protected function UserAccessControlHandler::checkAccess in Drupal 9
Same name and namespace in other branches
- 8 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkAccess()
Performs access checks.
This method is supposed to be overwritten by extending classes that do their own custom access checking.
Parameters
\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.
string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.
\Drupal\Core\Session\AccountInterface $account: The user for which to check access.
Return value
\Drupal\Core\Access\AccessResultInterface The access result.
Overrides EntityAccessControlHandler::checkAccess
File
- core/
modules/ user/ src/ UserAccessControlHandler.php, line 31
Class
- UserAccessControlHandler
- Defines the access control handler for the user entity type.
Namespace
Drupal\userCode
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
/** @var \Drupal\user\UserInterface $entity*/
// We don't treat the user label as privileged information, so this check
// has to be the first one in order to allow labels for all users to be
// viewed, including the special anonymous user.
if ($operation === 'view label') {
return AccessResult::allowed();
}
// The anonymous user's profile can neither be viewed, updated nor deleted.
if ($entity
->isAnonymous()) {
return AccessResult::forbidden();
}
// Administrators can view/update/delete all user profiles.
if ($account
->hasPermission('administer users')) {
return AccessResult::allowed()
->cachePerPermissions();
}
switch ($operation) {
case 'view':
// Only allow view access if the account is active.
if ($account
->hasPermission('access user profiles') && $entity
->isActive()) {
return AccessResult::allowed()
->cachePerPermissions()
->addCacheableDependency($entity);
}
elseif ($account
->id() == $entity
->id()) {
return AccessResult::allowed()
->cachePerUser();
}
else {
return AccessResultNeutral::neutral("The 'access user profiles' permission is required and the user must be active.")
->cachePerPermissions()
->addCacheableDependency($entity);
}
break;
case 'update':
// Users can always edit their own account.
$access_result = AccessResult::allowedIf($account
->id() == $entity
->id())
->cachePerUser();
if (!$access_result
->isAllowed() && $access_result instanceof AccessResultReasonInterface) {
$access_result
->setReason("Users can only update their own account, unless they have the 'administer users' permission.");
}
return $access_result;
case 'delete':
// Users with 'cancel account' permission can cancel their own account.
return AccessResult::allowedIfHasPermission($account, 'cancel account')
->andIf(AccessResult::allowedIf($account
->id() == $entity
->id())
->cachePerUser());
}
// No opinion.
return AccessResult::neutral();
}