protected function EntityResource::checkPatchFieldAccess in Drupal 10
Same name in this branch
- 10 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
- 10 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
Same name and namespace in other branches
- 8 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
- 9 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
Checks whether the given field should be PATCHed.
@internal
Parameters
\Drupal\Core\Field\FieldItemListInterface $original_field: The original (stored) value for the field.
\Drupal\Core\Field\FieldItemListInterface $received_field: The received value for the field.
Return value
bool Whether the field should be PATCHed or not.
Throws
\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException Thrown when the user sending the request is not allowed to update the field. Only thrown when the user could not abuse this information to determine the stored value.
1 call to EntityResource::checkPatchFieldAccess()
- EntityResource::patch in core/
modules/ rest/ src/ Plugin/ rest/ resource/ EntityResource.php - Responds to entity PATCH requests.
File
- core/
modules/ rest/ src/ Plugin/ rest/ resource/ EntityResource.php, line 280
Class
- EntityResource
- Represents entities as resources.
Namespace
Drupal\rest\Plugin\rest\resourceCode
protected function checkPatchFieldAccess(FieldItemListInterface $original_field, FieldItemListInterface $received_field) {
// The user might not have access to edit the field, but still needs to
// submit the current field value as part of the PATCH request. For
// example, the entity keys required by denormalizers. Therefore, if the
// received value equals the stored value, return FALSE without throwing an
// exception. But only for fields that the user has access to view, because
// the user has no legitimate way of knowing the current value of fields
// that they are not allowed to view, and we must not make the presence or
// absence of a 403 response a way to find that out.
if ($original_field
->access('view') && $original_field
->equals($received_field)) {
return FALSE;
}
// If the user is allowed to edit the field, it is always safe to set the
// received value. We may be setting an unchanged value, but that is ok.
$field_edit_access = $original_field
->access('edit', NULL, TRUE);
if ($field_edit_access
->isAllowed()) {
return TRUE;
}
// It's helpful and safe to let the user know when they are not allowed to
// update a field.
$field_name = $received_field
->getName();
$error_message = "Access denied on updating field '{$field_name}'.";
if ($field_edit_access instanceof AccessResultReasonInterface) {
$reason = $field_edit_access
->getReason();
if ($reason) {
$error_message .= ' ' . $reason;
}
}
throw new AccessDeniedHttpException($error_message);
}