class UserAccessControlHandler in Zircon Profile 8
Same name and namespace in other branches
- 8.0 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler
Defines the access control handler for the user entity type.
Hierarchy
- class \Drupal\Core\Entity\EntityHandlerBase uses DependencySerializationTrait, StringTranslationTrait
- class \Drupal\Core\Entity\EntityAccessControlHandler implements EntityAccessControlHandlerInterface
- class \Drupal\user\UserAccessControlHandler
- class \Drupal\Core\Entity\EntityAccessControlHandler implements EntityAccessControlHandlerInterface
Expanded class hierarchy of UserAccessControlHandler
See also
1 file declares its use of UserAccessControlHandler
- UserAccessControlHandlerTest.php in core/
modules/ user/ tests/ src/ Unit/ UserAccessControlHandlerTest.php - Contains \Drupal\Tests\user\Unit\UserAccessControlHandlerTest.
File
- core/
modules/ user/ src/ UserAccessControlHandler.php, line 22 - Contains \Drupal\user\UserAccessControlHandler.
Namespace
Drupal\userView source
class UserAccessControlHandler extends EntityAccessControlHandler {
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
/** @var \Drupal\user\UserInterface $entity*/
// The anonymous user's profile can neither be viewed, updated nor deleted.
if ($entity
->isAnonymous()) {
return AccessResult::forbidden();
}
// Administrators can view/update/delete all user profiles.
if ($account
->hasPermission('administer users')) {
return AccessResult::allowed()
->cachePerPermissions();
}
switch ($operation) {
case 'view':
// Only allow view access if the account is active.
if ($account
->hasPermission('access user profiles') && $entity
->isActive()) {
return AccessResult::allowed()
->cachePerPermissions()
->cacheUntilEntityChanges($entity);
}
else {
if ($account
->id() == $entity
->id()) {
return AccessResult::allowed()
->cachePerUser();
}
}
break;
case 'update':
// Users can always edit their own account.
return AccessResult::allowedIf($account
->id() == $entity
->id())
->cachePerUser();
case 'delete':
// Users with 'cancel account' permission can cancel their own account.
return AccessResult::allowedIf($account
->id() == $entity
->id() && $account
->hasPermission('cancel account'))
->cachePerPermissions()
->cachePerUser();
}
// No opinion.
return AccessResult::neutral();
}
/**
* {@inheritdoc}
*/
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
// Fields that are not implicitly allowed to administrative users.
$explicit_check_fields = array(
'pass',
);
// Administrative users are allowed to edit and view all fields.
if (!in_array($field_definition
->getName(), $explicit_check_fields) && $account
->hasPermission('administer users')) {
return AccessResult::allowed()
->cachePerPermissions();
}
// Flag to indicate if this user entity is the own user account.
$is_own_account = $items ? $items
->getEntity()
->id() == $account
->id() : FALSE;
switch ($field_definition
->getName()) {
case 'name':
// Allow view access to anyone with access to the entity. Anonymous
// users should be able to access the username field during the
// registration process, otherwise the username and email constraints
// are not checked.
if ($operation == 'view' || $items && $account
->isAnonymous() && $items
->getEntity()
->isAnonymous()) {
return AccessResult::allowed()
->cachePerPermissions();
}
// Allow edit access for the own user name if the permission is
// satisfied.
if ($is_own_account && $account
->hasPermission('change own username')) {
return AccessResult::allowed()
->cachePerPermissions()
->cachePerUser();
}
else {
return AccessResult::forbidden();
}
case 'preferred_langcode':
case 'preferred_admin_langcode':
case 'timezone':
case 'mail':
// Allow view access to own mail address and other personalization
// settings.
if ($operation == 'view') {
return $is_own_account ? AccessResult::allowed()
->cachePerUser() : AccessResult::forbidden();
}
// Anyone that can edit the user can also edit this field.
return AccessResult::allowed()
->cachePerPermissions();
case 'pass':
// Allow editing the password, but not viewing it.
return $operation == 'edit' ? AccessResult::allowed() : AccessResult::forbidden();
case 'created':
// Allow viewing the created date, but not editing it.
return $operation == 'view' ? AccessResult::allowed() : AccessResult::forbidden();
case 'roles':
case 'status':
case 'access':
case 'login':
case 'init':
return AccessResult::forbidden();
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
}
Members
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
DependencySerializationTrait:: |
protected | property | An array of service IDs keyed by property name used for serialization. | |
DependencySerializationTrait:: |
public | function | 1 | |
DependencySerializationTrait:: |
public | function | 2 | |
EntityAccessControlHandler:: |
protected | property | Stores calculated access check results. | |
EntityAccessControlHandler:: |
protected | property | Information about the entity type. | |
EntityAccessControlHandler:: |
protected | property | The entity type ID of the access control handler instance. | |
EntityAccessControlHandler:: |
public | function |
Checks access to an operation on a given entity or entity translation. Overrides EntityAccessControlHandlerInterface:: |
1 |
EntityAccessControlHandler:: |
protected | function | Performs create access checks. | 9 |
EntityAccessControlHandler:: |
public | function |
Checks access to create an entity. Overrides EntityAccessControlHandlerInterface:: |
1 |
EntityAccessControlHandler:: |
public | function |
Checks access to an operation on a given entity field. Overrides EntityAccessControlHandlerInterface:: |
|
EntityAccessControlHandler:: |
protected | function | Tries to retrieve a previously cached access value from the static cache. | |
EntityAccessControlHandler:: |
protected | function | Loads the current account object, if it does not exist yet. | |
EntityAccessControlHandler:: |
protected | function | We grant access to the entity if both of these conditions are met: | |
EntityAccessControlHandler:: |
public | function |
Clears all cached access checks. Overrides EntityAccessControlHandlerInterface:: |
|
EntityAccessControlHandler:: |
protected | function | Statically caches whether the given user has access. | |
EntityAccessControlHandler:: |
public | function | Constructs an access control handler instance. | 4 |
EntityHandlerBase:: |
protected | property | The module handler to invoke hooks on. | 3 |
EntityHandlerBase:: |
protected | function | Gets the module handler. | 3 |
EntityHandlerBase:: |
public | function | Sets the module handler for this handler. | |
StringTranslationTrait:: |
protected | property | The string translation service. | |
StringTranslationTrait:: |
protected | function | Formats a string containing a count of items. | |
StringTranslationTrait:: |
protected | function | Returns the number of plurals supported by a given language. | |
StringTranslationTrait:: |
protected | function | Gets the string translation service. | |
StringTranslationTrait:: |
public | function | Sets the string translation service to use. | 2 |
StringTranslationTrait:: |
protected | function | Translates a string to the current language or to a given language. | |
UserAccessControlHandler:: |
protected | function |
Performs access checks. Overrides EntityAccessControlHandler:: |
|
UserAccessControlHandler:: |
protected | function |
Default field access as determined by this access control handler. Overrides EntityAccessControlHandler:: |