1 <?php
3 namespace Drupal\jsonapi\Access;
5 use Drupal\Core\Access\AccessResult;
6 use Drupal\Core\Access\AccessResultReasonInterface;
7 use Drupal\Core\Cache\CacheableMetadata;
8 use Drupal\Core\Entity\FieldableEntityInterface;
9 use Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException;
10 use Drupal\Core\Routing\Access\AccessInterface;
11 use Drupal\Core\Session\AccountInterface;
12 use Drupal\jsonapi\ResourceType\ResourceType;
13 use Drupal\jsonapi\Routing\Routes;
14 use Symfony\Component\HttpFoundation\Request;
15 use Symfony\Component\Routing\Route;
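/**
 * Defines a class to check access to related and relationship routes.
 *
 * @internal JSON:API maintains no PHP API. The API is the HTTP API. This class
 *   may change at any time and could break any dependencies on it.
 *
 * @see https://www.drupal.org/project/jsonapi/issues/3032787
 * @see jsonapi.api.php
 */
class RelationshipFieldAccess implements AccessInterface {

  /**
   * The route requirement key for this access check.
   *
   * @var string
   */
  const ROUTE_REQUIREMENT_KEY = '_jsonapi_relationship_field_access';

  /**
   * The JSON:API entity access checker.
   *
   * @var \Drupal\jsonapi\Access\EntityAccessChecker
   */
  protected $entityAccessChecker;

  /**
   * RelationshipFieldAccess constructor.
   *
   * @param \Drupal\jsonapi\Access\EntityAccessChecker $entity_access_checker
   *   The JSON:API entity access checker.
   */
  public function __construct(EntityAccessChecker $entity_access_checker) {
    $this->entityAccessChecker = $entity_access_checker;
  }

  /**
   * Checks access to the relationship field on the given route.
   *
   * Access is granted only when both the host entity ('view' or 'update') and
   * the relationship field ('view' or 'edit') allow the operation. A denied
   * cacheable (GET/HEAD) request is turned into a cacheable 403 that carries
   * the access reason; a denied non-cacheable request returns the result to
   * the caller instead.
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The incoming HTTP request object.
   * @param \Symfony\Component\Routing\Route $route
   *   The route to check against.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The currently logged in account.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result. Neutral when the request carries no resolved resource
   *   type or the entity has no such relationship field, so this checker never
   *   grants access on its own in those cases.
   *
   * @throws \Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException
   *   When a cacheable request is denied access to the relationship field.
   */
  public function access(Request $request, Route $route, AccountInterface $account) {
    $relationship_field_name = $route->getRequirement(static::ROUTE_REQUIREMENT_KEY);
    // GET/HEAD only read the relationship; every other method mutates it.
    $is_read = $request->isMethodCacheable();
    $field_operation = $is_read ? 'view' : 'edit';
    $entity_operation = $is_read ? 'view' : 'update';

    // Read the resource type and entity from the request attributes only.
    // Request::get() also falls back to query and body parameters, which are
    // client-controlled; those must not be able to stand in for the values the
    // router resolved. An explicit type check replaces the former assert(),
    // which is a no-op when assertions are disabled.
    $resource_type = $request->attributes->get(Routes::RESOURCE_TYPE_KEY);
    if (!$resource_type instanceof ResourceType) {
      return AccessResult::neutral();
    }
    $entity = $request->attributes->get('entity');
    $internal_name = $resource_type->getInternalName($relationship_field_name);
    if (!$entity instanceof FieldableEntityInterface || !$entity->hasField($internal_name)) {
      return AccessResult::neutral();
    }

    $entity_access = $this->entityAccessChecker->checkEntityAccess($entity, $entity_operation, $account);
    // TRUE asks for an access result object so its cacheability metadata can
    // be combined with the entity access result below.
    $field_access = $entity->get($internal_name)->access($field_operation, $account, TRUE);
    // Ensure that access is respected for different entity revisions.
    $access_result = $entity_access->andIf($field_access);
    if ($access_result->isAllowed()) {
      return $access_result;
    }

    $reason = "The current user is not allowed to {$field_operation} this relationship.";
    $access_reason = $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : NULL;
    // Compare explicitly instead of empty() so a reason of "0" is not dropped.
    $detailed_reason = ($access_reason === NULL || $access_reason === '') ? $reason : $reason . " {$access_reason}";
    if ($access_result instanceof AccessResultReasonInterface) {
      $access_result->setReason($detailed_reason);
    }
    if ($is_read) {
      // A denied read is thrown as a cacheable 403 so the response inherits the
      // cacheability of the access result (e.g. permissions, entity).
      throw new CacheableAccessDeniedHttpException(CacheableMetadata::createFromObject($access_result), $detailed_reason);
    }
    return $access_result;
  }

}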