NodeAccessControlHandler.php 7.27 KB
Newer Older
1 2 3 4
<?php

/**
 * @file
5
 * Contains \Drupal\node\NodeAccessControlHandler.
6 7 8 9
 */

namespace Drupal\node;

10
use Drupal\Core\Access\AccessResult;
11
use Drupal\Core\Entity\EntityHandlerInterface;
12
use Drupal\Core\Entity\EntityTypeInterface;
13 14
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
15
use Drupal\Core\Language\LanguageInterface;
16
use Drupal\Core\Entity\EntityAccessControlHandler;
17
use Drupal\Core\Entity\EntityInterface;
18
use Drupal\Core\Session\AccountInterface;
19
use Symfony\Component\DependencyInjection\ContainerInterface;
20 21

/**
22 23 24
 * Defines the access control handler for the node entity type.
 *
 * @see \Drupal\node\Entity\Node
25
 */
26
class NodeAccessControlHandler extends EntityAccessControlHandler implements NodeAccessControlHandlerInterface, EntityHandlerInterface {
27 28 29 30

  /**
   * The node grant storage.
   *
31
   * @var \Drupal\node\NodeGrantDatabaseStorageInterface
32 33 34 35
   */
  protected $grantStorage;

  /**
36
   * Constructs a NodeAccessControlHandler object.
37
   *
38 39
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type definition.
40 41 42
   * @param \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage
   *   The node grant storage.
   */
43 44
  public function __construct(EntityTypeInterface $entity_type, NodeGrantDatabaseStorageInterface $grant_storage) {
    parent::__construct($entity_type);
45
    $this->grantStorage = $grant_storage;
46 47 48 49 50
  }

  /**
   * {@inheritdoc}
   */
51
  public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
52
    return new static(
53
      $entity_type,
54
      $container->get('node.grant_storage')
55 56 57
    );
  }

58 59

  /**
60
   * {@inheritdoc}
61
   */
62
  public function access(EntityInterface $entity, $operation, $langcode = LanguageInterface::LANGCODE_DEFAULT, AccountInterface $account = NULL, $return_as_object = FALSE) {
63 64 65
    $account = $this->prepareUser($account);

    if ($account->hasPermission('bypass node access')) {
66 67
      $result = AccessResult::allowed()->cachePerRole();
      return $return_as_object ? $result : $result->isAllowed();
68
    }
69
    if (!$account->hasPermission('access content')) {
70 71
      $result = AccessResult::forbidden()->cachePerRole();
      return $return_as_object ? $result : $result->isAllowed();
72
    }
73 74
    $result = parent::access($entity, $operation, $langcode, $account, TRUE)->cachePerRole();
    return $return_as_object ? $result : $result->isAllowed();
75
  }
76

77 78 79
  /**
   * {@inheritdoc}
   */
80
  public function createAccess($entity_bundle = NULL, AccountInterface $account = NULL, array $context = array(), $return_as_object = FALSE) {
81 82
    $account = $this->prepareUser($account);

83
    if ($account->hasPermission('bypass node access')) {
84 85
      $result = AccessResult::allowed()->cachePerRole();
      return $return_as_object ? $result : $result->isAllowed();
86
    }
87
    if (!$account->hasPermission('access content')) {
88 89
      $result = AccessResult::forbidden()->cachePerRole();
      return $return_as_object ? $result : $result->isAllowed();
90 91
    }

92 93
    $result = parent::createAccess($entity_bundle, $account, $context, TRUE)->cachePerRole();
    return $return_as_object ? $result : $result->isAllowed();
94 95
  }

96 97 98
  /**
   * {@inheritdoc}
   */
99
  protected function checkAccess(EntityInterface $node, $operation, $langcode, AccountInterface $account) {
100
    /** @var \Drupal\node\NodeInterface $node */
101 102
    /** @var \Drupal\node\NodeInterface $translation */
    $translation = $node->getTranslation($langcode);
103 104
    // Fetch information from the node object if possible.
    $status = $translation->isPublished();
105
    $uid = $translation->getOwnerId();
106 107

    // Check if authors can view their own unpublished nodes.
108 109
    if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) {
      return AccessResult::allowed()->cachePerRole()->cachePerUser()->cacheUntilEntityChanges($node);
110 111
    }

112
    // If no module specified either ALLOW or KILL, we fall back to the
113
    // node_access table.
114 115
    $grants = $this->grantStorage->access($node, $operation, $langcode, $account);
    if ($grants->isAllowed() || $grants->isForbidden()) {
116 117 118 119 120 121
      return $grants;
    }

    // If no modules implement hook_node_grants(), the default behavior is to
    // allow all users to view published nodes, so reflect that here.
    if ($operation === 'view') {
122
      return AccessResult::allowedIf($status)->cacheUntilEntityChanges($node);
123
    }
124 125 126

    // No opinion.
    return AccessResult::create();
127 128
  }

129 130 131 132
  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
133
    return AccessResult::allowedIf($account->hasPermission('create ' . $entity_bundle . ' content'))->cachePerRole();
134 135
  }

136 137 138 139
  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
140 141 142
    // Only users with the administer nodes permission can edit administrative
    // fields.
    $administrative_fields = array('uid', 'status', 'created', 'promote', 'sticky');
143
    if ($operation == 'edit' && in_array($field_definition->getName(), $administrative_fields)) {
144
      return AccessResult::allowedIfHasPermission($account, 'administer nodes');
145
    }
146 147 148

    // No user can change read only fields.
    $read_only_fields = array('changed', 'revision_timestamp', 'revision_uid');
149
    if ($operation == 'edit' && in_array($field_definition->getName(), $read_only_fields)) {
150
      return AccessResult::forbidden();
151
    }
152 153 154 155 156

    // Users have access to the revision_log field either if they have
    // administrative permissions or if the new revision option is enabled.
    if ($operation == 'edit' && $field_definition->getName() == 'revision_log') {
      if ($account->hasPermission('administer nodes')) {
157
        return AccessResult::allowed()->cachePerRole();
158
      }
159
      return AccessResult::allowedIf($items->getEntity()->type->entity->isNewRevision())->cachePerRole();
160
    }
161 162 163
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

164
  /**
165
   * {@inheritdoc}
166
   */
167 168 169 170 171 172 173
  public function acquireGrants(NodeInterface $node) {
    $grants = $this->moduleHandler->invokeAll('node_access_records', array($node));
    // Let modules alter the grants.
    $this->moduleHandler->alter('node_access_records', $grants, $node);
    // If no grants are set and the node is published, then use the default grant.
    if (empty($grants) && $node->isPublished()) {
      $grants[] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0);
174
    }
175 176
    return $grants;
  }
177

178 179 180 181 182 183 184
  /**
   * {@inheritdoc}
   */
  public function writeGrants(NodeInterface $node, $delete = TRUE) {
    $grants = $this->acquireGrants($node);
    $this->grantStorage->write($node, $grants, NULL, $delete);
  }
185

186 187 188 189 190 191
  /**
   * {@inheritdoc}
   */
  public function writeDefaultGrant() {
    $this->grantStorage->writeDefault();
  }
192

193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211
  /**
   * {@inheritdoc}
   */
  public function deleteGrants() {
    $this->grantStorage->delete();
  }

  /**
   * {@inheritdoc}
   */
  public function countGrants() {
    return $this->grantStorage->count();
  }

  /**
   * {@inheritdoc}
   */
  public function checkAllGrants(AccountInterface $account) {
    return $this->grantStorage->checkAll($account);
212 213 214
  }

}