diff --git a/core/modules/block_content/block_content.permissions.yml b/core/modules/block_content/block_content.permissions.yml
new file mode 100644
index 0000000000000000000000000000000000000000..18bcddd1993bd1ac3f2c31bf7ad102757972b590
--- /dev/null
+++ b/core/modules/block_content/block_content.permissions.yml
@@ -0,0 +1,2 @@
+permission_callbacks:
+ - \Drupal\block_content\BlockContentPermissions::blockTypePermissions
diff --git a/core/modules/block_content/src/BlockContentAccessControlHandler.php b/core/modules/block_content/src/BlockContentAccessControlHandler.php
index 5ea6cfce1f65508450b677a901a890907acc3197..1a6a31abd08e5d7a8cd0dbac49b4b7050926cfad 100644
--- a/core/modules/block_content/src/BlockContentAccessControlHandler.php
+++ b/core/modules/block_content/src/BlockContentAccessControlHandler.php
@@ -54,13 +54,22 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
+ // Allow view and update access to user with the 'edit any (type) block
+ // content' permission or the 'administer blocks' permission.
+ $edit_any_permission = 'edit any ' . $entity->bundle() . ' block content';
if ($operation === 'view') {
$access = AccessResult::allowedIf($entity->isPublished())
- ->orIf(AccessResult::allowedIfHasPermission($account, 'administer blocks'));
+ ->orIf(AccessResult::allowedIfHasPermission($account, 'administer blocks'))
+ ->orIf(AccessResult::allowedIfHasPermission($account, $edit_any_permission));
+ }
+ elseif ($operation === 'update') {
+ $access = AccessResult::allowedIfHasPermission($account, 'administer blocks')
+ ->orIf(AccessResult::allowedIfHasPermission($account, $edit_any_permission));
}
else {
$access = parent::checkAccess($entity, $operation, $account);
}
+
// Add the entity as a cacheable dependency because access will at least be
// determined by whether the block is reusable.
$access->addCacheableDependency($entity);
diff --git a/core/modules/block_content/src/BlockContentPermissions.php b/core/modules/block_content/src/BlockContentPermissions.php
new file mode 100644
index 0000000000000000000000000000000000000000..e6be17d0aad4a76e3b9849a932c326578c4e301d
--- /dev/null
+++ b/core/modules/block_content/src/BlockContentPermissions.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace Drupal\block_content;
+
+use Drupal\block_content\Entity\BlockContentType;
+use Drupal\Core\Entity\BundlePermissionHandlerTrait;
+use Drupal\Core\StringTranslation\StringTranslationTrait;
+
+/**
+ * Provide dynamic permissions for blocks of different types.
+ */
+class BlockContentPermissions {
+
+ use StringTranslationTrait;
+ use BundlePermissionHandlerTrait;
+
+ /**
+ * Build permissions for each block type.
+ *
+ * @return array
+ * The block type permissions.
+ */
+ public function blockTypePermissions() {
+ return $this->generatePermissions(BlockContentType::loadMultiple(), [$this, 'buildPermissions']);
+ }
+
+ /**
+ * Return all the permissions available for a custom block type.
+ *
+ * @param \Drupal\block_content\Entity\BlockContentType $type
+ * The block type.
+ *
+ * @return array
+ * Permissions available for the given block type.
+ */
+ protected function buildPermissions(BlockContentType $type) {
+ $type_id = $type->id();
+ $type_params = ['%type_name' => $type->label()];
+ return [
+ "edit any $type_id block content" => [
+ 'title' => $this->t('%type_name: Edit any block content', $type_params),
+ ],
+ ];
+ }
+
+}
diff --git a/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php b/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
index d8a1f9a53f5b15d7c374d8fdbfa5f0f2cf3bead6..62f63b5f7ad4777a9cfdfe8894492667923dedd2 100644
--- a/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
+++ b/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
@@ -61,7 +61,15 @@ protected function setUp(): void {
$this->installEntitySchema('user');
$this->installEntitySchema('block_content');
- // Create a block content type.
+ // Create a basic block content type.
+ $block_content_type = BlockContentType::create([
+ 'id' => 'basic',
+ 'label' => 'A basic block type',
+ 'description' => "Provides a block type that is basic.",
+ ]);
+ $block_content_type->save();
+
+ // Create a square block content type.
$block_content_type = BlockContentType::create([
'id' => 'square',
'label' => 'A square block type',
@@ -184,6 +192,22 @@ public function providerTestAccess() {
NULL,
'allowed',
],
+ 'view:unpublished:reusable:per-block-editor:basic' => [
+ 'view',
+ FALSE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
+ 'view:unpublished:reusable:per-block-editor:square' => [
+ 'view',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
'view:published:reusable:admin' => [
'view',
TRUE,
@@ -192,6 +216,22 @@ public function providerTestAccess() {
NULL,
'allowed',
],
+ 'view:published:reusable:per-block-editor:basic' => [
+ 'view',
+ TRUE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'allowed',
+ ],
+ 'view:published:reusable:per-block-editor:square' => [
+ 'view',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
'view:published:non_reusable' => [
'view',
TRUE,
@@ -291,8 +331,62 @@ public function providerTestAccess() {
'forbidden',
'forbidden',
],
+ $operation . ':unpublished:reusable:per-block-editor:basic' => [
+ $operation,
+ FALSE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
+ $operation . ':published:reusable:per-block-editor:basic' => [
+ $operation,
+ TRUE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
];
}
+
+ $cases += [
+ 'update:unpublished:reusable:per-block-editor:square' => [
+ 'update',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
+ 'update:published:reusable:per-block-editor:square' => [
+ 'update',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
+ ];
+
+ $cases += [
+ 'delete:unpublished:reusable:per-block-editor:square' => [
+ 'delete',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'neutral',
+ ],
+ 'delete:published:reusable:per-block-editor:square' => [
+ 'delete',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'neutral',
+ ],
+ ];
return $cases;
}
diff --git a/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php b/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php
new file mode 100644
index 0000000000000000000000000000000000000000..eba2cf4d1c1c25f24e0e096794ab6435517a4972
--- /dev/null
+++ b/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php
@@ -0,0 +1,86 @@
+<?php
+
+namespace Drupal\Tests\block_content\Kernel;
+
+use Drupal\KernelTests\KernelTestBase;
+use Drupal\block_content\Entity\BlockContentType;
+
+/**
+ * Tests the permissions of content blocks.
+ *
+ * @coversDefaultClass \Drupal\block_content\BlockContentPermissions
+ *
+ * @group block_content
+ */
+class BlockContentPermissionsTest extends KernelTestBase {
+
+ /**
+ * {@inheritdoc}
+ */
+ protected static $modules = [
+ 'block',
+ 'block_content',
+ 'block_content_test',
+ 'system',
+ 'user',
+ ];
+
+ /**
+ * The permission handler.
+ *
+ * @var \Drupal\user\PermissionHandlerInterface
+ */
+ protected $permissionHandler;
+
+ /**
+ * {@inheritdoc}
+ */
+ public function setUp(): void {
+ parent::setUp();
+ $this->installSchema('system', ['sequences']);
+ $this->installEntitySchema('user');
+ $this->installEntitySchema('block_content');
+
+ $this->permissionHandler = $this->container->get('user.permissions');
+ }
+
+ /**
+ * @covers ::blockTypePermissions
+ */
+ public function testDynamicPermissions() {
+ $permissions = $this->permissionHandler->getPermissions();
+ $this->assertArrayNotHasKey('edit any basic block content', $permissions, 'The per-block-type permission does not exist.');
+ $this->assertArrayNotHasKey('edit any square block content', $permissions, 'The per-block-type permission does not exist.');
+
+ // Create a basic block content type.
+ BlockContentType::create([
+ 'id' => 'basic',
+ 'label' => 'A basic block type',
+ 'description' => 'Provides a basic block type',
+ ])->save();
+
+ // Create a square block content type.
+ BlockContentType::create([
+ 'id' => 'square',
+ 'label' => 'A square block type',
+ 'description' => 'Provides a block type that is square',
+ ])->save();
+
+ $permissions = $this->permissionHandler->getPermissions();
+
+ // Assert the basic permission has been created.
+ $this->assertArrayHasKey('edit any basic block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ '<em class="placeholder">A basic block type</em>: Edit any block content',
+ $permissions['edit any basic block content']['title']->render()
+ );
+
+ // Assert the square permission has been created.
+ $this->assertArrayHasKey('edit any square block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ '<em class="placeholder">A square block type</em>: Edit any block content',
+ $permissions['edit any square block content']['title']->render()
+ );
+ }
+
+}
diff --git a/core/modules/user/tests/src/Functional/UserPermissionsTest.php b/core/modules/user/tests/src/Functional/UserPermissionsTest.php
index a52f654584971c24f0c1d6f252c125fa2dd7c086..1c5be8689d07fd6d5013ea0cff7cf70334de4ef8 100644
--- a/core/modules/user/tests/src/Functional/UserPermissionsTest.php
+++ b/core/modules/user/tests/src/Functional/UserPermissionsTest.php
@@ -256,16 +256,18 @@ public function testAccessModulePermission() {
public function testAccessBundlePermission() {
$this->drupalLogin($this->adminUser);
- \Drupal::service('module_installer')->install(['block_content', 'taxonomy']);
- $this->grantPermissions(Role::load($this->rid), ['administer blocks', 'administer taxonomy']);
+ \Drupal::service('module_installer')->install(['contact', 'taxonomy']);
+ $this->grantPermissions(Role::load($this->rid), ['administer contact forms', 'administer taxonomy']);
// Bundles that do not have permissions have no permissions pages.
$edit = [];
- $edit['label'] = 'Test block type';
- $edit['id'] = 'test_block_type';
- $this->drupalGet('admin/structure/block/block-content/types/add');
+ $edit['label'] = 'Test contact type';
+ $edit['id'] = 'test_contact_type';
+ $edit['recipients'] = 'webmaster@example.com';
+ $this->drupalGet('admin/structure/contact/add');
$this->submitForm($edit, 'Save');
- $this->drupalGet('admin/structure/block/block-content/manage/test_block_type/permissions');
+ $this->assertSession()->pageTextContains('Contact form ' . $edit['label'] . ' has been added.');
+ $this->drupalGet('admin/structure/contact/manage/test_contact_type/permissions');
$this->assertSession()->statusCodeEquals(403);
// Permissions can be changed using the bundle-specific pages.
@@ -290,7 +292,7 @@ public function testAccessBundlePermission() {
$this->drupalLogout();
$this->drupalGet('admin/structure/taxonomy/manage/test_vocabulary/overview/permissions');
$this->assertSession()->statusCodeEquals(403);
- $this->drupalGet('admin/structure/block/block-content/manage/test_block_type/permissions');
+ $this->drupalGet('admin/structure/contact/manage/test_contact_type/permissions');
$this->assertSession()->statusCodeEquals(403);
}