annotate core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php @ 13:5fb285c0d0e3

Update Drupal core to 8.4.7 via Composer. Security update; I *think* we've been lucky to get away with this so far, as we don't support self-registration which seems to be used by the so-called "drupalgeddon 2" attack that 8.4.5 was vulnerable to.
author Chris Cannam
date Mon, 23 Apr 2018 09:33:26 +0100
parents 4c8ae668cc8c
children 129ea1e6d783
rev   line source
Chris@0 1 <?php
Chris@0 2
Chris@0 3 namespace Drupal\Core\Entity;
Chris@0 4
Chris@0 5 use Drupal\Core\Access\AccessResult;
Chris@0 6 use Drupal\Core\Routing\Access\AccessInterface;
Chris@0 7 use Drupal\Core\Routing\RouteMatchInterface;
Chris@0 8 use Drupal\Core\Session\AccountInterface;
Chris@0 9 use Symfony\Component\Routing\Route;
Chris@0 10
/**
 * Route access checker that gates entity creation.
 *
 * The checker reads the '_entity_create_access' route requirement, whose
 * value has the form 'entity_type' or 'entity_type:bundle', and asks that
 * entity type's access control handler whether the account may create it.
 */
class EntityCreateAccessCheck implements AccessInterface {

  /**
   * The entity manager, used to look up access control handlers.
   *
   * @var \Drupal\Core\Entity\EntityManagerInterface
   */
  protected $entityManager;

  /**
   * Name of the route requirement this checker reads.
   *
   * @var string
   */
  protected $requirementsKey = '_entity_create_access';

  /**
   * Constructs an EntityCreateAccessCheck object.
   *
   * @param \Drupal\Core\Entity\EntityManagerInterface $entity_manager
   *   The entity manager.
   */
  public function __construct(EntityManagerInterface $entity_manager) {
    $this->entityManager = $entity_manager;
  }

  /**
   * Checks whether the account may create the entity type/bundle of a route.
   *
   * The bundle part of the requirement may contain '{name}' placeholders.
   * They are filled in from the raw route parameters, so the bundle string
   * handed to the access control handler can be built from those values.
   * NOTE(review): raw parameters are presumably request-derived; nothing here
   * validates the resulting bundle name, so the handler's createAccess() is
   * the only place that decides whether it is acceptable - confirm that
   * handlers treat unknown bundles safely.
   *
   * @param \Symfony\Component\Routing\Route $route
   *   The route whose requirement is evaluated.
   * @param \Drupal\Core\Routing\RouteMatchInterface $route_match
   *   The route match supplying the raw parameter values.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account access is checked for.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The handler's create-access result, or a neutral result when a
   *   placeholder in the bundle could not be resolved.
   */
  public function access(Route $route, RouteMatchInterface $route_match, AccountInterface $account) {
    // The trailing ':' guarantees a second element even when the requirement
    // names only an entity type, so $bundle is '' rather than undefined.
    $parts = explode(':', $route->getRequirement($this->requirementsKey) . ':');
    $entity_type = $parts[0];
    $bundle = $parts[1];

    $needs_substitution = $bundle && strpos($bundle, '{') !== FALSE;
    if ($needs_substitution) {
      // Replace each '{name}' token with the matching raw parameter value.
      // Tokens with no matching parameter are left in place.
      $raw_parameters = $route_match->getRawParameters()->all();
      foreach ($raw_parameters as $name => $value) {
        $token = '{' . $name . '}';
        $bundle = str_replace($token, $value, $bundle);
      }

      // A remaining '{' means the bundle was not fully resolved, so the
      // handler is never consulted with a half-substituted name.
      // NOTE(review): this returns neutral(), not forbidden(); the intent is
      // denial, which relies on how the caller combines access results -
      // confirm against the access manager.
      if (strpos($bundle, '{') !== FALSE) {
        return AccessResult::neutral();
      }
    }

    $handler = $this->entityManager->getAccessControlHandler($entity_type);
    // Final TRUE asks for an access result object rather than a boolean.
    return $handler->createAccess($bundle, $account, [], TRUE);
  }

}