Chris@0: isAnonymous()) { Chris@0: return AccessResult::forbidden(); Chris@0: } Chris@0: Chris@0: // Administrators can view/update/delete all user profiles. Chris@0: if ($account->hasPermission('administer users')) { Chris@0: return AccessResult::allowed()->cachePerPermissions(); Chris@0: } Chris@0: Chris@0: switch ($operation) { Chris@0: case 'view': Chris@0: // Only allow view access if the account is active. Chris@0: if ($account->hasPermission('access user profiles') && $entity->isActive()) { Chris@0: return AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity); Chris@0: } Chris@0: // Users can view own profiles at all times. Chris@0: elseif ($account->id() == $entity->id()) { Chris@0: return AccessResult::allowed()->cachePerUser(); Chris@0: } Chris@0: else { Chris@14: return AccessResultNeutral::neutral("The 'access user profiles' permission is required and the user must be active.")->cachePerPermissions()->addCacheableDependency($entity); Chris@0: } Chris@0: break; Chris@0: Chris@0: case 'update': Chris@0: // Users can always edit their own account. Chris@17: $access_result = AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser(); Chris@17: if (!$access_result->isAllowed() && $access_result instanceof AccessResultReasonInterface) { Chris@17: $access_result->setReason("Users can only update their own account, unless they have the 'administer users' permission."); Chris@17: } Chris@17: return $access_result; Chris@0: Chris@0: case 'delete': Chris@0: // Users with 'cancel account' permission can cancel their own account. Chris@17: return AccessResult::allowedIfHasPermission($account, 'cancel account') Chris@17: ->andIf(AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser()); Chris@0: } Chris@0: Chris@0: // No opinion. 
return AccessResult::neutral();
  }

  /**
   * Decides field-level access on a user entity for one operation.
   *
   * Rules applied, in order:
   * - Accounts with 'administer users' are allowed on every field except
   *   'pass', which is always evaluated by its own rule below.
   * - 'name': viewable by anyone who reached this check; editable while the
   *   entity is still anonymous (registration), or on the own account with
   *   'change own username'. Otherwise neutral.
   * - 'preferred_langcode', 'preferred_admin_langcode', 'timezone', 'mail':
   *   viewable only on the own account; any other operation is allowed.
   * - 'pass': 'edit' is allowed, every other operation is forbidden.
   * - 'created': 'view' is allowed, anything else is neutral.
   * - 'roles', 'status', 'access', 'login', 'init': neutral.
   * - Any other field is delegated to the parent implementation.
   *
   * A neutral result expresses no opinion; it is not a grant by itself.
   *
   * @param string $operation
   *   The operation being checked; this method compares it against 'view'
   *   and 'edit'.
   * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
   *   Definition of the field; only its name is read here.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account requesting access.
   * @param \Drupal\Core\Field\FieldItemListInterface $items
   *   (optional) The field values, used to reach the user entity. When it is
   *   omitted no entity is available, so the own-account rules do not grant.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result, carrying the cache contexts added below.
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    $field_name = $field_definition->getName();

    // 'pass' is kept out of the administrator shortcut so that the
    // view-forbidden rule for the password field applies to administrators
    // as well.
    $admin_exempt_fields = ['pass'];
    $admin_shortcut_applies = !in_array($field_name, $admin_exempt_fields);
    if ($admin_shortcut_applies && $account->hasPermission('administer users')) {
      return AccessResult::allowed()->cachePerPermissions();
    }

    // TRUE only when an entity is available and it is the requesting account.
    // NOTE(review): the ids are compared loosely; presumably id() can yield
    // an int or a numeric string - confirm before tightening to ===.
    $own_account = FALSE;
    if ($items) {
      $own_account = $items->getEntity()->id() == $account->id();
    }

    switch ($field_name) {
      case 'name':
        // Viewing the username is open to anyone who got this far.
        if ($operation == 'view') {
          return AccessResult::allowed()->cachePerPermissions();
        }
        // An entity that is still anonymous is being registered, so its
        // username has to be writable.
        if ($items && $items->getEntity()->isAnonymous()) {
          return AccessResult::allowed()->cachePerPermissions();
        }
        // Renaming is limited to the own account and gated by a permission;
        // the result varies per user as well as per permission set.
        $may_rename_self = $own_account && $account->hasPermission('change own username');
        return $may_rename_self
          ? AccessResult::allowed()->cachePerPermissions()->cachePerUser()
          : AccessResult::neutral();

      case 'preferred_langcode':
      case 'preferred_admin_langcode':
      case 'timezone':
      case 'mail':
        // The mail address and personalization settings are shown only to
        // their owner (administrators were handled above). Other operations
        // are allowed here without an ownership test.
        // NOTE(review): that grant appears to rely on a separate
        // entity-level update check - confirm against the callers.
        return ($operation == 'view')
          ? AccessResult::allowedIf($own_account)->cachePerUser()
          : AccessResult::allowed()->cachePerPermissions();

      case 'pass':
        // The password field may be written but never read: every operation
        // other than 'edit' is forbidden rather than neutral.
        if ($operation == 'edit') {
          return AccessResult::allowed();
        }
        return AccessResult::forbidden();

      case 'created':
        // The creation date is readable; this handler does not grant
        // changing it.
        if ($operation == 'view') {
          return AccessResult::allowed();
        }
        return AccessResult::neutral();

      case 'roles':
      case 'status':
      case 'access':
      case 'login':
      case 'init':
        // No opinion for non-administrators on these account-state fields.
        return AccessResult::neutral();

      default:
        // Every other field follows the generic field access rules.
        return parent::checkFieldAccess($operation, $field_definition, $account, $items);
    }
  }

}