, $operation, $langcode, AccountInterface $account) {
100
    /** @var \Drupal\node\NodeInterface $node */
101 102
    /** @var \Drupal\node\NodeInterface $translation */
    $translation = $node->getTranslation($langcode);
103 104
    // Fetch information from the node object if possible.
    $status = $translation->isPublished();
105
    $uid = $translation->getOwnerId();
106 107

    // Check if authors can view their own unpublished nodes.
108
    if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) {
109
      return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($node);
110 111
    }

112 113
    // Evaluate node grants.
    return $this->grantStorage->access($node, $operation, $langcode, $account);
114 115
  }

116 117 118 119
  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
120
    return AccessResult::allowedIf($account->hasPermission('create ' . $entity_bundle . ' content'))->cachePerPermissions();
121 122
  }

123 124 125 126
  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
127 128 129
    // Only users with the administer nodes permission can edit administrative
    // fields.
    $administrative_fields = array('uid', 'status', 'created', 'promote', 'sticky');
130
    if ($operation == 'edit' && in_array($field_definition->getName(), $administrative_fields, TRUE)) {
131
      return AccessResult::allowedIfHasPermission($account, 'administer nodes');
132
    }
133 134

    // No user can change read only fields.
135
    $read_only_fields = array('revision_timestamp', 'revision_uid');
136
    if ($operation == 'edit' && in_array($field_definition->getName(), $read_only_fields, TRUE)) {
137
      return AccessResult::forbidden();
138
    }
139 140 141 142 143

    // Users have access to the revision_log field either if they have
    // administrative permissions or if the new revision option is enabled.
    if ($operation == 'edit' && $field_definition->getName() == 'revision_log') {
      if ($account->hasPermission('administer nodes')) {
144
        return AccessResult::allowed()->cachePerPermissions();
145
      }
146
      return AccessResult::allowedIf($items->getEntity()->type->entity->isNewRevision())->cachePerPermissions();
147
    }
148 149 150
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

151
  /**
152
   * {@inheritdoc}
153
   */
154 155 156 157 158 159 160
  public function acquireGrants(NodeInterface $node) {
    $grants = $this->moduleHandler->invokeAll('node_access_records', array($node));
    // Let modules alter the grants.
    $this->moduleHandler->alter('node_access_records', $grants, $node);
    // If no grants are set and the node is published, then use the default grant.
    if (empty($grants) && $node->isPublished()) {
      $grants[] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0);
161
    }
162 163
    return $grants;
  }
164

165 166 167 168 169 170 171
  /**
   * {@inheritdoc}
   */
  public function writeGrants(NodeInterface $node, $delete = TRUE) {
    $grants = $this->acquireGrants($node);
    $this->grantStorage->write($node, $grants, NULL, $delete);
  }
172

173 174 175 176 177 178
  /**
   * {@inheritdoc}
   */
  public function writeDefaultGrant() {
    $this->grantStorage->writeDefault();
  }
179

180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198
  /**
   * {@inheritdoc}
   */
  public function deleteGrants() {
    $this->grantStorage->delete();
  }

  /**
   * {@inheritdoc}
   */
  public function countGrants() {
    return $this->grantStorage->count();
  }

  /**
   * {@inheritdoc}
   */
  public function checkAllGrants(AccountInterface $account) {
    return $this->grantStorage->checkAll($account);
199 200 201
  }

}