Chris@0: database = $database; Chris@0: $this->moduleHandler = $module_handler; Chris@0: $this->languageManager = $language_manager; Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function access(NodeInterface $node, $operation, AccountInterface $account) { Chris@0: // Grants only support these operations. Chris@0: if (!in_array($operation, ['view', 'update', 'delete'])) { Chris@0: return AccessResult::neutral(); Chris@0: } Chris@0: Chris@0: // If no module implements the hook or the node does not have an id there is Chris@0: // no point in querying the database for access grants. Chris@0: if (!$this->moduleHandler->getImplementations('node_grants') || !$node->id()) { Chris@0: // Return the equivalent of the default grant, defined by Chris@0: // self::writeDefault(). Chris@0: if ($operation === 'view') { Chris@0: return AccessResult::allowedIf($node->isPublished())->addCacheableDependency($node); Chris@0: } Chris@0: else { Chris@0: return AccessResult::neutral(); Chris@0: } Chris@0: } Chris@0: Chris@0: // Check the database for potential access grants. Chris@0: $query = $this->database->select('node_access'); Chris@0: $query->addExpression('1'); Chris@0: // Only interested for granting in the current operation. Chris@0: $query->condition('grant_' . $operation, 1, '>='); Chris@0: // Check for grants for this node and the correct langcode. Chris@0: $nids = $query->andConditionGroup() Chris@0: ->condition('nid', $node->id()) Chris@0: ->condition('langcode', $node->language()->getId()); Chris@0: // If the node is published, also take the default grant into account. The Chris@0: // default is saved with a node ID of 0. Chris@0: $status = $node->isPublished(); Chris@0: if ($status) { Chris@0: $nids = $query->orConditionGroup() Chris@0: ->condition($nids) Chris@0: ->condition('nid', 0); Chris@0: } Chris@0: $query->condition($nids); Chris@0: $query->range(0, 1); Chris@0: Chris@0: $grants = static::buildGrantsQueryCondition(node_access_grants($operation, $account)); Chris@0: Chris@0: if (count($grants) > 0) { Chris@0: $query->condition($grants); Chris@0: } Chris@0: Chris@0: // Only the 'view' node grant can currently be cached; the others currently Chris@0: // don't have any cacheability metadata. Hopefully, we can add that in the Chris@0: // future, which would allow this access check result to be cacheable in all Chris@0: // cases. For now, this must remain marked as uncacheable, even when it is Chris@0: // theoretically cacheable, because we don't have the necessary metadata to Chris@0: // know it for a fact. Chris@0: $set_cacheability = function (AccessResult $access_result) use ($operation) { Chris@0: $access_result->addCacheContexts(['user.node_grants:' . $operation]); Chris@0: if ($operation !== 'view') { Chris@0: $access_result->setCacheMaxAge(0); Chris@0: } Chris@0: return $access_result; Chris@0: }; Chris@0: Chris@0: if ($query->execute()->fetchField()) { Chris@0: return $set_cacheability(AccessResult::allowed()); Chris@0: } Chris@0: else { Chris@0: return $set_cacheability(AccessResult::neutral()); Chris@0: } Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function checkAll(AccountInterface $account) { Chris@0: $query = $this->database->select('node_access'); Chris@0: $query->addExpression('COUNT(*)'); Chris@0: $query Chris@0: ->condition('nid', 0) Chris@0: ->condition('grant_view', 1, '>='); Chris@0: Chris@0: $grants = static::buildGrantsQueryCondition(node_access_grants('view', $account)); Chris@0: Chris@0: if (count($grants) > 0) { Chris@0: $query->condition($grants); Chris@0: } Chris@0: return $query->execute()->fetchField(); Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function alterQuery($query, array $tables, $op, AccountInterface $account, $base_table) { Chris@0: if (!$langcode = $query->getMetaData('langcode')) { Chris@0: $langcode = FALSE; Chris@0: } Chris@0: Chris@0: // Find all instances of the base table being joined -- could appear Chris@0: // more than once in the query, and could be aliased. Join each one to Chris@0: // the node_access table. Chris@0: $grants = node_access_grants($op, $account); Chris@0: foreach ($tables as $nalias => $tableinfo) { Chris@0: $table = $tableinfo['table']; Chris@0: if (!($table instanceof SelectInterface) && $table == $base_table) { Chris@0: // Set the subquery. Chris@0: $subquery = $this->database->select('node_access', 'na') Chris@0: ->fields('na', ['nid']); Chris@0: Chris@0: // If any grant exists for the specified user, then user has access to the Chris@0: // node for the specified operation. Chris@0: $grant_conditions = static::buildGrantsQueryCondition($grants); Chris@0: Chris@0: // Attach conditions to the subquery for nodes. Chris@0: if (count($grant_conditions->conditions())) { Chris@0: $subquery->condition($grant_conditions); Chris@0: } Chris@0: $subquery->condition('na.grant_' . $op, 1, '>='); Chris@0: Chris@0: // Add langcode-based filtering if this is a multilingual site. Chris@0: if (\Drupal::languageManager()->isMultilingual()) { Chris@0: // If no specific langcode to check for is given, use the grant entry Chris@0: // which is set as a fallback. Chris@0: // If a specific langcode is given, use the grant entry for it. Chris@0: if ($langcode === FALSE) { Chris@0: $subquery->condition('na.fallback', 1, '='); Chris@0: } Chris@0: else { Chris@0: $subquery->condition('na.langcode', $langcode, '='); Chris@0: } Chris@0: } Chris@0: Chris@0: $field = 'nid'; Chris@0: // Now handle entities. Chris@0: $subquery->where("$nalias.$field = na.nid"); Chris@0: Chris@0: $query->exists($subquery); Chris@0: } Chris@0: } Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function write(NodeInterface $node, array $grants, $realm = NULL, $delete = TRUE) { Chris@0: if ($delete) { Chris@0: $query = $this->database->delete('node_access')->condition('nid', $node->id()); Chris@0: if ($realm) { Chris@0: $query->condition('realm', [$realm, 'all'], 'IN'); Chris@0: } Chris@0: $query->execute(); Chris@0: } Chris@0: // Only perform work when node_access modules are active. Chris@0: if (!empty($grants) && count($this->moduleHandler->getImplementations('node_grants'))) { Chris@0: $query = $this->database->insert('node_access')->fields(['nid', 'langcode', 'fallback', 'realm', 'gid', 'grant_view', 'grant_update', 'grant_delete']); Chris@0: // If we have defined a granted langcode, use it. But if not, add a grant Chris@0: // for every language this node is translated to. Chris@12: $fallback_langcode = $node->getUntranslated()->language()->getId(); Chris@0: foreach ($grants as $grant) { Chris@0: if ($realm && $realm != $grant['realm']) { Chris@0: continue; Chris@0: } Chris@0: if (isset($grant['langcode'])) { Chris@0: $grant_languages = [$grant['langcode'] => $this->languageManager->getLanguage($grant['langcode'])]; Chris@0: } Chris@0: else { Chris@0: $grant_languages = $node->getTranslationLanguages(TRUE); Chris@0: } Chris@0: foreach ($grant_languages as $grant_langcode => $grant_language) { Chris@0: // Only write grants; denies are implicit. Chris@0: if ($grant['grant_view'] || $grant['grant_update'] || $grant['grant_delete']) { Chris@0: $grant['nid'] = $node->id(); Chris@0: $grant['langcode'] = $grant_langcode; Chris@0: // The record with the original langcode is used as the fallback. Chris@12: if ($grant['langcode'] == $fallback_langcode) { Chris@0: $grant['fallback'] = 1; Chris@0: } Chris@0: else { Chris@0: $grant['fallback'] = 0; Chris@0: } Chris@0: $query->values($grant); Chris@0: } Chris@0: } Chris@0: } Chris@0: $query->execute(); Chris@0: } Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function delete() { Chris@0: $this->database->truncate('node_access')->execute(); Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function writeDefault() { Chris@0: $this->database->insert('node_access') Chris@0: ->fields([ Chris@0: 'nid' => 0, Chris@0: 'realm' => 'all', Chris@0: 'gid' => 0, Chris@0: 'grant_view' => 1, Chris@0: 'grant_update' => 0, Chris@0: 'grant_delete' => 0, Chris@0: ]) Chris@0: ->execute(); Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function count() { Chris@0: return $this->database->query('SELECT COUNT(*) FROM {node_access}')->fetchField(); Chris@0: } Chris@0: Chris@0: /** Chris@0: * {@inheritdoc} Chris@0: */ Chris@0: public function deleteNodeRecords(array $nids) { Chris@0: $this->database->delete('node_access') Chris@0: ->condition('nid', $nids, 'IN') Chris@0: ->execute(); Chris@0: } Chris@0: Chris@0: /** Chris@0: * Creates a query condition from an array of node access grants. Chris@0: * Chris@0: * @param array $node_access_grants Chris@0: * An array of grants, as returned by node_access_grants(). Chris@0: * @return \Drupal\Core\Database\Query\Condition Chris@0: * A condition object to be passed to $query->condition(). Chris@0: * Chris@0: * @see node_access_grants() Chris@0: */ Chris@0: protected static function buildGrantsQueryCondition(array $node_access_grants) { Chris@0: $grants = new Condition("OR"); Chris@0: foreach ($node_access_grants as $realm => $gids) { Chris@0: if (!empty($gids)) { Chris@0: $and = new Condition('AND'); Chris@0: $grants->condition($and Chris@0: ->condition('gid', $gids, 'IN') Chris@0: ->condition('realm', $realm) Chris@0: ); Chris@0: } Chris@0: } Chris@0: Chris@0: return $grants; Chris@0: } Chris@0: Chris@0: }