You are here

protected function EntityResource::checkPatchFieldAccess in Drupal 10

Same name in this branch
  1. 10 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
  2. 10 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
Same name and namespace in other branches
  1. 8 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
  2. 9 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()

Checks whether the given field should be PATCHed.

@internal

Parameters

\Drupal\Core\Field\FieldItemListInterface $original_field: The original (stored) value for the field.

\Drupal\Core\Field\FieldItemListInterface $received_field: The received value for the field.

Return value

bool Whether the field should be PATCHed or not.

Throws

\Drupal\jsonapi\Exception\EntityAccessDeniedHttpException Thrown when the user sending the request is not allowed to update the field. Only thrown when the user could not abuse this information to determine the stored value.

See also

\Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()

File

core/modules/jsonapi/src/Controller/EntityResource.php, line 1154

Class

EntityResource
Process all entity requests.

Namespace

Drupal\jsonapi\Controller

Code

protected function checkPatchFieldAccess(FieldItemListInterface $original_field, FieldItemListInterface $received_field) {

  // If the user is allowed to edit the field, it is always safe to set the
  // received value. We may be setting an unchanged value, but that is ok.
  $field_edit_access = $original_field
    ->access('edit', NULL, TRUE);
  if ($field_edit_access
    ->isAllowed()) {
    return TRUE;
  }

  // The user might not have access to edit the field, but still needs to
  // submit the current field value as part of the PATCH request. For
  // example, the entity keys required by denormalizers. Therefore, if the
  // received value equals the stored value, return FALSE without throwing an
  // exception. But only for fields that the user has access to view, because
  // the user has no legitimate way of knowing the current value of fields
  // that they are not allowed to view, and we must not make the presence or
  // absence of a 403 response a way to find that out.
  if ($original_field
    ->access('view') && $original_field
    ->equals($received_field)) {
    return FALSE;
  }

  // It's helpful and safe to let the user know when they are not allowed to
  // update a field.
  $field_name = $received_field
    ->getName();
  throw new EntityAccessDeniedHttpException($original_field
    ->getEntity(), $field_edit_access, '/data/attributes/' . $field_name, sprintf('The current user is not allowed to PATCH the selected field (%s).', $field_name));
}