View source
<?php
namespace Drupal\comment;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;
class CommentAccessControlHandler extends EntityAccessControlHandler {
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
$comment_admin = $account
->hasPermission('administer comments');
if ($operation == 'approve') {
return AccessResult::allowedIf($comment_admin && !$entity
->isPublished())
->cachePerPermissions()
->addCacheableDependency($entity);
}
if ($comment_admin) {
$access = AccessResult::allowed()
->cachePerPermissions();
return $operation != 'view' ? $access : $access
->andIf($entity
->getCommentedEntity()
->access($operation, $account, TRUE));
}
switch ($operation) {
case 'view':
$access_result = AccessResult::allowedIf($account
->hasPermission('access comments') && $entity
->isPublished())
->cachePerPermissions()
->addCacheableDependency($entity)
->andIf($entity
->getCommentedEntity()
->access($operation, $account, TRUE));
if (!$access_result
->isAllowed()) {
$access_result
->setReason("The 'access comments' permission is required and the comment must be published.");
}
return $access_result;
case 'update':
$access_result = AccessResult::allowedIf($account
->id() && $account
->id() == $entity
->getOwnerId() && $entity
->isPublished() && $account
->hasPermission('edit own comments'))
->cachePerPermissions()
->cachePerUser()
->addCacheableDependency($entity);
if (!$access_result
->isAllowed()) {
$access_result
->setReason("The 'edit own comments' permission is required, the user must be the comment author, and the comment must be published.");
}
return $access_result;
default:
return AccessResult::neutral()
->cachePerPermissions();
}
}
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
return AccessResult::allowedIfHasPermission($account, 'post comments');
}
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
if ($operation == 'edit') {
$administrative_fields = [
'uid',
'status',
'created',
'date',
];
if (in_array($field_definition
->getName(), $administrative_fields, TRUE)) {
return AccessResult::allowedIfHasPermission($account, 'administer comments');
}
$read_only_fields = [
'hostname',
'changed',
'cid',
'thread',
];
$create_only_fields = [
'comment_type',
'uuid',
'entity_id',
'entity_type',
'field_name',
'pid',
];
if ($items && ($entity = $items
->getEntity()) && $entity
->isNew() && in_array($field_definition
->getName(), $create_only_fields, TRUE)) {
return AccessResult::allowedIfHasPermission($account, 'post comments')
->addCacheableDependency($entity);
}
$read_only_fields = array_merge($read_only_fields, $create_only_fields);
if (in_array($field_definition
->getName(), $read_only_fields, TRUE)) {
return AccessResult::forbidden();
}
if (in_array($field_definition
->getName(), [
'name',
'mail',
'homepage',
], TRUE)) {
if (!$items) {
return AccessResult::forbidden();
}
$is_name = $field_definition
->getName() === 'name';
$entity = $items
->getEntity();
$commented_entity = $entity
->getCommentedEntity();
$anonymous_contact = $commented_entity
->get($entity
->getFieldName())
->getFieldDefinition()
->getSetting('anonymous');
$admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
$anonymous_access = AccessResult::allowedIf($entity
->isNew() && $account
->isAnonymous() && ($anonymous_contact != CommentInterface::ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account
->hasPermission('post comments'))
->cachePerPermissions()
->addCacheableDependency($entity)
->addCacheableDependency($field_definition
->getConfig($commented_entity
->bundle()))
->addCacheableDependency($commented_entity);
return $admin_access
->orIf($anonymous_access);
}
}
if ($operation == 'view') {
if ($field_definition
->getName() == 'hostname') {
return AccessResult::forbidden();
}
if ($field_definition
->getName() == 'mail') {
return AccessResult::allowedIfHasPermission($account, 'administer comments');
}
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
}