Mercurial > hg > isophonics-drupal-site
diff core/modules/comment/src/CommentAccessControlHandler.php @ 0:4c8ae668cc8c
Initial import (non-working)
| author | Chris Cannam |
|---|---|
| date | Wed, 29 Nov 2017 16:09:58 +0000 |
| parents | |
| children | 129ea1e6d783 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/core/modules/comment/src/CommentAccessControlHandler.php Wed Nov 29 16:09:58 2017 +0000 @@ -0,0 +1,146 @@ +<?php + +namespace Drupal\comment; + +use Drupal\Core\Access\AccessResult; +use Drupal\Core\Entity\EntityAccessControlHandler; +use Drupal\Core\Entity\EntityInterface; +use Drupal\Core\Field\FieldDefinitionInterface; +use Drupal\Core\Field\FieldItemListInterface; +use Drupal\Core\Session\AccountInterface; + +/** + * Defines the access control handler for the comment entity type. + * + * @see \Drupal\comment\Entity\Comment + */ +class CommentAccessControlHandler extends EntityAccessControlHandler { + + /** + * {@inheritdoc} + */ + protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) { + /** @var \Drupal\comment\CommentInterface|\Drupal\user\EntityOwnerInterface $entity */ + + $comment_admin = $account->hasPermission('administer comments'); + if ($operation == 'approve') { + return AccessResult::allowedIf($comment_admin && !$entity->isPublished()) + ->cachePerPermissions() + ->addCacheableDependency($entity); + } + + if ($comment_admin) { + $access = AccessResult::allowed()->cachePerPermissions(); + return ($operation != 'view') ? $access : $access->andIf($entity->getCommentedEntity()->access($operation, $account, TRUE)); + } + + switch ($operation) { + case 'view': + $access_result = AccessResult::allowedIf($account->hasPermission('access comments') && $entity->isPublished())->cachePerPermissions()->addCacheableDependency($entity) + ->andIf($entity->getCommentedEntity()->access($operation, $account, TRUE)); + if (!$access_result->isAllowed()) { + $access_result->setReason("The 'access comments' permission is required and the comment must be published."); + } + + return $access_result; + + case 'update': + return AccessResult::allowedIf($account->id() && $account->id() == $entity->getOwnerId() && $entity->isPublished() && $account->hasPermission('edit own comments'))->cachePerPermissions()->cachePerUser()->addCacheableDependency($entity); + + default: + // No opinion. + return AccessResult::neutral()->cachePerPermissions(); + } + } + + /** + * {@inheritdoc} + */ + protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) { + return AccessResult::allowedIfHasPermission($account, 'post comments'); + } + + /** + * {@inheritdoc} + */ + protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) { + if ($operation == 'edit') { + // Only users with the "administer comments" permission can edit + // administrative fields. + $administrative_fields = [ + 'uid', + 'status', + 'created', + 'date', + ]; + if (in_array($field_definition->getName(), $administrative_fields, TRUE)) { + return AccessResult::allowedIfHasPermission($account, 'administer comments'); + } + + // No user can change read-only fields. + $read_only_fields = [ + 'hostname', + 'changed', + 'cid', + 'thread', + ]; + // These fields can be edited during comment creation. + $create_only_fields = [ + 'comment_type', + 'uuid', + 'entity_id', + 'entity_type', + 'field_name', + 'pid', + ]; + if ($items && ($entity = $items->getEntity()) && $entity->isNew() && in_array($field_definition->getName(), $create_only_fields, TRUE)) { + // We are creating a new comment, user can edit create only fields. + return AccessResult::allowedIfHasPermission($account, 'post comments')->addCacheableDependency($entity); + } + // We are editing an existing comment - create only fields are now read + // only. + $read_only_fields = array_merge($read_only_fields, $create_only_fields); + if (in_array($field_definition->getName(), $read_only_fields, TRUE)) { + return AccessResult::forbidden(); + } + + // If the field is configured to accept anonymous contact details - admins + // can edit name, homepage and mail. Anonymous users can also fill in the + // fields on comment creation. + if (in_array($field_definition->getName(), ['name', 'mail', 'homepage'], TRUE)) { + if (!$items) { + // We cannot make a decision about access to edit these fields if we + // don't have any items and therefore cannot determine the Comment + // entity. In this case we err on the side of caution and prevent edit + // access. + return AccessResult::forbidden(); + } + $is_name = $field_definition->getName() === 'name'; + /** @var \Drupal\comment\CommentInterface $entity */ + $entity = $items->getEntity(); + $commented_entity = $entity->getCommentedEntity(); + $anonymous_contact = $commented_entity->get($entity->getFieldName())->getFieldDefinition()->getSetting('anonymous'); + $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments'); + $anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && ($anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account->hasPermission('post comments')) + ->cachePerPermissions() + ->addCacheableDependency($entity) + ->addCacheableDependency($field_definition->getConfig($commented_entity->bundle())) + ->addCacheableDependency($commented_entity); + return $admin_access->orIf($anonymous_access); + } + } + + if ($operation == 'view') { + // Nobody has access to the hostname. + if ($field_definition->getName() == 'hostname') { + return AccessResult::forbidden(); + } + // The mail field is hidden from non-admins. + if ($field_definition->getName() == 'mail') { + return AccessResult::allowedIfHasPermission($account, 'administer comments'); + } + } + return parent::checkFieldAccess($operation, $field_definition, $account, $items); + } + +}