
function field_permission_example_entity_field_access in Examples for Developers 3.x

Same name and namespace in other branches
  1. 8 field_permission_example/field_permission_example.module \field_permission_example_entity_field_access()

Implements hook_entity_field_access().

Ensures that our fieldnote field can be viewed or edited only by accounts that hold an administrative permission, the matching "any" permission, or the matching "own" permission on an entity they own; access to every other field type is left neutral so other modules decide.


File

modules/field_permission_example/field_permission_example.module, line 96
An example field using the Field Types API.

Code

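/**
 * Implements hook_entity_field_access().
 *
 * Restricts who may view or edit the 'field_permission_example_fieldnote'
 * field. Access to every other field type is returned as neutral so that
 * other modules (and the entity's own access handler) decide.
 *
 * Every non-neutral result carries the cache metadata it depends on: a
 * decision based on permissions is varied by the 'user.permissions' cache
 * context, and a decision based on ownership is additionally varied per user
 * and tied to the owning entity. Without this metadata a cached render of
 * the field could be served to a different user.
 *
 * @param string $operation
 *   The operation being performed: 'view' or 'edit'.
 * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
 *   The field definition.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The user account to check access for.
 * @param \Drupal\Core\Field\FieldItemListInterface|null $items
 *   (optional) The field values. NULL when access is checked on the field
 *   definition alone, in which case no ownership check is possible and only
 *   the administrative and "any" permissions can grant access.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   Neutral for other fields; allowed or forbidden for our field.
 */
function field_permission_example_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Only our sticky note field is governed here.
  if ($field_definition->getType() !== 'field_permission_example_fieldnote') {
    return AccessResult::neutral();
  }

  // NOTE: the status messages below exist purely to make this example
  // observable. They fire on every access check and tell the viewer which
  // permission granted access, so a production module should not emit them.
  $messenger = \Drupal::messenger();

  // Administrative permissions win unconditionally. Each result is tagged
  // with the 'user.permissions' cache context because it depends only on
  // the account's permissions.
  if ($account->hasPermission('bypass node access')) {
    $messenger->addMessage(t('User can bypass node access.'));
    return AccessResult::allowed()->cachePerPermissions();
  }
  if ($account->hasPermission('administer content types')) {
    $messenger->addMessage(t('User can administer content types.'));
    return AccessResult::allowed()->cachePerPermissions();
  }
  if ($account->hasPermission('administer the fieldnote field')) {
    $messenger->addMessage(t('User can administer this field.'));
    return AccessResult::allowed()->cachePerPermissions();
  }

  // "Any" permissions depend on the operation but not on the entity.
  if ($operation === 'view' && $account->hasPermission('view any fieldnote')) {
    $messenger->addMessage(t('User can view any field note.'));
    return AccessResult::allowed()->cachePerPermissions();
  }
  if ($operation === 'edit' && $account->hasPermission('edit any fieldnote')) {
    $messenger->addMessage(t('User can edit any field note.'));
    return AccessResult::allowed()->cachePerPermissions();
  }

  // Resolve the owner of the entity the field is attached to. A user entity
  // is its own owner; anything else must implement EntityOwnerInterface.
  // getOwnerId() is used instead of getOwner()->getAccountName() so that an
  // entity whose owner account has been deleted does not fatal here, and so
  // the comparison is on the immutable uid rather than a renamable name.
  $entity = $items ? $items->getEntity() : NULL;
  $owner_id = NULL;
  if ($entity instanceof EntityOwnerInterface) {
    $owner_id = $entity->getOwnerId();
  }
  elseif ($entity instanceof UserInterface) {
    $owner_id = $entity->id();
  }

  // Anonymous visitors all share uid 0 (and an empty account name), so
  // treating them as "owners" would hand every anonymous visitor "own"
  // access to anonymous-authored content. Only authenticated accounts can
  // own something for the purposes of the "own" permissions.
  $is_owner = $owner_id !== NULL
    && $account->isAuthenticated()
    && (int) $owner_id === (int) $account->id();

  if ($is_owner) {
    // Ownership results vary per user and must be invalidated when the
    // entity (and therefore its owner) changes.
    if ($operation === 'view' && $account->hasPermission('view own fieldnote')) {
      $messenger->addMessage(t('User can view their own field note.'));
      return AccessResult::allowed()
        ->cachePerPermissions()
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }
    if ($operation === 'edit' && $account->hasPermission('edit own fieldnote')) {
      $messenger->addMessage(t('User can edit their own field note.'));
      return AccessResult::allowed()
        ->cachePerPermissions()
        ->cachePerUser()
        ->addCacheableDependency($entity);
    }
  }

  // Anything else on this field is forbidden. The denial depends on the
  // account's permissions and, when an ownable entity was consulted, on the
  // current user and that entity.
  $result = AccessResult::forbidden()->cachePerPermissions();
  if ($owner_id !== NULL) {
    $result->cachePerUser()->addCacheableDependency($entity);
  }
  return $result;
}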