Commit 4f8b8a50 authored by alexpott's avatar alexpott

Issue #1995048 by twistor, tim.plunkett, damiankloip, Berdir:...

Issue #1995048 by twistor, tim.plunkett, damiankloip, Berdir: EntityListController::getOperations() should respect access checks.
parent 46973e74
......@@ -25,15 +25,18 @@ public function load() {
}
/**
* Overrides \Drupal\Core\Entity\EntityListController::getOperations();
* {@inheritdoc}
*/
public function getOperations(EntityInterface $entity) {
$operations = parent::getOperations($entity);
$uri = $entity->uri();
// For configuration entities edit path is the MENU_DEFAULT_LOCAL_TASK and
// therefore should be accessed by the short route.
$operations['edit']['href'] = $uri['path'];
// Ensure the edit operation exists since it is access controlled.
if (isset($operations['edit'])) {
// For configuration entities edit path is the MENU_DEFAULT_LOCAL_TASK and
// therefore should be accessed by the short route.
$operations['edit']['href'] = $uri['path'];
}
if (isset($this->entityInfo['entity_keys']['status'])) {
if (!$entity->status()) {
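Review bot: The status-keyed branch beginning at `if (isset($this->entityInfo['entity_keys']['status']))` sits outside the new `isset($operations['edit'])` guard, so whatever it adds (presumably enable/disable links) is not subject to the `$entity->access('update')` filtering the parent now applies to 'edit'; the branch body runs past the end of the hunk, so this is inferred from the visible lines. If changing status counts as an update of the entity, wrapping that branch in `if ($entity->access('update')) {` keeps the listing consistent with the edit/delete filtering this commit introduces, otherwise a one-line comment explaining why those links are shown to everyone would help. `getOperations()` continues outside the hunk.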
......
......@@ -67,11 +67,11 @@ public function access(EntityInterface $entity, $operation, $langcode = Language
* @param \Drupal\Core\Entity\EntityInterface $entity
* The entity for which to check 'create' access.
* @param string $operation
* The entity operation. Usually one of 'view', 'edit', 'create' or
* The entity operation. Usually one of 'view', 'update', 'create' or
* 'delete'.
* @param string $langcode
* The language code for which to check access.
* @param \Drupal\Core\Session\AccountInterface; $account
* @param \Drupal\Core\Session\AccountInterface $account
* The user for which to check access.
*
* @return bool|null
......@@ -88,7 +88,7 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
* @param \Drupal\Core\Entity\EntityInterface $entity
* The entity for which to check 'create' access.
* @param string $operation
* The entity operation. Usually one of 'view', 'edit', 'create' or
* The entity operation. Usually one of 'view', 'update', 'create' or
* 'delete'.
* @param string $langcode
* The language code for which to check access.
......@@ -113,10 +113,12 @@ protected function getCache(EntityInterface $entity, $operation, $langcode, Acco
/**
* Statically caches whether the given user has access.
*
* @param bool $access
* TRUE if the user has access, FALSE otherwise.
* @param \Drupal\Core\Entity\EntityInterface $entity
* The entity for which to check 'create' access.
* @param string $operation
* The entity operation. Usually one of 'view', 'edit', 'create' or
* The entity operation. Usually one of 'view', 'update', 'create' or
* 'delete'.
* @param string $langcode
* The language code for which to check access.
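Review bot: All three touched docblocks still describe `$entity` as "The entity for which to check 'create' access" although `access()`, `checkAccess()` and the cache setter take the operation in `$operation`, so the 'create' wording reads like a copy-paste from the create-access method. Suggest `The entity for which to check access.` (or `The entity on which $operation is checked.`) in each of the three places while the operation list is being corrected anyway. The new `@param bool $access` line in the cache setter is fine as written.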
......
......@@ -91,22 +91,29 @@ public function load() {
}
/**
* Implements \Drupal\Core\Entity\EntityListControllerInterface::getOperations().
* {@inheritdoc}
*/
public function getOperations(EntityInterface $entity) {
$uri = $entity->uri();
$operations['edit'] = array(
'title' => t('Edit'),
'href' => $uri['path'] . '/edit',
'options' => $uri['options'],
'weight' => 10,
);
$operations['delete'] = array(
'title' => t('Delete'),
'href' => $uri['path'] . '/delete',
'options' => $uri['options'],
'weight' => 100,
);
$operations = array();
if ($entity->access('update')) {
$operations['edit'] = array(
'title' => t('Edit'),
'href' => $uri['path'] . '/edit',
'options' => $uri['options'],
'weight' => 10,
);
}
if ($entity->access('delete')) {
$operations['delete'] = array(
'title' => t('Delete'),
'href' => $uri['path'] . '/delete',
'options' => $uri['options'],
'weight' => 100,
);
}
return $operations;
}
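Review bot: The `$entity->access('update')` and `$entity->access('delete')` checks only decide which links are rendered; they are not what protects the pages behind `$uri['path'] . '/edit'` and `'/delete'`, so those routes still need their own access requirement (as the `_entity_access` lines in shortcut.routing.yml elsewhere in this commit do). A short comment above `$operations = array();` would stop the next maintainer from treating the listing as the enforcement point: `// Filtering here only tidies the UI; the target route must enforce access itself.` Both calls also fall back on `access()`'s default `$langcode` and `NULL` `$account`, which presumably resolves to the current user — the right thing for a listing, but worth one sentence in the docblock now that it is reduced to `{@inheritdoc}`.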
......
<?php
/**
* @file
* Contains \Drupal\action\ActionAccessController.
*/
namespace Drupal\action;
use Drupal\Core\Entity\EntityAccessController;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Language\Language;
use Drupal\Core\Session\AccountInterface;
class ActionAccessController extends EntityAccessController {
/**
* {@inheritdoc}
*/
public function access(EntityInterface $entity, $operation, $langcode = Language::LANGUAGE_DEFAULT, AccountInterface $account = NULL) {
return user_access('administer actions', $account);
}
}
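Review bot: `ActionAccessController` overrides `access()` itself rather than `checkAccess()`, so it skips whatever the base method wraps around the check; this page shows `EntityAccessController` statically caching results per entity, operation, langcode and account, and that cache (and any hook handling `access()` may do) is bypassed here. The other new controllers in this commit (`CustomBlockTypeAccessController`, `MenuAccessController`, `PictureMappingAccessController`) override `checkAccess()`, while `ConfigTestAccessController` and `ViewAccessController` take the same shortcut as this one. Unless bypassing the cache is intended, the body belongs in `protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) { return user_access('administer actions', $account); }`. If a `NULL` `$account` is meant to resolve to the current user inside `user_access()`, say so in a comment instead of relying on `{@inheritdoc}`.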
......@@ -109,9 +109,8 @@ public function buildHeader() {
* {@inheritdoc}
*/
public function getOperations(EntityInterface $entity) {
$operations = array();
if ($entity->isConfigurable()) {
$operations = parent::getOperations($entity);
$operations = $entity->isConfigurable() ? parent::getOperations($entity) : array();
if (isset($operations['edit'])) {
$operations['edit']['title'] = t('Configure');
}
return $operations;
......
<?php
/**
* @file
* Contains \Drupal\custom_block\CustomBlockTypeAccessController.
*/
namespace Drupal\custom_block;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityAccessController;
use Drupal\Core\Session\AccountInterface;
/**
* Defines the access controller for the custom block type entity type.
*/
class CustomBlockTypeAccessController extends EntityAccessController {
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
if ($operation === 'view') {
return TRUE;
}
elseif (in_array($operation, array('create', 'update', 'delete'))) {
return user_access('administer blocks', $account);
}
}
}
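Review bot: `checkAccess()` returns nothing for any operation other than 'view', 'create', 'update' or 'delete', so callers get an implicit `NULL`; the base class documents `@return bool|null`, so this may be the intended "no opinion" result, but it should be spelled out with an explicit `return NULL;` and a comment rather than falling off the end of the method. `in_array()` is also called without the strict flag — `elseif (in_array($operation, array('create', 'update', 'delete'), TRUE)) {` avoids loose comparison on a string that typically arrives from a route requirement. The same shape appears in `MenuAccessController::checkAccess()` and `PictureMappingAccessController::checkAccess()` further down in this commit.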
......@@ -16,7 +16,7 @@
class CustomBlockTypeListController extends ConfigEntityListController {
/**
* Overrides \Drupal\Core\Entity\EntityListController::getOperations().
* {@inheritdoc}
*/
public function getOperations(EntityInterface $entity) {
$operations = parent::getOperations($entity);
......
......@@ -22,6 +22,7 @@
* module = "custom_block",
* controllers = {
* "storage" = "Drupal\Core\Config\Entity\ConfigStorageController",
* "access" = "Drupal\custom_block\CustomBlockTypeAccessController",
* "form" = {
* "default" = "Drupal\custom_block\CustomBlockTypeFormController",
* "delete" = "Drupal\custom_block\Form\CustomBlockTypeDeleteForm"
......
<?php
/**
* @file
* Contains \Drupal\config_test\ConfigTestAccessController.
*/
namespace Drupal\config_test;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Entity\EntityAccessController;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Language\Language;
/**
* Defines the access controller for the config_test entity type.
*/
class ConfigTestAccessController extends EntityAccessController {
/**
* {@inheritdoc}
*/
public function access(EntityInterface $entity, $operation, $langcode = Language::LANGUAGE_DEFAULT, AccountInterface $account = NULL) {
return TRUE;
}
}
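Review bot: `access()` granting every operation to every account is acceptable for a test fixture, but nothing on the class says so and `{@inheritdoc}` inherits the real contract, so the class reads like a production controller with no checks. A one-line class docblock such as `Grants every operation unconditionally; config_test is a test entity type and this class must not be copied for real entity types.` makes the intent explicit.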
......@@ -25,7 +25,8 @@
* "form" = {
* "default" = "Drupal\config_test\ConfigTestFormController",
* "delete" = "Drupal\config_test\Form\ConfigTestDeleteForm"
* }
* },
* "access" = "Drupal\config_test\ConfigTestAccessController"
* },
* uri_callback = "config_test_uri",
* config_prefix = "config_test.dynamic",
......
......@@ -34,13 +34,6 @@ public function getOperations(EntityInterface $entity) {
'weight' => 12,
);
}
if (!$entity->access('delete')) {
unset($operations['delete']);
}
if (!$entity->access('update')) {
unset($operations['edit']);
}
return $operations;
}
......
<?php
/**
* @file
* Contains \Drupal\menu\MenuAccessController.
*/
namespace Drupal\menu;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityAccessController;
use Drupal\Core\Session\AccountInterface;
/**
* Defines the access controller for the menu entity type.
*/
class MenuAccessController extends EntityAccessController {
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
if ($operation === 'view') {
return TRUE;
}
elseif ($operation == 'delete') {
// System menus could not be deleted.
$system_menus = menu_list_system_menus();
if (isset($system_menus[$entity->id()])) {
return FALSE;
}
}
if (in_array($operation, array('create', 'update', 'delete'))) {
return user_access('administer menu', $account);
}
}
}
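Review bot: `elseif ($operation == 'delete')` uses loose comparison while the line above it uses `$operation === 'view'`; make both strict, `elseif ($operation === 'delete') {`, and likewise `$operation === 'view'` in `ViewAccessController::access()` later in this commit. The system-menu denial is correctly placed before the `user_access('administer menu', $account)` check, so an administrator cannot delete one either; the comment could state that and fix its wording: `// System menus cannot be deleted, regardless of permissions.`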
......@@ -41,27 +41,24 @@ public function buildRow(EntityInterface $entity) {
}
/**
* Overrides \Drupal\Core\Entity\EntityListController::getOperations();
* {@inheritdoc}
*/
public function getOperations(EntityInterface $entity) {
$operations = parent::getOperations($entity);
$uri = $entity->uri();
$operations['edit']['title'] = t('Edit menu');
if (isset($operations['edit'])) {
$operations['edit']['title'] = t('Edit menu');
}
if (isset($operations['delete'])) {
$operations['delete']['title'] = t('Delete menu');
}
$operations['add'] = array(
'title' => t('Add link'),
'href' => $uri['path'] . '/add',
'options' => $uri['options'],
'weight' => 20,
);
// System menus could not be deleted.
$system_menus = menu_list_system_menus();
if (isset($system_menus[$entity->id()])) {
unset($operations['delete']);
}
else {
$operations['delete']['title'] = t('Delete menu');
}
return $operations;
}
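Review bot: `$operations['add']` is added unconditionally, directly after the new `isset()` guards that honour the access controller for 'edit' and 'delete'; adding a link to a menu is presumably an update of that menu (the new `MenuAccessController` grants 'update' only with 'administer menu'), so a user who no longer sees the edit link still sees 'Add link'. If that permission is the right one, wrap it: `if ($entity->access('update')) { $operations['add'] = array(...); }`, otherwise a comment stating why the link is public would help. The same pattern recurs for `$operations['list']` in the shortcut-set and vocabulary list controllers and for `$operations['clone']` in `ViewListController` later in this commit; each deserves either a guard or a comment.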
......
......@@ -146,6 +146,7 @@ function menu_menu() {
*/
function menu_entity_info(&$entity_info) {
$entity_info['menu']['controllers']['list'] = 'Drupal\menu\MenuListController';
$entity_info['menu']['controllers']['access'] = 'Drupal\menu\MenuAccessController';
$entity_info['menu']['uri_callback'] = 'menu_uri';
$entity_info['menu']['controllers']['form'] = array(
'default' => 'Drupal\menu\MenuFormController',
......
<?php
/**
* @file
* Contains \Drupal\picture\PictureMappingAccessController.
*/
namespace Drupal\picture;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityAccessController;
use Drupal\Core\Session\AccountInterface;
/**
* Defines the access controller for the picture mapping entity type.
*/
class PictureMappingAccessController extends EntityAccessController {
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
if ($operation === 'view') {
return TRUE;
}
elseif (in_array($operation, array('create', 'update', 'delete'))) {
return user_access('administer pictures', $account);
}
}
}
......@@ -32,7 +32,7 @@ public function hookMenu() {
}
/**
* Overrides Drupal\config\ConfigEntityListController::getOperations();
* {@inheritdoc}
*/
public function getOperations(EntityInterface $entity) {
$operations = parent::getOperations($entity);
......
......@@ -21,6 +21,7 @@
* module = "picture",
* controllers = {
* "storage" = "Drupal\Core\Config\Entity\ConfigStorageController",
* "access" = "Drupal\picture\PictureMappingAccessController",
* "list" = "Drupal\picture\PictureMappingListController",
* "form" = {
* "edit" = "Drupal\picture\PictureMappingFormController",
......
......@@ -21,7 +21,7 @@ class ShortcutAccessController extends EntityAccessController {
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
switch ($operation) {
case 'edit':
case 'update':
if (user_access('administer shortcuts', $account)) {
return TRUE;
}
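Review bot: Any caller still passing the old 'edit' operation now misses `case 'update':` and falls through to whatever the rest of the switch does, which lies outside the hunk; the two routes in shortcut.routing.yml are updated in this commit, but a remaining `access('edit', ...)` call site elsewhere would silently get the fallthrough result instead of the 'administer shortcuts' check. Worth a search for remaining `'shortcut.edit'` and `'edit'` operation strings before merging, plus a comment on the case: `// 'update' is the canonical entity operation; routes use _entity_access: 'shortcut.update'.` `checkAccess()` continues outside the hunk.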
......
......@@ -24,22 +24,21 @@ public function buildHeader() {
}
/**
* Overrides \Drupal\Core\Entity\EntityListController::getOperations().
* {@inheritdoc}
*/
public function getOperations(EntityInterface $entity) {
$operations = parent::getOperations($entity);
$uri = $entity->uri();
$operations['edit']['title'] = t('Edit menu');
$operations['edit']['href'] = $uri['path'] . '/edit';
if (isset($operations['edit'])) {
$operations['edit']['title'] = t('Edit menu');
$operations['edit']['href'] = $uri['path'] . '/edit';
}
$operations['list'] = array(
'title' => t('List links'),
'href' => $uri['path'],
);
if (!$entity->access('delete')) {
unset($operations['delete']);
}
return $operations;
}
......
......@@ -24,11 +24,11 @@ shortcut_set_edit:
defaults:
_entity_form: 'shortcut.edit'
requirements:
_entity_access: 'shortcut.edit'
_entity_access: 'shortcut.update'
shortcut_link_add_inline:
pattern: '/admin/config/user-interface/shortcut/manage/{shortcut}/add-link-inline'
defaults:
_controller: 'Drupal\shortcut\Controller\ShortcutController::addShortcutLinkInline'
requirements:
_entity_access: 'shortcut.edit'
_entity_access: 'shortcut.update'
......@@ -23,7 +23,8 @@
* label = @Translation("Action"),
* module = "system",
* controllers = {
* "storage" = "Drupal\Core\Config\Entity\ConfigStorageController"
* "storage" = "Drupal\Core\Config\Entity\ConfigStorageController",
* "access" = "Drupal\action\ActionAccessController"
* },
* config_prefix = "action.action",
* entity_keys = {
......
......@@ -30,8 +30,10 @@ public function getOperations(EntityInterface $entity) {
$operations = parent::getOperations($entity);
$uri = $entity->uri();
$operations['edit']['title'] = t('edit vocabulary');
$operations['edit']['href'] = $uri['path'] . '/edit';
if (isset($operations['edit'])) {
$operations['edit']['title'] = t('edit vocabulary');
$operations['edit']['href'] = $uri['path'] . '/edit';
}
$operations['list'] = array(
'title' => t('list terms'),
......
......@@ -24,7 +24,8 @@
* label = @Translation("View"),
* module = "views",
* controllers = {
* "storage" = "Drupal\views\ViewStorageController"
* "storage" = "Drupal\views\ViewStorageController",
* "access" = "Drupal\views\ViewAccessController"
* },
* config_prefix = "views.view",
* entity_keys = {
......
<?php
/**
* @file
* Contains \Drupal\views\ViewAccessController.
*/
namespace Drupal\views;
use Drupal\Core\Entity\EntityAccessController;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Language\Language;
use Drupal\Core\Session\AccountInterface;
/**
* Defines the access controller for the view entity type.
*/
class ViewAccessController extends EntityAccessController {
/**
* {@inheritdoc}
*/
public function access(EntityInterface $entity, $operation, $langcode = Language::LANGUAGE_DEFAULT, AccountInterface $account = NULL) {
return $operation == 'view' || user_access('administer views', $account);
}
}
......@@ -133,13 +133,13 @@ public function buildHeader() {
}
/**
* Implements \Drupal\Core\Entity\EntityListController::getOperations().
* {@inheritdoc}
*/
public function getOperations(EntityInterface $view) {
$definition = parent::getOperations($view);
$uri = $view->uri();
public function getOperations(EntityInterface $entity) {
$operations = parent::getOperations($entity);
$uri = $entity->uri();
$definition['clone'] = array(
$operations['clone'] = array(
'title' => t('Clone'),
'href' => $uri['path'] . '/clone',
'options' => $uri['options'],
......@@ -148,12 +148,12 @@ public function getOperations(EntityInterface $view) {
// Add AJAX functionality to enable/disable operations.
foreach (array('enable', 'disable') as $op) {
if (isset($definition[$op])) {
$definition[$op]['ajax'] = TRUE;
if (isset($operations[$op])) {
$operations[$op]['ajax'] = TRUE;
}
}
return $definition;
return $operations;
}
/**
......@@ -169,10 +169,6 @@ public function buildOperations(EntityInterface $entity) {
}
}
// Use the dropbutton #type.
unset($build['#theme']);
$build['#type'] = 'dropbutton';
return $build;
}
......