NodeAccessControlHandler.php 6.93 KB
Newer Older
1 2 3 4
<?php

/**
 * @file
5
 * Contains \Drupal\node\NodeAccessControlHandler.
6 7 8 9
 */

namespace Drupal\node;

10
use Drupal\Core\Access\AccessResult;
11
use Drupal\Core\Entity\EntityHandlerInterface;
12
use Drupal\Core\Entity\EntityTypeInterface;
13 14
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
15
use Drupal\Core\Language\LanguageInterface;
16
use Drupal\Core\Entity\EntityAccessControlHandler;
17
use Drupal\Core\Entity\EntityInterface;
18
use Drupal\Core\Session\AccountInterface;
19
use Symfony\Component\DependencyInjection\ContainerInterface;
20 21

/**
22 23 24
 * Defines the access control handler for the node entity type.
 *
 * @see \Drupal\node\Entity\Node
25
 * @ingroup node_access
26
 */
27
class NodeAccessControlHandler extends EntityAccessControlHandler implements NodeAccessControlHandlerInterface, EntityHandlerInterface {
28 29 30 31

  /**
   * The node grant storage.
   *
32
   * @var \Drupal\node\NodeGrantDatabaseStorageInterface
33 34 35 36
   */
  protected $grantStorage;

  /**
37
   * Constructs a NodeAccessControlHandler object.
38
   *
39 40
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type definition.
41 42 43
   * @param \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage
   *   The node grant storage.
   */
44 45
  public function __construct(EntityTypeInterface $entity_type, NodeGrantDatabaseStorageInterface $grant_storage) {
    parent::__construct($entity_type);
46
    $this->grantStorage = $grant_storage;
47 48 49 50 51
  }

  /**
   * {@inheritdoc}
   */
52
  public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
53
    return new static(
54
      $entity_type,
55
      $container->get('node.grant_storage')
56 57 58
    );
  }

59 60

  /**
61
   * {@inheritdoc}
62
   */
63
  public function access(EntityInterface $entity, $operation, $langcode = LanguageInterface::LANGCODE_DEFAULT, AccountInterface $account = NULL, $return_as_object = FALSE) {
64 65 66
    $account = $this->prepareUser($account);

    if ($account->hasPermission('bypass node access')) {
67
      $result = AccessResult::allowed()->cachePerPermissions();
68
      return $return_as_object ? $result : $result->isAllowed();
69
    }
70
    if (!$account->hasPermission('access content')) {
71
      $result = AccessResult::forbidden()->cachePerPermissions();
72
      return $return_as_object ? $result : $result->isAllowed();
73
    }
74
    $result = parent::access($entity, $operation, $langcode, $account, TRUE)->cachePerPermissions();
75
    return $return_as_object ? $result : $result->isAllowed();
76
  }
77

78 79 80
  /**
   * {@inheritdoc}
   */
81
  public function createAccess($entity_bundle = NULL, AccountInterface $account = NULL, array $context = array(), $return_as_object = FALSE) {
82 83
    $account = $this->prepareUser($account);

84
    if ($account->hasPermission('bypass node access')) {
85
      $result = AccessResult::allowed()->cachePerPermissions();
86
      return $return_as_object ? $result : $result->isAllowed();
87
    }
88
    if (!$account->hasPermission('access content')) {
89
      $result = AccessResult::forbidden()->cachePerPermissions();
90
      return $return_as_object ? $result : $result->isAllowed();
91 92
    }

93
    $result = parent::createAccess($entity_bundle, $account, $context, TRUE)->cachePerPermissions();
94
    return $return_as_object ? $result : $result->isAllowed();
95 96
  }

97 98 99
  /**
   * {@inheritdoc}
   */
100
  protected function checkAccess(EntityInterface $node, $operation, $langcode, AccountInterface $account) {
101
    /** @var \Drupal\node\NodeInterface $node */
102
    /** @var \Drupal\node\NodeInterface $translation */
103 104
    $translation = $node->hasTranslation($langcode) ? $node->getTranslation($langcode) : $node;

105 106
    // Fetch information from the node object if possible.
    $status = $translation->isPublished();
107
    $uid = $translation->getOwnerId();
108 109

    // Check if authors can view their own unpublished nodes.
110
    if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) {
111
      return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($node);
112 113
    }

114 115
    // Evaluate node grants.
    return $this->grantStorage->access($node, $operation, $langcode, $account);
116 117
  }

118 119 120 121
  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
122
    return AccessResult::allowedIf($account->hasPermission('create ' . $entity_bundle . ' content'))->cachePerPermissions();
123 124
  }

125 126 127 128
  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
129 130 131
    // Only users with the administer nodes permission can edit administrative
    // fields.
    $administrative_fields = array('uid', 'status', 'created', 'promote', 'sticky');
132
    if ($operation == 'edit' && in_array($field_definition->getName(), $administrative_fields, TRUE)) {
133
      return AccessResult::allowedIfHasPermission($account, 'administer nodes');
134
    }
135 136

    // No user can change read only fields.
137
    $read_only_fields = array('revision_timestamp', 'revision_uid');
138
    if ($operation == 'edit' && in_array($field_definition->getName(), $read_only_fields, TRUE)) {
139
      return AccessResult::forbidden();
140
    }
141 142 143 144 145

    // Users have access to the revision_log field either if they have
    // administrative permissions or if the new revision option is enabled.
    if ($operation == 'edit' && $field_definition->getName() == 'revision_log') {
      if ($account->hasPermission('administer nodes')) {
146
        return AccessResult::allowed()->cachePerPermissions();
147
      }
148
      return AccessResult::allowedIf($items->getEntity()->type->entity->isNewRevision())->cachePerPermissions();
149
    }
150 151 152
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

153
  /**
154
   * {@inheritdoc}
155
   */
156 157 158 159 160 161 162
  public function acquireGrants(NodeInterface $node) {
    $grants = $this->moduleHandler->invokeAll('node_access_records', array($node));
    // Let modules alter the grants.
    $this->moduleHandler->alter('node_access_records', $grants, $node);
    // If no grants are set and the node is published, then use the default grant.
    if (empty($grants) && $node->isPublished()) {
      $grants[] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0);
163
    }
164 165
    return $grants;
  }
166

167 168 169 170 171 172 173
  /**
   * {@inheritdoc}
   */
  public function writeGrants(NodeInterface $node, $delete = TRUE) {
    $grants = $this->acquireGrants($node);
    $this->grantStorage->write($node, $grants, NULL, $delete);
  }
174

175 176 177 178 179 180
  /**
   * {@inheritdoc}
   */
  public function writeDefaultGrant() {
    $this->grantStorage->writeDefault();
  }
181

182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200
  /**
   * {@inheritdoc}
   */
  public function deleteGrants() {
    $this->grantStorage->delete();
  }

  /**
   * {@inheritdoc}
   */
  public function countGrants() {
    return $this->grantStorage->count();
  }

  /**
   * {@inheritdoc}
   */
  public function checkAllGrants(AccountInterface $account) {
    return $this->grantStorage->checkAll($account);
201 202 203
  }

}