
function userprotect_user_access in User protect 8

Implements hook_ENTITY_TYPE_access() for entity type "user".

File

./userprotect.module, line 31
Allows admins to protect users from being edited or cancelled.

Code

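/**
 * Implements hook_ENTITY_TYPE_access() for entity type "user".
 *
 * Decides whether $account may perform $op on the user $entity:
 * - 'view' and 'view label' are never restricted (neutral).
 * - Accounts with "userprotect.bypass_all" skip every check made here.
 * - A user acting on their own account needs the matching role permission
 *   for name, mail, password, edit and delete operations.
 * - For any other user, each protection rule that the account may not bypass
 *   is consulted; the first rule that protects the entity forbids access.
 * - Operations defined by this module that were not forbidden fall back to
 *   the entity's regular 'update' or 'delete' access.
 *
 * Every result that depends on the account or the entity carries cacheability
 * metadata, so a decision computed for one user or permission set is not
 * reused for another wherever the access result is cached.
 *
 * @param \Drupal\user\UserInterface $entity
 *   The user entity access is checked for.
 * @param string $op
 *   The operation, e.g. 'update', 'user_mail' or 'user_delete'.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account that wants to perform the operation.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   Neutral, allowed or forbidden, as described above.
 */
function userprotect_user_access(UserInterface $entity, $op, AccountInterface $account) {
  // User Protect doesn't limit view access in any way, so bail out early to
  // save time. The comparison is strict so that a non-string $op can never
  // loosely match one of the view operations and skip the checks below.
  if (in_array($op, ['view', 'view label'], TRUE)) {
    return AccessResult::neutral();
  }

  // Set as soon as one of the checks below denies the operation.
  $result = NULL;

  // Accounts with "userprotect.bypass_all" ignore all protection rules.
  if (!$account->hasPermission('userprotect.bypass_all')) {
    // Ids are compared loosely on purpose: they may be integers or numeric
    // strings depending on where they were loaded from.
    // NOTE(review): an unsaved entity (id NULL) also compares equal to an
    // account id of 0 here - confirm new entities never reach this hook.
    if ($entity->id() == $account->id()) {
      // Users editing their own accounts have the permissions for e-mail
      // and password determined by the role-based setting in the userprotect
      // section at admin/config/people/permissions. This is done for
      // consistency with the way core handles the self-editing of usernames.
      $required_permission = NULL;
      switch ($op) {
        case 'user_name':
          $required_permission = 'change own username';
          break;

        case 'user_mail':
          $required_permission = 'userprotect.mail.edit';
          break;

        case 'user_pass':
          $required_permission = 'userprotect.pass.edit';
          break;

        case 'user_edit':
        case 'update':
          $required_permission = 'userprotect.account.edit';
          break;

        case 'user_delete':
          $required_permission = 'cancel account';
          break;
      }
      if ($required_permission !== NULL && !$account->hasPermission($required_permission)) {
        $result = AccessResult::forbidden();
      }
    }
    else {
      // NOTE(review): the outcome below also depends on the protection rules
      // themselves. Their cacheability is not added to the result because the
      // rule type is not visible here - confirm whether rule changes need to
      // invalidate cached access results.
      foreach (userprotect_get_user_protection_rules($entity) as $rule) {
        // The given account has the permission to bypass this rule.
        if ($account->hasPermission($rule->getPermissionName())) {
          continue;
        }
        if ($rule->isProtected($entity, $op, $account)) {
          $result = AccessResult::forbidden();
          break;
        }
      }
    }
  }

  if ($result === NULL) {
    // Fallback to other operation checks for operations defined by this
    // module. The inner check is requested as an object so its cacheability
    // can be merged; anything short of "allowed" is still turned into an
    // explicit forbidden, exactly as before.
    switch ($op) {
      case 'user_name':
      case 'user_mail':
      case 'user_pass':
      case 'user_status':
      case 'user_roles':
      case 'user_edit':
        $entity_access = $entity->access('update', $account, TRUE);
        $result = $entity_access->isAllowed() ? AccessResult::allowed() : AccessResult::forbidden();
        $result->addCacheableDependency($entity_access);
        break;

      case 'user_delete':
        $entity_access = $entity->access('delete', $account, TRUE);
        $result = $entity_access->isAllowed() ? AccessResult::allowed() : AccessResult::forbidden();
        $result->addCacheableDependency($entity_access);
        break;

      default:
        $result = AccessResult::neutral();
    }
  }

  // The decision varies by the account's permissions, by whether the account
  // is the entity being acted on, and by the entity itself.
  return $result
    ->cachePerPermissions()
    ->cachePerUser()
    ->addCacheableDependency($entity);
}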