protected function UserAccessControlHandler::checkFieldAccess in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()
  2. 9 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()

Default field access as determined by this access control handler.

Parameters

string $operation: The operation access should be checked for. Usually one of "view" or "edit".

\Drupal\Core\Field\FieldDefinitionInterface $field_definition: The field definition.

\Drupal\Core\Session\AccountInterface $account: The user session for which to check access.

\Drupal\Core\Field\FieldItemListInterface $items: (optional) The field values for which to check access, or NULL if access is checked for the field definition, without any specific value available. Defaults to NULL.

Return value

\Drupal\Core\Access\AccessResultInterface: The access result.

Overrides EntityAccessControlHandler::checkFieldAccess

File

core/modules/user/src/UserAccessControlHandler.php, line 87

Class

UserAccessControlHandler
Defines the access control handler for the user entity type.

Namespace

Drupal\user

Code

protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Fields that are not implicitly allowed to administrative users.
  $explicit_check_fields = [
    'pass',
  ];

  // Administrative users are allowed to edit and view all fields.
  if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
    return AccessResult::allowed()->cachePerPermissions();
  }

  // Flag to indicate if this user entity is the own user account.
  $is_own_account = $items ? $items->getEntity()->id() == $account->id() : FALSE;
  switch ($field_definition->getName()) {
    case 'name':
      // Allow view access to anyone with access to the entity.
      // The username field is editable during the registration process.
      if ($operation == 'view' || $items && $items->getEntity()->isAnonymous()) {
        return AccessResult::allowed()->cachePerPermissions();
      }

      // Allow edit access for the own user name if the permission is
      // satisfied.
      if ($is_own_account && $account->hasPermission('change own username')) {
        return AccessResult::allowed()->cachePerPermissions()->cachePerUser();
      }
      else {
        return AccessResult::neutral();
      }

    case 'mail':
      // Only check for the 'view user email addresses' permission and a view
      // operation. Use case fall-through for all other cases.
      if ($operation == 'view' && $account->hasPermission('view user email addresses')) {
        return AccessResult::allowed()->cachePerPermissions();
      }

    case 'preferred_langcode':
    case 'preferred_admin_langcode':
    case 'timezone':
      // Allow view access to own mail address and other personalization
      // settings.
      if ($operation == 'view') {
        return AccessResult::allowedIf($is_own_account)->cachePerUser();
      }

      // Anyone that can edit the user can also edit this field.
      return AccessResult::allowed()->cachePerPermissions();

    case 'pass':
      // Allow editing the password, but not viewing it.
      return $operation == 'edit' ? AccessResult::allowed() : AccessResult::forbidden();

    case 'created':
      // Allow viewing the created date, but not editing it.
      return $operation == 'view' ? AccessResult::allowed() : AccessResult::neutral();

    case 'roles':
    case 'status':
    case 'access':
    case 'login':
    case 'init':
      return AccessResult::neutral();
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
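
A caller-side illustration of the access results returned above, added here and not part of Drupal core: a hypothetical controller (module `example_profile`, class `ContactCardController`) that checks view access field by field and merges each result's cacheability into the render array, so a per-user result such as own-account `mail` is not served from a cache entry built for a different viewer. It assumes the route already enforces entity view access on the user.

```php
<?php

// Added example; the module and class names are hypothetical.
namespace Drupal\example_profile\Controller;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Controller\ControllerBase;
use Drupal\user\UserInterface;

/**
 * Renders a small contact card for a user account.
 */
class ContactCardController extends ControllerBase {

  /**
   * Assumption: the route enforces entity view access on $user.
   */
  public function card(UserInterface $user): array {
    $viewer = $this->currentUser();
    $items = [];
    // Start from the user entity's own cache tags.
    $cacheability = CacheableMetadata::createFromObject($user);

    foreach (['name', 'mail', 'timezone', 'created'] as $field_name) {
      $field = $user->get($field_name);
      // Request the AccessResult object rather than a boolean, so the
      // cache contexts set by cachePerUser() / cachePerPermissions() in
      // checkFieldAccess() are not discarded.
      $access = $field->access('view', $viewer, TRUE);
      // Merge cacheability even when access is denied: the denial is
      // itself specific to this viewer and must vary the cached output.
      $cacheability->addCacheableDependency($access);
      if ($access->isAllowed()) {
        // item_list passes string items through Twig autoescaping.
        $items[] = $field_name . ': ' . $field->getString();
      }
    }

    $build = ['#theme' => 'item_list', '#items' => $items];
    $cacheability->applyTo($build);
    return $build;
  }

}
```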