
class RoleAccess in Search API 8

Adds access checks based on user roles.

Plugin annotation


@SearchApiProcessor(
  id = "role_access",
  label = @Translation("Role-based access"),
  description = @Translation("Adds an access check based on a user's roles. This may be sufficient for sites where access is primarily granted or denied based on roles and permissions. For grants-based access checks on ""Content"" or ""Comment"" entities the ""Content access"" processor may be a suitable alternative."),
  stages = {
    "add_properties" = 0,
    "pre_index_save" = -10,
    "preprocess_query" = -30,
  },
)

Hierarchy

Expanded class hierarchy of RoleAccess

File

src/Plugin/search_api/processor/RoleAccess.php, line 32

Namespace

Drupal\search_api\Plugin\search_api\processor
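class RoleAccess extends ProcessorPluginBase {
  use LoggerTrait;

  /**
   * The property added for the role-based access data.
   *
   * Holds, per indexed item, the IDs of the roles that were granted access to
   * the item when it was indexed.
   *
   * @todo Make protected once we depend on PHP 7.1+.
   */
  const ROLE_ACCESS_FIELD = 'search_api_role_access';

  /**
   * The current user service used by this plugin.
   *
   * @var \Drupal\Core\Session\AccountProxyInterface|null
   */
  protected $currentUser;

  /**
   * The last UID assigned to a dummy account.
   *
   * Starts at PHP_INT_MAX and is decremented before each new dummy account is
   * created.
   *
   * @var int
   */
  protected static $lastUsedUid = PHP_INT_MAX;

  /**
   * The dummy accounts created so far, keyed by role ID.
   *
   * @var \Drupal\Core\Session\AccountInterface[]
   */
  protected static $roleDummyAccounts = [];

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
    /** @var static $processor */
    $processor = parent::create($container, $configuration, $plugin_id, $plugin_definition);

    $processor->setCurrentUser($container->get('current_user'));
    $processor->setLogger($container->get('logger.channel.search_api'));

    return $processor;
  }

  /**
   * Retrieves the current user.
   *
   * Falls back to the global current user service if none was injected.
   *
   * @return \Drupal\Core\Session\AccountProxyInterface
   *   The current user.
   */
  public function getCurrentUser() {
    return $this->currentUser ?: \Drupal::currentUser();
  }

  /**
   * Sets the current user.
   *
   * @param \Drupal\Core\Session\AccountProxyInterface $current_user
   *   The current user.
   *
   * @return $this
   */
  public function setCurrentUser(AccountProxyInterface $current_user) {
    $this->currentUser = $current_user;
    return $this;
  }

  /**
   * {@inheritdoc}
   */
  public function getPropertyDefinitions(DatasourceInterface $datasource = NULL) {
    $properties = [];

    // The access property is only defined as a datasource-independent
    // property, so nothing is returned when a datasource is passed.
    if (!$datasource) {
      $definition = [
        'label' => $this->t('Role-based access information'),
        'description' => $this->t('Data needed to apply role-based item access'),
        'type' => 'string',
        'processor_id' => $this->getPluginId(),
        'hidden' => TRUE,
        'is_list' => TRUE,
      ];
      $properties[static::ROLE_ACCESS_FIELD] = new ProcessorProperty($definition);
    }

    return $properties;
  }

  /**
   * {@inheritdoc}
   */
  public function addFieldValues(ItemInterface $item) {
    // Each role is evaluated on its own, using a transient account that holds
    // only that role. The stored list is therefore a snapshot of per-role
    // access at indexing time; the query-time filter only compares against
    // these stored values, so later permission changes presumably take effect
    // for an item only once it has been reindexed.
    $role_has_access = function (RoleInterface $role) use ($item) {
      $transient_account = $this->createTransientAccountWithRole($role);
      return $item->getDatasource()
        ->getItemAccessResult($item->getOriginalObject(), $transient_account)
        ->isAllowed();
    };
    $allowed_roles = array_filter(user_roles(), $role_has_access);
    $allowed_roles = array_map(function (RoleInterface $role) {
      return $role->id();
    }, $allowed_roles);

    $fields = $item->getFields();
    $fields = $this->getFieldsHelper()
      ->filterForPropertyPath($fields, NULL, static::ROLE_ACCESS_FIELD);
    foreach ($fields as $field) {
      $field->setValues($allowed_roles);
    }
  }

  /**
   * Creates a transient user with the given role for access checking.
   *
   * No user entity will be created or saved. Accounts are cached statically
   * per role ID, so each role gets at most one dummy account per request.
   *
   * @param \Drupal\user\RoleInterface $role
   *   The role for which to create a user session.
   *
   * @return \Drupal\Core\Session\AccountInterface
   *   A representation of a user account with the given role.
   */
  protected function createTransientAccountWithRole(RoleInterface $role) : AccountInterface {
    $role_id = $role->id();

    if (empty(static::$roleDummyAccounts[$role_id])) {
      if ($role_id === AccountInterface::ANONYMOUS_ROLE) {
        $uid = 0;
      }
      else {
        // Dummy UIDs count down from PHP_INT_MAX; presumably this keeps them
        // from colliding with the UIDs of real accounts.
        $uid = --static::$lastUsedUid;
      }
      static::$roleDummyAccounts[$role_id] = new UserSession([
        'roles' => [
          $role_id,
        ],
        'uid' => $uid,
      ]);
    }

    return static::$roleDummyAccounts[$role_id];
  }

  /**
   * {@inheritdoc}
   */
  public function preIndexSave() {
    $this->ensureField(NULL, static::ROLE_ACCESS_FIELD, 'string')
      ->setHidden();
  }

  /**
   * {@inheritdoc}
   */
  public function preprocessSearchQuery(QueryInterface $query) {
    // Queries carrying this option are executed without any role filter, so
    // code that sets it takes over responsibility for access control.
    if ($query->getOption('search_api_bypass_access')) {
      return;
    }

    $account = $query->getOption('search_api_access_account', $this->getCurrentUser());
    if (is_numeric($account)) {
      $account = User::load($account);
    }

    // Fail closed: a UID that cannot be loaded (or any other value that is not
    // an account) must not reach the getRoles() call below, where it would
    // trigger a fatal error instead of a controlled, logged abort.
    if (!($account instanceof AccountInterface)) {
      $query->abort();
      $this->getLogger()->warning('Role-based access checks could not be added to a search query on index %index since the account to check access for could not be determined. The query was aborted.', [
        '%index' => $query->getIndex()->label(),
      ]);
      return;
    }

    $role_field = $this->findField(NULL, static::ROLE_ACCESS_FIELD, 'string');
    if ($role_field) {
      // Only items indexed with at least one of the account's roles match.
      $query->addCondition($role_field->getFieldIdentifier(), $account->getRoles(), 'IN');
    }
    else {
      // Without the access field no filter can be applied, so the query is
      // aborted rather than run unrestricted.
      $query->abort();
      $this->getLogger()->warning('Role-based access checks could not be added to a search query on index %index since the required field is not available. Please re-save the index.', [
        '%index' => $query->getIndex()->label(),
      ]);
    }
  }

}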

Members

Name Modifiers Type Description Overrides
ConfigurablePluginBase::calculateDependencies public function Calculates dependencies for the configured plugin. Overrides DependentPluginInterface::calculateDependencies 6
ConfigurablePluginBase::calculatePluginDependencies Deprecated protected function Calculates and adds dependencies of a specific plugin instance.
ConfigurablePluginBase::defaultConfiguration public function Gets default configuration for this plugin. Overrides ConfigurableInterface::defaultConfiguration 11
ConfigurablePluginBase::getConfiguration public function Gets this plugin's configuration. Overrides ConfigurableInterface::getConfiguration
ConfigurablePluginBase::getDescription public function Returns the plugin's description. Overrides ConfigurablePluginInterface::getDescription
ConfigurablePluginBase::getPluginDependencies Deprecated protected function Calculates and returns dependencies of a specific plugin instance.
ConfigurablePluginBase::label public function Returns the label for use on the administration pages. Overrides ConfigurablePluginInterface::label
ConfigurablePluginBase::moduleHandler Deprecated protected function Wraps the module handler.
ConfigurablePluginBase::onDependencyRemoval public function Informs the plugin that some of its dependencies are being removed. Overrides ConfigurablePluginInterface::onDependencyRemoval 5
ConfigurablePluginBase::setConfiguration public function Sets the configuration for this plugin instance. Overrides ConfigurableInterface::setConfiguration 3
ConfigurablePluginBase::themeHandler Deprecated protected function Wraps the theme handler.
DependencySerializationTrait::$_entityStorages protected property An array of entity type IDs keyed by the property name of their storages.
DependencySerializationTrait::$_serviceIds protected property An array of service IDs keyed by property name used for serialization.
DependencySerializationTrait::__sleep public function 1
DependencySerializationTrait::__wakeup public function 2
DependencyTrait::$dependencies protected property The object's dependencies.
DependencyTrait::addDependencies protected function Adds multiple dependencies.
DependencyTrait::addDependency protected function Adds a dependency.
IndexPluginBase::$index protected property The index this processor is configured for.
IndexPluginBase::getIndex public function Retrieves the index this plugin is configured for. Overrides IndexPluginInterface::getIndex
IndexPluginBase::setIndex public function Sets the index this plugin is configured for. Overrides IndexPluginInterface::setIndex
IndexPluginBase::__construct public function Constructs a \Drupal\Component\Plugin\PluginBase object. Overrides ConfigurablePluginBase::__construct 2
LoggerTrait::$logger protected property The logging channel to use.
LoggerTrait::getLogger public function Retrieves the logger.
LoggerTrait::logException protected function Logs an exception.
LoggerTrait::setLogger public function Sets the logger.
MessengerTrait::$messenger protected property The messenger. 29
MessengerTrait::messenger public function Gets the messenger. 29
MessengerTrait::setMessenger public function Sets the messenger.
PluginBase::$configuration protected property Configuration information passed into the plugin. 1
PluginBase::$pluginDefinition protected property The plugin implementation definition. 1
PluginBase::$pluginId protected property The plugin_id.
PluginBase::DERIVATIVE_SEPARATOR constant A string which is used to separate base plugin IDs from the derivative ID.
PluginBase::getBaseId public function Gets the base_plugin_id of the plugin instance. Overrides DerivativeInspectionInterface::getBaseId
PluginBase::getDerivativeId public function Gets the derivative_id of the plugin instance. Overrides DerivativeInspectionInterface::getDerivativeId
PluginBase::getPluginDefinition public function Gets the definition of the plugin implementation. Overrides PluginInspectionInterface::getPluginDefinition 3
PluginBase::getPluginId public function Gets the plugin_id of the plugin instance. Overrides PluginInspectionInterface::getPluginId
PluginBase::isConfigurable public function Determines if the plugin is configurable.
PluginDependencyTrait::calculatePluginDependencies protected function Calculates and adds dependencies of a specific plugin instance. Aliased as: traitCalculatePluginDependencies 1
PluginDependencyTrait::getPluginDependencies protected function Calculates and returns dependencies of a specific plugin instance. Aliased as: traitGetPluginDependencies
PluginDependencyTrait::moduleHandler protected function Wraps the module handler. Aliased as: traitModuleHandler 1
PluginDependencyTrait::themeHandler protected function Wraps the theme handler. Aliased as: traitThemeHandler 1
ProcessorInterface::STAGE_ADD_PROPERTIES constant Processing stage: add properties.
ProcessorInterface::STAGE_ALTER_ITEMS constant Processing stage: alter indexed items.
ProcessorInterface::STAGE_POSTPROCESS_QUERY constant Processing stage: postprocess query.
ProcessorInterface::STAGE_PREPROCESS_INDEX constant Processing stage: preprocess index.
ProcessorInterface::STAGE_PREPROCESS_QUERY constant Processing stage: preprocess query.
ProcessorInterface::STAGE_PRE_INDEX_SAVE constant Processing stage: preprocess index.
ProcessorPluginBase::$fieldsHelper protected property The fields helper. 1
ProcessorPluginBase::alterIndexedItems public function Alter the items to be indexed. Overrides ProcessorInterface::alterIndexedItems 3
ProcessorPluginBase::ensureField protected function Ensures that a field with certain properties is indexed on the index.
ProcessorPluginBase::findField protected function Finds a certain field in the index.
ProcessorPluginBase::getFieldsHelper public function Retrieves the fields helper. 1
ProcessorPluginBase::getWeight public function Returns the weight for a specific processing stage. Overrides ProcessorInterface::getWeight
ProcessorPluginBase::isHidden public function Determines whether this plugin should be hidden in the UI. Overrides HideablePluginBase::isHidden
ProcessorPluginBase::isLocked public function Determines whether this processor should always be enabled. Overrides ProcessorInterface::isLocked
ProcessorPluginBase::postprocessSearchResults public function Postprocess search results before they are returned by the query. Overrides ProcessorInterface::postprocessSearchResults 2
ProcessorPluginBase::preprocessIndexItems public function Preprocesses search items for indexing. Overrides ProcessorInterface::preprocessIndexItems 5
ProcessorPluginBase::requiresReindexing public function Determines whether re-indexing is required after a settings change. Overrides ProcessorInterface::requiresReindexing
ProcessorPluginBase::setFieldsHelper public function Sets the fields helper. 1
ProcessorPluginBase::setWeight public function Sets the weight for a specific processing stage. Overrides ProcessorInterface::setWeight
ProcessorPluginBase::supportsIndex public static function Checks whether this processor is applicable for a certain index. Overrides ProcessorInterface::supportsIndex 8
ProcessorPluginBase::supportsStage public function Checks whether this processor implements a particular stage. Overrides ProcessorInterface::supportsStage 2
RoleAccess::$currentUser protected property The current user service used by this plugin.
RoleAccess::$lastUsedUid protected static property The last UID assigned to a dummy account.
RoleAccess::$roleDummyAccounts protected static property The dummy accounts created so far, keyed by role ID.
RoleAccess::addFieldValues public function Adds the values of properties defined by this processor to the item. Overrides ProcessorPluginBase::addFieldValues
RoleAccess::create public static function Creates an instance of the plugin. Overrides ProcessorPluginBase::create
RoleAccess::createTransientAccountWithRole protected function Creates a transient user with the given role for access checking.
RoleAccess::getCurrentUser public function Retrieves the current user.
RoleAccess::getPropertyDefinitions public function Retrieves the properties this processor defines for the given datasource. Overrides ProcessorPluginBase::getPropertyDefinitions
RoleAccess::preIndexSave public function Preprocesses the search index entity before it is saved. Overrides ProcessorPluginBase::preIndexSave
RoleAccess::preprocessSearchQuery public function Preprocesses a search query. Overrides ProcessorPluginBase::preprocessSearchQuery
RoleAccess::ROLE_ACCESS_FIELD constant
RoleAccess::setCurrentUser public function Sets the current user.
StringTranslationTrait::$stringTranslation protected property The string translation service. 1
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.