NodeAccessControlHandler.php 6.89 KB
Newer Older
1 2 3 4
<?php

/**
 * @file
5
 * Contains \Drupal\node\NodeAccessControlHandler.
6 7 8 9
 */

namespace Drupal\node;

10
use Drupal\Core\Access\AccessResult;
11
use Drupal\Core\Entity\EntityHandlerInterface;
12
use Drupal\Core\Entity\EntityTypeInterface;
13 14
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
15
use Drupal\Core\Language\LanguageInterface;
16
use Drupal\Core\Entity\EntityAccessControlHandler;
17
use Drupal\Core\Entity\EntityInterface;
18
use Drupal\Core\Session\AccountInterface;
19
use Symfony\Component\DependencyInjection\ContainerInterface;
20 21

/**
22 23 24
 * Defines the access control handler for the node entity type.
 *
 * @see \Drupal\node\Entity\Node
25
 * @ingroup node_access
26
 */
27
class NodeAccessControlHandler extends EntityAccessControlHandler implements NodeAccessControlHandlerInterface, EntityHandlerInterface {
28 29 30 31

  /**
   * The node grant storage.
   *
32
   * @var \Drupal\node\NodeGrantDatabaseStorageInterface
33 34 35 36
   */
  protected $grantStorage;

  /**
37
   * Constructs a NodeAccessControlHandler object.
38
   *
39 40
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type definition.
41 42 43
   * @param \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage
   *   The node grant storage.
   */
44 45
  public function __construct(EntityTypeInterface $entity_type, NodeGrantDatabaseStorageInterface $grant_storage) {
    parent::__construct($entity_type);
46
    $this->grantStorage = $grant_storage;
47 48 49 50 51
  }

  /**
   * {@inheritdoc}
   */
52
  public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
53
    return new static(
54
      $entity_type,
55
      $container->get('node.grant_storage')
56 57 58
    );
  }

59 60

  /**
61
   * {@inheritdoc}
62
   */
63
  public function access(EntityInterface $entity, $operation, $langcode = LanguageInterface::LANGCODE_DEFAULT, AccountInterface $account = NULL, $return_as_object = FALSE) {
64 65 66
    $account = $this->prepareUser($account);

    if ($account->hasPermission('bypass node access')) {
67
      $result = AccessResult::allowed()->cachePerPermissions();
68
      return $return_as_object ? $result : $result->isAllowed();
69
    }
70
    if (!$account->hasPermission('access content')) {
71
      $result = AccessResult::forbidden()->cachePerPermissions();
72
      return $return_as_object ? $result : $result->isAllowed();
73
    }
74
    $result = parent::access($entity, $operation, $langcode, $account, TRUE)->cachePerPermissions();
75
    return $return_as_object ? $result : $result->isAllowed();
76
  }
77

78 79 80
  /**
   * {@inheritdoc}
   */
81
  public function createAccess($entity_bundle = NULL, AccountInterface $account = NULL, array $context = array(), $return_as_object = FALSE) {
82 83
    $account = $this->prepareUser($account);

84
    if ($account->hasPermission('bypass node access')) {
85
      $result = AccessResult::allowed()->cachePerPermissions();
86
      return $return_as_object ? $result : $result->isAllowed();
87
    }
88
    if (!$account->hasPermission('access content')) {
89
      $result = AccessResult::forbidden()->cachePerPermissions();
90
      return $return_as_object ? $result : $result->isAllowed();
91 92
    }

93
    $result = parent::createAccess($entity_bundle, $account, $context, TRUE)->cachePerPermissions();
94
    return $return_as_object ? $result : $result->isAllowed();
95 96
  }

97 98 99
  /**
   * {@inheritdoc}
   */
100
  protected function checkAccess(EntityInterface $node, $operation, $langcode, AccountInterface $account) {
101
    /** @var \Drupal\node\NodeInterface $node */
102 103
    /** @var \Drupal\node\NodeInterface $translation */
    $translation = $node->getTranslation($langcode);
104 105
    // Fetch information from the node object if possible.
    $status = $translation->isPublished();
106
    $uid = $translation->getOwnerId();
107 108

    // Check if authors can view their own unpublished nodes.
109
    if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) {
110
      return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($node);
111 112
    }

113 114
    // Evaluate node grants.
    return $this->grantStorage->access($node, $operation, $langcode, $account);
115 116
  }

117 118 119 120
  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
121
    return AccessResult::allowedIf($account->hasPermission('create ' . $entity_bundle . ' content'))->cachePerPermissions();
122 123
  }

124 125 126 127
  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
128 129 130
    // Only users with the administer nodes permission can edit administrative
    // fields.
    $administrative_fields = array('uid', 'status', 'created', 'promote', 'sticky');
131
    if ($operation == 'edit' && in_array($field_definition->getName(), $administrative_fields, TRUE)) {
132
      return AccessResult::allowedIfHasPermission($account, 'administer nodes');
133
    }
134 135

    // No user can change read only fields.
136
    $read_only_fields = array('revision_timestamp', 'revision_uid');
137
    if ($operation == 'edit' && in_array($field_definition->getName(), $read_only_fields, TRUE)) {
138
      return AccessResult::forbidden();
139
    }
140 141 142 143 144

    // Users have access to the revision_log field either if they have
    // administrative permissions or if the new revision option is enabled.
    if ($operation == 'edit' && $field_definition->getName() == 'revision_log') {
      if ($account->hasPermission('administer nodes')) {
145
        return AccessResult::allowed()->cachePerPermissions();
146
      }
147
      return AccessResult::allowedIf($items->getEntity()->type->entity->isNewRevision())->cachePerPermissions();
148
    }
149 150 151
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

152
  /**
153
   * {@inheritdoc}
154
   */
155 156 157 158 159 160 161
  public function acquireGrants(NodeInterface $node) {
    $grants = $this->moduleHandler->invokeAll('node_access_records', array($node));
    // Let modules alter the grants.
    $this->moduleHandler->alter('node_access_records', $grants, $node);
    // If no grants are set and the node is published, then use the default grant.
    if (empty($grants) && $node->isPublished()) {
      $grants[] = array('realm' => 'all', 'gid' => 0, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0);
162
    }
163 164
    return $grants;
  }
165

166 167 168 169 170 171 172
  /**
   * {@inheritdoc}
   */
  public function writeGrants(NodeInterface $node, $delete = TRUE) {
    $grants = $this->acquireGrants($node);
    $this->grantStorage->write($node, $grants, NULL, $delete);
  }
173

174 175 176 177 178 179
  /**
   * {@inheritdoc}
   */
  public function writeDefaultGrant() {
    $this->grantStorage->writeDefault();
  }
180

181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199
  /**
   * {@inheritdoc}
   */
  public function deleteGrants() {
    $this->grantStorage->delete();
  }

  /**
   * {@inheritdoc}
   */
  public function countGrants() {
    return $this->grantStorage->count();
  }

  /**
   * {@inheritdoc}
   */
  public function checkAllGrants(AccountInterface $account) {
    return $this->grantStorage->checkAll($account);
200 201 202
  }

}