You are here

class CommentAccessControlHandler in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler

Defines the access control handler for the comment entity type.

Hierarchy

Expanded class hierarchy of CommentAccessControlHandler

See also

\Drupal\comment\Entity\Comment

File

core/modules/comment/src/CommentAccessControlHandler.php, line 17

Namespace

Drupal\comment
View source
class CommentAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {

    /** @var \Drupal\comment\CommentInterface|\Drupal\user\EntityOwnerInterface $entity */
    $comment_admin = $account
      ->hasPermission('administer comments');
    if ($operation == 'approve') {
      return AccessResult::allowedIf($comment_admin && !$entity
        ->isPublished())
        ->cachePerPermissions()
        ->addCacheableDependency($entity);
    }
    if ($comment_admin) {
      $access = AccessResult::allowed()
        ->cachePerPermissions();
      return $operation != 'view' ? $access : $access
        ->andIf($entity
        ->getCommentedEntity()
        ->access($operation, $account, TRUE));
    }
    switch ($operation) {
      case 'view':
        $access_result = AccessResult::allowedIf($account
          ->hasPermission('access comments') && $entity
          ->isPublished())
          ->cachePerPermissions()
          ->addCacheableDependency($entity)
          ->andIf($entity
          ->getCommentedEntity()
          ->access($operation, $account, TRUE));
        if (!$access_result
          ->isAllowed()) {
          $access_result
            ->setReason("The 'access comments' permission is required and the comment must be published.");
        }
        return $access_result;
      case 'update':
        $access_result = AccessResult::allowedIf($account
          ->id() && $account
          ->id() == $entity
          ->getOwnerId() && $entity
          ->isPublished() && $account
          ->hasPermission('edit own comments'))
          ->cachePerPermissions()
          ->cachePerUser()
          ->addCacheableDependency($entity);
        if (!$access_result
          ->isAllowed()) {
          $access_result
            ->setReason("The 'edit own comments' permission is required, the user must be the comment author, and the comment must be published.");
        }
        return $access_result;
      default:

        // No opinion.
        return AccessResult::neutral()
          ->cachePerPermissions();
    }
  }

  /**
   * {@inheritdoc}
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    return AccessResult::allowedIfHasPermission($account, 'post comments');
  }

  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    if ($operation == 'edit') {

      // Only users with the "administer comments" permission can edit
      // administrative fields.
      $administrative_fields = [
        'uid',
        'status',
        'created',
        'date',
      ];
      if (in_array($field_definition
        ->getName(), $administrative_fields, TRUE)) {
        return AccessResult::allowedIfHasPermission($account, 'administer comments');
      }

      // No user can change read-only fields.
      $read_only_fields = [
        'hostname',
        'changed',
        'cid',
        'thread',
      ];

      // These fields can be edited during comment creation.
      $create_only_fields = [
        'comment_type',
        'uuid',
        'entity_id',
        'entity_type',
        'field_name',
        'pid',
      ];
      if ($items && ($entity = $items
        ->getEntity()) && $entity
        ->isNew() && in_array($field_definition
        ->getName(), $create_only_fields, TRUE)) {

        // We are creating a new comment, user can edit create only fields.
        return AccessResult::allowedIfHasPermission($account, 'post comments')
          ->addCacheableDependency($entity);
      }

      // We are editing an existing comment - create only fields are now read
      // only.
      $read_only_fields = array_merge($read_only_fields, $create_only_fields);
      if (in_array($field_definition
        ->getName(), $read_only_fields, TRUE)) {
        return AccessResult::forbidden();
      }

      // If the field is configured to accept anonymous contact details - admins
      // can edit name, homepage and mail. Anonymous users can also fill in the
      // fields on comment creation.
      if (in_array($field_definition
        ->getName(), [
        'name',
        'mail',
        'homepage',
      ], TRUE)) {
        if (!$items) {

          // We cannot make a decision about access to edit these fields if we
          // don't have any items and therefore cannot determine the Comment
          // entity. In this case we err on the side of caution and prevent edit
          // access.
          return AccessResult::forbidden();
        }
        $is_name = $field_definition
          ->getName() === 'name';

        /** @var \Drupal\comment\CommentInterface $entity */
        $entity = $items
          ->getEntity();
        $commented_entity = $entity
          ->getCommentedEntity();
        $anonymous_contact = $commented_entity
          ->get($entity
          ->getFieldName())
          ->getFieldDefinition()
          ->getSetting('anonymous');
        $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
        $anonymous_access = AccessResult::allowedIf($entity
          ->isNew() && $account
          ->isAnonymous() && ($anonymous_contact != CommentInterface::ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account
          ->hasPermission('post comments'))
          ->cachePerPermissions()
          ->addCacheableDependency($entity)
          ->addCacheableDependency($field_definition
          ->getConfig($commented_entity
          ->bundle()))
          ->addCacheableDependency($commented_entity);
        return $admin_access
          ->orIf($anonymous_access);
      }
    }
    if ($operation == 'view') {

      // Nobody has access to the hostname.
      if ($field_definition
        ->getName() == 'hostname') {
        return AccessResult::forbidden();
      }

      // The mail field is hidden from non-admins.
      if ($field_definition
        ->getName() == 'mail') {
        return AccessResult::allowedIfHasPermission($account, 'administer comments');
      }
    }
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

}

Members

Namesort descending Modifiers Type Description Overrides
CommentAccessControlHandler::checkAccess protected function Performs access checks. Overrides EntityAccessControlHandler::checkAccess
CommentAccessControlHandler::checkCreateAccess protected function Performs create access checks. Overrides EntityAccessControlHandler::checkCreateAccess
CommentAccessControlHandler::checkFieldAccess protected function Default field access as determined by this access control handler. Overrides EntityAccessControlHandler::checkFieldAccess
DependencySerializationTrait::$_entityStorages protected property
DependencySerializationTrait::$_serviceIds protected property
DependencySerializationTrait::__sleep public function 2
DependencySerializationTrait::__wakeup public function 2
EntityAccessControlHandler::$accessCache protected property Stores calculated access check results.
EntityAccessControlHandler::$entityType protected property Information about the entity type.
EntityAccessControlHandler::$entityTypeId protected property The entity type ID of the access control handler instance.
EntityAccessControlHandler::$viewLabelOperation protected property Allows to grant access to just the labels. 5
EntityAccessControlHandler::access public function Checks access to an operation on a given entity or entity translation. Overrides EntityAccessControlHandlerInterface::access 1
EntityAccessControlHandler::createAccess public function Checks access to create an entity. Overrides EntityAccessControlHandlerInterface::createAccess 1
EntityAccessControlHandler::fieldAccess public function Checks access to an operation on a given entity field. Overrides EntityAccessControlHandlerInterface::fieldAccess
EntityAccessControlHandler::getCache protected function Tries to retrieve a previously cached access value from the static cache.
EntityAccessControlHandler::prepareUser protected function Loads the current account object, if it does not exist yet.
EntityAccessControlHandler::processAccessHookResults protected function We grant access to the entity if both of these conditions are met:
EntityAccessControlHandler::resetCache public function Clears all cached access checks. Overrides EntityAccessControlHandlerInterface::resetCache
EntityAccessControlHandler::setCache protected function Statically caches whether the given user has access.
EntityAccessControlHandler::__construct public function Constructs an access control handler instance. 6
EntityHandlerBase::$moduleHandler protected property The module handler to invoke hooks on. 5
EntityHandlerBase::moduleHandler protected function Gets the module handler. 5
EntityHandlerBase::setModuleHandler public function Sets the module handler for this handler.
StringTranslationTrait::$stringTranslation protected property The string translation service. 4
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.