
function role_delegation_entity_field_access in Role Delegation 8

Implements hook_entity_field_access().

File

./role_delegation.module, line 199
Allows admins to grant roles the authority to assign selected roles to users.

Code

/**
 * Implements hook_entity_field_access().
 *
 * Decides edit access to the 'role_change' field on user entities. Any other
 * operation, field or entity type gets a neutral result, so this hook has no
 * opinion on it. $items is accepted to satisfy the hook signature and is not
 * read.
 *
 * Every non-neutral result varies by the account's permissions, so a cached
 * decision is not reused for an account with a different permission set.
 *
 * NOTE(review): this hook gates the field as a whole. Which individual roles
 * the account may assign is not checked here; presumably that is enforced
 * where the submitted field values are processed. Verify against that code.
 */
function role_delegation_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  $is_role_change_edit = $operation === 'edit'
    && $field_definition->getName() === 'role_change'
    && $field_definition->getTargetEntityTypeId() === 'user';

  // Everything other than editing the user 'role_change' field is left to
  // other access handlers.
  if (!$is_role_change_edit) {
    return AccessResult::neutral();
  }

  // Accounts holding 'administer permissions' already reach the normal roles
  // field, so the delegation field is explicitly denied to them.
  if ($account->hasPermission('administer permissions')) {
    return AccessResult::forbidden()->cachePerPermissions();
  }

  // Candidate permissions: the blanket 'assign all roles' first, followed by
  // the permission names (array keys) reported by the generator service.
  $candidates = array_keys(
    \Drupal::service('permission_generator.role_delegation')->rolePermissions()
  );
  array_unshift($candidates, 'assign all roles');

  // Holding any single delegation permission is enough to edit the field.
  foreach ($candidates as $candidate) {
    if ($account->hasPermission($candidate)) {
      return AccessResult::allowed()->cachePerPermissions();
    }
  }

  // No delegation permission at all: deny explicitly rather than stay neutral.
  return AccessResult::forbidden()->cachePerPermissions();
}