You are here

protected function EntityResource::checkPatchFieldAccess in Drupal 10

Same name in this branch
  1. 10 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
  2. 10 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
Same name and namespace in other branches
  1. 8 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
  2. 9 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()

Checks whether the given field should be PATCHed.

@internal

Parameters

\Drupal\Core\Field\FieldItemListInterface $original_field: The original (stored) value for the field.

\Drupal\Core\Field\FieldItemListInterface $received_field: The received value for the field.

Return value

bool Whether the field should be PATCHed or not.

Throws

\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException Thrown when the user sending the request is not allowed to update the field. Only thrown when the user could not abuse this information to determine the stored value.

1 call to EntityResource::checkPatchFieldAccess()
EntityResource::patch in core/modules/rest/src/Plugin/rest/resource/EntityResource.php
Responds to entity PATCH requests.

File

core/modules/rest/src/Plugin/rest/resource/EntityResource.php, line 280

Class

EntityResource
Represents entities as resources.

Namespace

Drupal\rest\Plugin\rest\resource

Code

protected function checkPatchFieldAccess(FieldItemListInterface $original_field, FieldItemListInterface $received_field) {

  // The user might not have access to edit the field, but still needs to
  // submit the current field value as part of the PATCH request. For
  // example, the entity keys required by denormalizers. Therefore, if the
  // received value equals the stored value, return FALSE without throwing an
  // exception. But only for fields that the user has access to view, because
  // the user has no legitimate way of knowing the current value of fields
  // that they are not allowed to view, and we must not make the presence or
  // absence of a 403 response a way to find that out.
  if ($original_field
    ->access('view') && $original_field
    ->equals($received_field)) {
    return FALSE;
  }

  // If the user is allowed to edit the field, it is always safe to set the
  // received value. We may be setting an unchanged value, but that is ok.
  $field_edit_access = $original_field
    ->access('edit', NULL, TRUE);
  if ($field_edit_access
    ->isAllowed()) {
    return TRUE;
  }

  // It's helpful and safe to let the user know when they are not allowed to
  // update a field.
  $field_name = $received_field
    ->getName();
  $error_message = "Access denied on updating field '{$field_name}'.";
  if ($field_edit_access instanceof AccessResultReasonInterface) {
    $reason = $field_edit_access
      ->getReason();
    if ($reason) {
      $error_message .= ' ' . $reason;
    }
  }
  throw new AccessDeniedHttpException($error_message);
}