public function RelationshipFieldAccess::access in Drupal 8

Same name and namespace in other branches
  1. 9 core/modules/jsonapi/src/Access/RelationshipFieldAccess.php \Drupal\jsonapi\Access\RelationshipFieldAccess::access()

Checks access to the relationship field on the given route.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The incoming HTTP request object.

\Symfony\Component\Routing\Route $route: The route to check against.

\Drupal\Core\Session\AccountInterface $account: The currently logged in account.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

File

core/modules/jsonapi/src/Access/RelationshipFieldAccess.php, line 65

Class

RelationshipFieldAccess
Defines a class to check access to related and relationship routes.

Namespace

Drupal\jsonapi\Access

Code

public function access(Request $request, Route $route, AccountInterface $account) {
  $relationship_field_name = $route->getRequirement(static::ROUTE_REQUIREMENT_KEY);
  $field_operation = $request->isMethodCacheable() ? 'view' : 'edit';
  $entity_operation = $request->isMethodCacheable() ? 'view' : 'update';
  if ($resource_type = $request->get(Routes::RESOURCE_TYPE_KEY)) {
    assert($resource_type instanceof ResourceType);
    $entity = $request->get('entity');
    $internal_name = $resource_type->getInternalName($relationship_field_name);
    if ($entity instanceof FieldableEntityInterface && $entity->hasField($internal_name)) {
      $entity_access = $this->entityAccessChecker->checkEntityAccess($entity, $entity_operation, $account);
      $field_access = $entity->get($internal_name)->access($field_operation, $account, TRUE);

      // Ensure that access is respected for different entity revisions.
      $access_result = $entity_access->andIf($field_access);
      if (!$access_result->isAllowed()) {
        $reason = "The current user is not allowed to {$field_operation} this relationship.";
        $access_reason = $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : NULL;
        $detailed_reason = empty($access_reason) ? $reason : $reason . " {$access_reason}";
        $access_result->setReason($detailed_reason);
        if ($request->isMethodCacheable()) {
          throw new CacheableAccessDeniedHttpException(CacheableMetadata::createFromObject($access_result), $detailed_reason);
        }
      }
      return $access_result;
    }
  }
  return AccessResult::neutral();
}