You are here

protected function CommentAccessControlHandler::checkFieldAccess in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler::checkFieldAccess()
  2. 9 core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler::checkFieldAccess()

Default field access as determined by this access control handler.

Parameters

string $operation: The operation access should be checked for. Usually one of "view" or "edit".

\Drupal\Core\Field\FieldDefinitionInterface $field_definition: The field definition.

\Drupal\Core\Session\AccountInterface $account: The user session for which to check access.

\Drupal\Core\Field\FieldItemListInterface $items: (optional) The field values for which to check access, or NULL if access is checked for the field definition, without any specific value available. Defaults to NULL.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkFieldAccess

File

core/modules/comment/src/CommentAccessControlHandler.php, line 71

Class

CommentAccessControlHandler
Defines the access control handler for the comment entity type.

Namespace

Drupal\comment

Code

protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if ($operation == 'edit') {

    // Only users with the "administer comments" permission can edit
    // administrative fields.
    $administrative_fields = [
      'uid',
      'status',
      'created',
      'date',
    ];
    if (in_array($field_definition
      ->getName(), $administrative_fields, TRUE)) {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }

    // No user can change read-only fields.
    $read_only_fields = [
      'hostname',
      'changed',
      'cid',
      'thread',
    ];

    // These fields can be edited during comment creation.
    $create_only_fields = [
      'comment_type',
      'uuid',
      'entity_id',
      'entity_type',
      'field_name',
      'pid',
    ];
    if ($items && ($entity = $items
      ->getEntity()) && $entity
      ->isNew() && in_array($field_definition
      ->getName(), $create_only_fields, TRUE)) {

      // We are creating a new comment, user can edit create only fields.
      return AccessResult::allowedIfHasPermission($account, 'post comments')
        ->addCacheableDependency($entity);
    }

    // We are editing an existing comment - create only fields are now read
    // only.
    $read_only_fields = array_merge($read_only_fields, $create_only_fields);
    if (in_array($field_definition
      ->getName(), $read_only_fields, TRUE)) {
      return AccessResult::forbidden();
    }

    // If the field is configured to accept anonymous contact details - admins
    // can edit name, homepage and mail. Anonymous users can also fill in the
    // fields on comment creation.
    if (in_array($field_definition
      ->getName(), [
      'name',
      'mail',
      'homepage',
    ], TRUE)) {
      if (!$items) {

        // We cannot make a decision about access to edit these fields if we
        // don't have any items and therefore cannot determine the Comment
        // entity. In this case we err on the side of caution and prevent edit
        // access.
        return AccessResult::forbidden();
      }
      $is_name = $field_definition
        ->getName() === 'name';

      /** @var \Drupal\comment\CommentInterface $entity */
      $entity = $items
        ->getEntity();
      $commented_entity = $entity
        ->getCommentedEntity();
      $anonymous_contact = $commented_entity
        ->get($entity
        ->getFieldName())
        ->getFieldDefinition()
        ->getSetting('anonymous');
      $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
      $anonymous_access = AccessResult::allowedIf($entity
        ->isNew() && $account
        ->isAnonymous() && ($anonymous_contact != CommentInterface::ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account
        ->hasPermission('post comments'))
        ->cachePerPermissions()
        ->addCacheableDependency($entity)
        ->addCacheableDependency($field_definition
        ->getConfig($commented_entity
        ->bundle()))
        ->addCacheableDependency($commented_entity);
      return $admin_access
        ->orIf($anonymous_access);
    }
  }
  if ($operation == 'view') {

    // Nobody has access to the hostname.
    if ($field_definition
      ->getName() == 'hostname') {
      return AccessResult::forbidden();
    }

    // The mail field is hidden from non-admins.
    if ($field_definition
      ->getName() == 'mail') {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}