You are here

class UserAccessControlHandler in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler

Defines the access control handler for the user entity type.

Hierarchy

Expanded class hierarchy of UserAccessControlHandler

See also

\Drupal\user\Entity\User

1 file declares its use of UserAccessControlHandler
UserAccessControlHandlerTest.php in core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php
Contains \Drupal\Tests\user\Unit\UserAccessControlHandlerTest.

File

core/modules/user/src/UserAccessControlHandler.php, line 22
Contains \Drupal\user\UserAccessControlHandler.

Namespace

Drupal\user
View source
class UserAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {

    /** @var \Drupal\user\UserInterface $entity*/

    // The anonymous user's profile can neither be viewed, updated nor deleted.
    if ($entity
      ->isAnonymous()) {
      return AccessResult::forbidden();
    }

    // Administrators can view/update/delete all user profiles.
    if ($account
      ->hasPermission('administer users')) {
      return AccessResult::allowed()
        ->cachePerPermissions();
    }
    switch ($operation) {
      case 'view':

        // Only allow view access if the account is active.
        if ($account
          ->hasPermission('access user profiles') && $entity
          ->isActive()) {
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cacheUntilEntityChanges($entity);
        }
        else {
          if ($account
            ->id() == $entity
            ->id()) {
            return AccessResult::allowed()
              ->cachePerUser();
          }
        }
        break;
      case 'update':

        // Users can always edit their own account.
        return AccessResult::allowedIf($account
          ->id() == $entity
          ->id())
          ->cachePerUser();
      case 'delete':

        // Users with 'cancel account' permission can cancel their own account.
        return AccessResult::allowedIf($account
          ->id() == $entity
          ->id() && $account
          ->hasPermission('cancel account'))
          ->cachePerPermissions()
          ->cachePerUser();
    }

    // No opinion.
    return AccessResult::neutral();
  }

  /**
   * {@inheritdoc}
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {

    // Fields that are not implicitly allowed to administrative users.
    $explicit_check_fields = array(
      'pass',
    );

    // Administrative users are allowed to edit and view all fields.
    if (!in_array($field_definition
      ->getName(), $explicit_check_fields) && $account
      ->hasPermission('administer users')) {
      return AccessResult::allowed()
        ->cachePerPermissions();
    }

    // Flag to indicate if this user entity is the own user account.
    $is_own_account = $items ? $items
      ->getEntity()
      ->id() == $account
      ->id() : FALSE;
    switch ($field_definition
      ->getName()) {
      case 'name':

        // Allow view access to anyone with access to the entity. Anonymous
        // users should be able to access the username field during the
        // registration process, otherwise the username and email constraints
        // are not checked.
        if ($operation == 'view' || $items && $account
          ->isAnonymous() && $items
          ->getEntity()
          ->isAnonymous()) {
          return AccessResult::allowed()
            ->cachePerPermissions();
        }

        // Allow edit access for the own user name if the permission is
        // satisfied.
        if ($is_own_account && $account
          ->hasPermission('change own username')) {
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser();
        }
        else {
          return AccessResult::forbidden();
        }
      case 'preferred_langcode':
      case 'preferred_admin_langcode':
      case 'timezone':
      case 'mail':

        // Allow view access to own mail address and other personalization
        // settings.
        if ($operation == 'view') {
          return $is_own_account ? AccessResult::allowed()
            ->cachePerUser() : AccessResult::forbidden();
        }

        // Anyone that can edit the user can also edit this field.
        return AccessResult::allowed()
          ->cachePerPermissions();
      case 'pass':

        // Allow editing the password, but not viewing it.
        return $operation == 'edit' ? AccessResult::allowed() : AccessResult::forbidden();
      case 'created':

        // Allow viewing the created date, but not editing it.
        return $operation == 'view' ? AccessResult::allowed() : AccessResult::forbidden();
      case 'roles':
      case 'status':
      case 'access':
      case 'login':
      case 'init':
        return AccessResult::forbidden();
    }
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

}

Members

Namesort descending Modifiers Type Description Overrides
DependencySerializationTrait::$_serviceIds protected property An array of service IDs keyed by property name used for serialization.
DependencySerializationTrait::__sleep public function 1
DependencySerializationTrait::__wakeup public function 2
EntityAccessControlHandler::$accessCache protected property Stores calculated access check results.
EntityAccessControlHandler::$entityType protected property Information about the entity type.
EntityAccessControlHandler::$entityTypeId protected property The entity type ID of the access control handler instance.
EntityAccessControlHandler::access public function Checks access to an operation on a given entity or entity translation. Overrides EntityAccessControlHandlerInterface::access 1
EntityAccessControlHandler::checkCreateAccess protected function Performs create access checks. 9
EntityAccessControlHandler::createAccess public function Checks access to create an entity. Overrides EntityAccessControlHandlerInterface::createAccess 1
EntityAccessControlHandler::fieldAccess public function Checks access to an operation on a given entity field. Overrides EntityAccessControlHandlerInterface::fieldAccess
EntityAccessControlHandler::getCache protected function Tries to retrieve a previously cached access value from the static cache.
EntityAccessControlHandler::prepareUser protected function Loads the current account object, if it does not exist yet.
EntityAccessControlHandler::processAccessHookResults protected function We grant access to the entity if both of these conditions are met:
EntityAccessControlHandler::resetCache public function Clears all cached access checks. Overrides EntityAccessControlHandlerInterface::resetCache
EntityAccessControlHandler::setCache protected function Statically caches whether the given user has access.
EntityAccessControlHandler::__construct public function Constructs an access control handler instance. 4
EntityHandlerBase::$moduleHandler protected property The module handler to invoke hooks on. 3
EntityHandlerBase::moduleHandler protected function Gets the module handler. 3
EntityHandlerBase::setModuleHandler public function Sets the module handler for this handler.
StringTranslationTrait::$stringTranslation protected property The string translation service.
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.
UserAccessControlHandler::checkAccess protected function Performs access checks. Overrides EntityAccessControlHandler::checkAccess
UserAccessControlHandler::checkFieldAccess protected function Default field access as determined by this access control handler. Overrides EntityAccessControlHandler::checkFieldAccess