Commit 84c8b1e1 authored by catch's avatar catch
Browse files

Issue #2799049 by AaronBauman, jungle, hussainweb, Neograph734, a_mitch,...

Issue #2799049 by AaronBauman, jungle, hussainweb, Neograph734, a_mitch, anmolgoyal74, Hardik_Patel_12, geek-merlin, cilefen, eblue, fmueller_previon, Anas_maw, rensingh99, Abhijith S, yepa, Ruchi Joshi, Stephen Ollman, dww, alexpott, catch, benjifisher, Wim Leers: Add new permission to view user email field
parent 90f67d09
...@@ -412,6 +412,18 @@ public function testGetMailFieldOnlyVisibleToOwner() { ...@@ -412,6 +412,18 @@ public function testGetMailFieldOnlyVisibleToOwner() {
$this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']); $this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
$this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']); $this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
$this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']); $this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
// Now grant permission to access user mail and verify.
$this->grantPermissionsToTestedRole(['access user mail']);
// Viewing user A as user B: "mail" field should be accessible.
$response = $this->request('GET', $user_a_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertArrayHasKey('mail', $doc['data']['attributes']);
// Also when looking at the collection.
$response = $this->request('GET', $collection_url, $request_options);
$doc = Json::decode((string) $response->getBody());
$this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
$this->assertArrayHasKey('mail', $doc['data'][2]['attributes']);
} }
/** /**
......
...@@ -113,10 +113,15 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_ ...@@ -113,10 +113,15 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
return AccessResult::neutral(); return AccessResult::neutral();
} }
case 'mail':
// Only check for the access user mail permission and a view operation.
// Use case fall-through for all other cases.
if ($operation == 'view' && $account->hasPermission('access user mail')) {
return AccessResult::allowed()->cachePerPermissions();
}
case 'preferred_langcode': case 'preferred_langcode':
case 'preferred_admin_langcode': case 'preferred_admin_langcode':
case 'timezone': case 'timezone':
case 'mail':
// Allow view access to own mail address and other personalization // Allow view access to own mail address and other personalization
// settings. // settings.
if ($operation == 'view') { if ($operation == 'view') {
......
...@@ -32,6 +32,13 @@ class UserAccessControlHandlerTest extends UnitTestCase { ...@@ -32,6 +32,13 @@ class UserAccessControlHandlerTest extends UnitTestCase {
*/ */
protected $viewer; protected $viewer;
/**
* The mock user account with 'access user mail' permission.
*
* @var \Drupal\Core\Session\AccountInterface
*/
protected $emailViewer;
/** /**
* The mock user account that is able to change their own account name. * The mock user account that is able to change their own account name.
* *
...@@ -96,6 +103,18 @@ protected function setUp(): void { ...@@ -96,6 +103,18 @@ protected function setUp(): void {
->method('hasPermission') ->method('hasPermission')
->will($this->returnValue(TRUE)); ->will($this->returnValue(TRUE));
$this->emailViewer = $this->createMock('\Drupal\Core\Session\AccountInterface');
$this->emailViewer
->expects($this->any())
->method('hasPermission')
->will($this->returnValueMap([
['access user mail', TRUE],
]));
$this->emailViewer
->expects($this->any())
->method('id')
->will($this->returnValue(3));
$entity_type = $this->createMock('Drupal\Core\Entity\EntityTypeInterface'); $entity_type = $this->createMock('Drupal\Core\Entity\EntityTypeInterface');
$this->accessControlHandler = new UserAccessControlHandler($entity_type); $this->accessControlHandler = new UserAccessControlHandler($entity_type);
...@@ -240,6 +259,14 @@ public function hiddenUserSettingsProvider() { ...@@ -240,6 +259,14 @@ public function hiddenUserSettingsProvider() {
'view' => TRUE, 'view' => TRUE,
'edit' => TRUE, 'edit' => TRUE,
]; ];
$access_info[] = [
'field' => $field,
'viewer' => 'emailViewer',
'target' => 'owner',
'view' => $field === 'mail',
// See note above.
'edit' => TRUE,
];
} }
return $access_info; return $access_info;
......
...@@ -11,6 +11,9 @@ administer users: ...@@ -11,6 +11,9 @@ administer users:
restrict access: true restrict access: true
access user profiles: access user profiles:
title: 'View user information' title: 'View user information'
access user mail:
title: 'View user email addresses'
description: 'Users without this permission will not have access to email addresses on user pages or other places where they might be shown, such as Views and JSON:API responses.'
change own username: change own username:
title: 'Change own username' title: 'Change own username'
select account cancellation method: select account cancellation method:
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment