NodeAccessControlHandler.php 6.65 KB
Newer Older
1 2 3 4
<?php

/**
 * @file
5
 * Contains \Drupal\node\NodeAccessControlHandler.
6 7 8 9
 */

namespace Drupal\node;

10
use Drupal\Core\Access\AccessResult;
11
use Drupal\Core\Entity\EntityHandlerInterface;
12
use Drupal\Core\Entity\EntityTypeInterface;
13 14
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
15
use Drupal\Core\Entity\EntityAccessControlHandler;
16
use Drupal\Core\Entity\EntityInterface;
17
use Drupal\Core\Session\AccountInterface;
18
use Symfony\Component\DependencyInjection\ContainerInterface;
19 20

/**
21 22 23
 * Defines the access control handler for the node entity type.
 *
 * @see \Drupal\node\Entity\Node
24
 * @ingroup node_access
25
 */
26
class NodeAccessControlHandler extends EntityAccessControlHandler implements NodeAccessControlHandlerInterface, EntityHandlerInterface {
27 28 29 30

  /**
   * The node grant storage.
   *
31
   * @var \Drupal\node\NodeGrantDatabaseStorageInterface
32 33 34 35
   */
  protected $grantStorage;

  /**
36
   * Constructs a NodeAccessControlHandler object.
37
   *
38 39
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type definition.
40 41 42
   * @param \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage
   *   The node grant storage.
   */
43 44
  public function __construct(EntityTypeInterface $entity_type, NodeGrantDatabaseStorageInterface $grant_storage) {
    parent::__construct($entity_type);
45
    $this->grantStorage = $grant_storage;
46 47 48 49 50
  }

  /**
   * {@inheritdoc}
   */
51
  public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
52
    return new static(
53
      $entity_type,
54
      $container->get('node.grant_storage')
55 56 57
    );
  }

58 59

  /**
60
   * {@inheritdoc}
61
   */
62
  public function access(EntityInterface $entity, $operation, AccountInterface $account = NULL, $return_as_object = FALSE) {
63 64 65
    $account = $this->prepareUser($account);

    if ($account->hasPermission('bypass node access')) {
66
      $result = AccessResult::allowed()->cachePerPermissions();
67
      return $return_as_object ? $result : $result->isAllowed();
68
    }
69
    if (!$account->hasPermission('access content')) {
70
      $result = AccessResult::forbidden()->cachePerPermissions();
71
      return $return_as_object ? $result : $result->isAllowed();
72
    }
73
    $result = parent::access($entity, $operation, $account, TRUE)->cachePerPermissions();
74
    return $return_as_object ? $result : $result->isAllowed();
75
  }
76

77 78 79
  /**
   * {@inheritdoc}
   */
80
  public function createAccess($entity_bundle = NULL, AccountInterface $account = NULL, array $context = array(), $return_as_object = FALSE) {
81 82
    $account = $this->prepareUser($account);

83
    if ($account->hasPermission('bypass node access')) {
84
      $result = AccessResult::allowed()->cachePerPermissions();
85
      return $return_as_object ? $result : $result->isAllowed();
86
    }
87
    if (!$account->hasPermission('access content')) {
88
      $result = AccessResult::forbidden()->cachePerPermissions();
89
      return $return_as_object ? $result : $result->isAllowed();
90 91
    }

92
    $result = parent::createAccess($entity_bundle, $account, $context, TRUE)->cachePerPermissions();
93
    return $return_as_object ? $result : $result->isAllowed();
94 95
  }

96 97 98
  /**
   * {@inheritdoc}
   */
99
  protected function checkAccess(EntityInterface $node, $operation, AccountInterface $account) {
100
    /** @var \Drupal\node\NodeInterface $node */
101

102
    // Fetch information from the node object if possible.
103 104
    $status = $node->isPublished();
    $uid = $node->getOwnerId();
105 106

    // Check if authors can view their own unpublished nodes.
107
    if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) {
108
      return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($node);
109 110
    }

111
    // Evaluate node grants.
112
    return $this->grantStorage->access($node, $operation, $account);
113 114
  }

115 116 117 118
  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
119
    return AccessResult::allowedIf($account->hasPermission('create ' . $entity_bundle . ' content'))->cachePerPermissions();
120 121
  }

122 123 124 125
  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
126 127 128
    // Only users with the administer nodes permission can edit administrative
    // fields.
    $administrative_fields = array('uid', 'status', 'created', 'promote', 'sticky');
129
    if ($operation == 'edit' && in_array($field_definition->getName(), $administrative_fields, TRUE)) {
130
      return AccessResult::allowedIfHasPermission($account, 'administer nodes');
131
    }
132 133

    // No user can change read only fields.
134
    $read_only_fields = array('revision_timestamp', 'revision_uid');
135
    if ($operation == 'edit' && in_array($field_definition->getName(), $read_only_fields, TRUE)) {
136
      return AccessResult::forbidden();
137
    }
138 139 140 141 142

    // Users have access to the revision_log field either if they have
    // administrative permissions or if the new revision option is enabled.
    if ($operation == 'edit' && $field_definition->getName() == 'revision_log') {
      if ($account->hasPermission('administer nodes')) {
143
        return AccessResult::allowed()->cachePerPermissions();
144
      }
145
      return AccessResult::allowedIf($items->getEntity()->type->entity->isNewRevision())->cachePerPermissions();
146
    }
147 148 149
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

150
  /**
151
   * {@inheritdoc}
152
   */
153 154 155 156 157 158 159
  public function acquireGrants(NodeInterface $node) {
    $grants = $this->moduleHandler->invokeAll('node_access_records', array($node));
    // Let modules alter the grants.
    $this->moduleHandler->alter('node_access_records', $grants, $node);
    // If no grants are set and the node is published, then use the default grant.
    if (empty($grants) && $node->isPublished()) {
      $grants[] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0);
160
    }
161 162
    return $grants;
  }
163

164 165 166 167 168 169 170
  /**
   * {@inheritdoc}
   */
  public function writeGrants(NodeInterface $node, $delete = TRUE) {
    $grants = $this->acquireGrants($node);
    $this->grantStorage->write($node, $grants, NULL, $delete);
  }
171

172 173 174 175 176 177
  /**
   * {@inheritdoc}
   */
  public function writeDefaultGrant() {
    $this->grantStorage->writeDefault();
  }
178

179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197
  /**
   * {@inheritdoc}
   */
  public function deleteGrants() {
    $this->grantStorage->delete();
  }

  /**
   * {@inheritdoc}
   */
  public function countGrants() {
    return $this->grantStorage->count();
  }

  /**
   * {@inheritdoc}
   */
  public function checkAllGrants(AccountInterface $account) {
    return $this->grantStorage->checkAll($account);
198 199 200
  }

}