Commit e7f061d5 authored by catch's avatar catch

Issue #2773645 by AdamPS, Xilis, yogeshmpawar, Wim Leers, Berdir: Allow...

Issue #2773645 by AdamPS, Xilis, yogeshmpawar, Wim Leers, Berdir: Allow hook_entity_field_access() to grant field-level access to User fields: 'forbidden' -> 'neutral'
parent 59833538
......@@ -106,7 +106,7 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
return AccessResult::allowed()->cachePerPermissions()->cachePerUser();
}
else {
return AccessResult::forbidden();
return AccessResult::neutral();
}
case 'preferred_langcode':
......@@ -116,7 +116,7 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
// Allow view access to own mail address and other personalization
// settings.
if ($operation == 'view') {
return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::forbidden();
return $is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::neutral();
}
// Anyone that can edit the user can also edit this field.
return AccessResult::allowed()->cachePerPermissions();
......@@ -127,14 +127,14 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
case 'created':
// Allow viewing the created date, but not editing it.
return ($operation == 'view') ? AccessResult::allowed() : AccessResult::forbidden();
return ($operation == 'view') ? AccessResult::allowed() : AccessResult::neutral();
case 'roles':
case 'status':
case 'access':
case 'login':
case 'init':
return AccessResult::forbidden();
return AccessResult::neutral();
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
......
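Review bot: The comment above the `created` case, `// Allow viewing the created date, but not editing it.`, is now misleading: with `AccessResult::neutral()` this handler no longer forbids editing, it only declines to grant it, so another module's hook_entity_field_access() can allow it. Suggest `// Allow viewing the created date; editing is not granted here, but another module may allow it via hook_entity_field_access().`, and a similar one-line comment on the `roles`/`status`/`access`/`login`/`init` group, which now returns neutral for account-control fields with no explanation of why it is neutral rather than forbidden. Separately, the neutral branch for `mail` on view, `$is_own_account ? AccessResult::allowed()->cachePerUser() : AccessResult::neutral()`, varies by the current user but declares no per-user cache context; if the combined field-access result is cached by the caller, `AccessResult::neutral()->cachePerUser()` is the safer form, which is worth confirming against how the caller merges cacheability. checkFieldAccess() begins and ends outside these hunks, and the case label for the first hunk is not visible.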
......@@ -6,6 +6,9 @@
*/
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\Entity\User;
/**
......@@ -22,3 +25,16 @@ function user_access_test_user_access(User $entity, $operation, $account) {
}
return AccessResult::neutral();
}
/**
* Implements hook_entity_field_access().
*/
function user_access_test_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
// Account with role sub-admin can view the status, init and mail fields for user with no roles.
if ($operation === 'view' && in_array($field_definition->getName(), ['status', 'init', 'mail'])) {
if (($items == NULL) || (count($items->getEntity()->getRoles()) == 1)) {
return AccessResult::allowedIfHasPermission($account, 'sub-admin');
}
}
return AccessResult::neutral();
}
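Review bot: The comparisons in the new `user_access_test_entity_field_access()` are loose: `in_array($field_definition->getName(), ['status', 'init', 'mail'])` has no strict flag and `$items == NULL` / `count(...) == 1` use `==`, while the `$operation` check on the same line already uses `===`. Suggest `if ($operation === 'view' && in_array($field_definition->getName(), ['status', 'init', 'mail'], TRUE)) {` and `if ($items === NULL || count($items->getEntity()->getRoles()) === 1) {`. The `count(...) == 1` condition presumably stands for "no roles beyond the implicit authenticated role", since the comment says "user with no roles"; saying so in the comment, e.g. `// getRoles() includes the authenticated role, so a count of one means no extra roles.`, would save the next reader a lookup, once confirmed against getRoles(). When `$items` is NULL the grant is made without knowing which user is involved, so the role restriction is skipped; if that is intended for this test module, a short comment stating it would help.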
<?php
namespace Drupal\Tests\user\Functional\Views;
/**
* Checks if user fields access permissions can be modified by other modules.
*
* @group user
*/
class UserFieldsAccessChangeTest extends UserTestBase {
/**
* Modules to enable.
*
* @var array
*/
public static $modules = ['user_access_test'];
/**
* Views used by this test.
*
* @var array
*/
public static $testViews = ['test_user_fields_access'];
/**
* Tests if another module can change field access.
*/
public function testUserFieldAccess() {
$path = 'test_user_fields_access';
$this->drupalGet($path);
// User has access to name and created date by default.
$this->assertText(t('Name'));
$this->assertText(t('Created'));
// User does not by default have access to init, mail and status.
$this->assertNoText(t('Init'));
$this->assertNoText(t('Email'));
$this->assertNoText(t('Status'));
// Assign sub-admin role to grant extra access.
$user = $this->drupalCreateUser(['sub-admin']);
$this->drupalLogin($user);
$this->drupalGet($path);
// Access for init, mail and status is added in hook_entity_field_access().
$this->assertText(t('Init'));
$this->assertText(t('Email'));
$this->assertText(t('Status'));
}
}
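Review bot: testUserFieldAccess() never exercises the restriction in the test hook that grants sub-admin view access only for users with a single role, so a regression that dropped that condition and exposed init, mail and status for every listed user would still pass. Creating a user with an additional role before the second `drupalGet($path)` and asserting with `assertNoText` that its mail or init value is absent would close the gap; which values the view prints depends on the `test_user_fields_access` view config, which is not on this page. The assertions are also page-wide substring matches: `assertText(t('Status'))` passes if the word appears anywhere on the page and `assertNoText(t('Email'))` fails on any unrelated mention, so scoping them to the view's markup, e.g. `$this->assertSession()->elementTextContains('css', '.view-test-user-fields-access', 'Status')`, assuming the view renders with its usual wrapper class, would be more robust. The account logged in for the first assertions comes from UserTestBase::setUp(), outside this file, and the comment `// User has access to name and created date by default.` would be clearer if it named that account.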