protected function UserAccessControlHandler::checkFieldAccess in Zircon Profile 8
Same name and namespace in other branches
- 8.0 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()
Default field access as determined by this access control handler.
Parameters
string $operation: The operation access should be checked for. Usually one of "view" or "edit".
\Drupal\Core\Field\FieldDefinitionInterface $field_definition: The field definition.
\Drupal\Core\Session\AccountInterface $account: The user session for which to check access.
\Drupal\Core\Field\FieldItemListInterface $items: (optional) The field values for which to check access, or NULL if access is checked for the field definition, without any specific value available. Defaults to NULL.
Return value
bool TRUE if access is allowed, FALSE otherwise.
Overrides EntityAccessControlHandler::checkFieldAccess
File
- core/
modules/ user/ src/ UserAccessControlHandler.php, line 68 - Contains \Drupal\user\UserAccessControlHandler.
Class
- UserAccessControlHandler
- Defines the access control handler for the user entity type.
Namespace
Drupal\userCode
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
// Fields that are not implicitly allowed to administrative users.
$explicit_check_fields = array(
'pass',
);
// Administrative users are allowed to edit and view all fields.
if (!in_array($field_definition
->getName(), $explicit_check_fields) && $account
->hasPermission('administer users')) {
return AccessResult::allowed()
->cachePerPermissions();
}
// Flag to indicate if this user entity is the own user account.
$is_own_account = $items ? $items
->getEntity()
->id() == $account
->id() : FALSE;
switch ($field_definition
->getName()) {
case 'name':
// Allow view access to anyone with access to the entity. Anonymous
// users should be able to access the username field during the
// registration process, otherwise the username and email constraints
// are not checked.
if ($operation == 'view' || $items && $account
->isAnonymous() && $items
->getEntity()
->isAnonymous()) {
return AccessResult::allowed()
->cachePerPermissions();
}
// Allow edit access for the own user name if the permission is
// satisfied.
if ($is_own_account && $account
->hasPermission('change own username')) {
return AccessResult::allowed()
->cachePerPermissions()
->cachePerUser();
}
else {
return AccessResult::forbidden();
}
case 'preferred_langcode':
case 'preferred_admin_langcode':
case 'timezone':
case 'mail':
// Allow view access to own mail address and other personalization
// settings.
if ($operation == 'view') {
return $is_own_account ? AccessResult::allowed()
->cachePerUser() : AccessResult::forbidden();
}
// Anyone that can edit the user can also edit this field.
return AccessResult::allowed()
->cachePerPermissions();
case 'pass':
// Allow editing the password, but not viewing it.
return $operation == 'edit' ? AccessResult::allowed() : AccessResult::forbidden();
case 'created':
// Allow viewing the created date, but not editing it.
return $operation == 'view' ? AccessResult::allowed() : AccessResult::forbidden();
case 'roles':
case 'status':
case 'access':
case 'login':
case 'init':
return AccessResult::forbidden();
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}