You are here

Home » API reference » Drupal 9 » FileAccessControlHandler.php » FileAccessControlHandler

protected function FileAccessControlHandler::checkFieldAccess in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/file/src/FileAccessControlHandler.php \Drupal\file\FileAccessControlHandler::checkFieldAccess()

Default field access as determined by this access control handler.

Parameters

string $operation: The operation access should be checked for. Usually one of "view" or "edit".

\Drupal\Core\Field\FieldDefinitionInterface $field_definition: The field definition.

\Drupal\Core\Session\AccountInterface $account: The user session for which to check access.

\Drupal\Core\Field\FieldItemListInterface $items: (optional) The field values for which to check access, or NULL if access is checked for the field definition, without any specific value available. Defaults to NULL.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkFieldAccess

File

core/modules/file/src/FileAccessControlHandler.php, line 97

Class

FileAccessControlHandler
Provides a File access control handler.

Namespace

Drupal\file

Code

protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {

  // Deny access to fields that should only be set on file creation, and
  // "status" which should only be changed based on a file's usage.
  $create_only_fields = [
    'uri',
    'filemime',
    'filesize',
  ];

  // The operation is 'edit' when the entity is being created or updated.
  // Determine if the entity is being updated by checking if it is new.
  $field_name = $field_definition
    ->getName();
  if ($operation === 'edit' && $items && ($entity = $items
    ->getEntity()) && !$entity
    ->isNew() && in_array($field_name, $create_only_fields, TRUE)) {
    return AccessResult::forbidden();
  }

  // Regardless of whether the entity exists access should be denied to the
  // status field as this is managed via other APIs, for example:
  // - \Drupal\file\FileUsage\FileUsageBase::add()
  // - \Drupal\file\Plugin\EntityReferenceSelection\FileSelection::createNewEntity()
  if ($operation === 'edit' && $field_name === 'status') {
    return AccessResult::forbidden();
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}