You are here

Home » API reference » File Entity (fieldable files) 8.2 » FileEntityAccessControlHandler.php » FileEntityAccessControlHandler

protected function FileEntityAccessControlHandler::checkAccess in File Entity (fieldable files) 8.2

Performs access checks.

This method is supposed to be overwritten by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides FileAccessControlHandler::checkAccess

File

src/FileEntityAccessControlHandler.php, line 48

Class

FileEntityAccessControlHandler
Defines the access control handler for the file entity type.

Namespace

Drupal\file_entity

Code

protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {

  /** @var FileEntity $entity */
  $is_owner = $entity
    ->getOwnerId() === $account
    ->id();
  if ($operation == 'view') {
    $schemes = file_entity_get_public_and_private_stream_wrapper_names();
    if (isset($schemes['private'][StreamWrapperManager::getScheme($entity
      ->getFileUri())])) {
      return AccessResult::allowedIfHasPermission($account, 'view private files')
        ->orIf(AccessResult::allowedIf($account
        ->isAuthenticated() && $is_owner)
        ->addCacheableDependency($entity)
        ->andIf(AccessResult::allowedIfHasPermission($account, 'view own private files')));
    }
    elseif ($entity
      ->isPermanent()) {
      return AccessResult::allowedIfHasPermission($account, 'view files')
        ->orIf(AccessResult::allowedIf($is_owner)
        ->addCacheableDependency($entity)
        ->andIf(AccessResult::allowedIfHasPermission($account, 'view own files')));
    }
  }

  // Public files can always be downloaded, fix for regression after
  // SA-CORE-2020-011.
  if ($operation == 'download' && StreamWrapperManager::getScheme($entity
    ->getFileUri()) == 'public') {
    return AccessResult::allowed();
  }

  // User can perform these operations if they have the "any" permission or if
  // they own it and have the "own" permission.
  if (in_array($operation, array(
    'download',
    'update',
    'delete',
  ))) {
    $permission_action = $operation == 'update' ? 'edit' : $operation;
    $type = $entity
      ->get('type')->target_id;
    return AccessResult::allowedIfHasPermission($account, "{$permission_action} any {$type} files")
      ->orIf(AccessResult::allowedIf($is_owner)
      ->addCacheableDependency($entity)
      ->andIf(AccessResult::allowedIfHasPermission($account, "{$permission_action} own {$type} files")));
  }

  // Fall back to the parent implementation so that file uploads work.
  // @todo Merge that in here somehow?
  return parent::checkAccess($entity, $operation, $account);
}