Chris@0: <?php
Chris@0: 
Chris@0: namespace Drupal\user;
Chris@0: 
Chris@0: use Drupal\Core\Access\AccessResult;
Chris@0: use Drupal\Core\Access\AccessResultNeutral;
Chris@17: use Drupal\Core\Access\AccessResultReasonInterface;
Chris@0: use Drupal\Core\Entity\EntityInterface;
Chris@0: use Drupal\Core\Entity\EntityAccessControlHandler;
Chris@0: use Drupal\Core\Field\FieldDefinitionInterface;
Chris@0: use Drupal\Core\Field\FieldItemListInterface;
Chris@0: use Drupal\Core\Session\AccountInterface;
Chris@0: 
Chris@0: /**
Chris@0:  * Defines the access control handler for the user entity type.
Chris@0:  *
Chris@0:  * @see \Drupal\user\Entity\User
Chris@0:  */
Chris@0: class UserAccessControlHandler extends EntityAccessControlHandler {
Chris@0: 
Chris@0:   /**
Chris@0:    * Allow access to user label.
Chris@0:    *
Chris@0:    * @var bool
Chris@0:    */
Chris@0:   protected $viewLabelOperation = TRUE;
Chris@0: 
Chris@0:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
Chris@0:     /** @var \Drupal\user\UserInterface $entity*/
Chris@0: 
Chris@0:     // We don't treat the user label as privileged information, so this check
Chris@0:     // has to be the first one in order to allow labels for all users to be
Chris@0:     // viewed, including the special anonymous user.
Chris@0:     if ($operation === 'view label') {
Chris@0:       return AccessResult::allowed();
Chris@0:     }
Chris@0: 
Chris@0:     // The anonymous user's profile can neither be viewed, updated nor deleted.
Chris@0:     if ($entity->isAnonymous()) {
Chris@0:       return AccessResult::forbidden();
Chris@0:     }
Chris@0: 
Chris@0:     // Administrators can view/update/delete all user profiles.
Chris@0:     if ($account->hasPermission('administer users')) {
Chris@0:       return AccessResult::allowed()->cachePerPermissions();
Chris@0:     }
Chris@0: 
Chris@0:     switch ($operation) {
Chris@0:       case 'view':
Chris@0:         // Only allow view access if the account is active.
Chris@0:         if ($account->hasPermission('access user profiles') && $entity->isActive()) {
Chris@0:           return AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
Chris@0:         }
Chris@0:         // Users can view own profiles at all times.
Chris@0:         elseif ($account->id() == $entity->id()) {
Chris@0:           return AccessResult::allowed()->cachePerUser();
Chris@0:         }
Chris@0:         else {
Chris@14:           return AccessResultNeutral::neutral("The 'access user profiles' permission is required and the user must be active.")->cachePerPermissions()->addCacheableDependency($entity);
Chris@0:         }
Chris@0:         break;
Chris@0: 
Chris@0:       case 'update':
Chris@0:         // Users can always edit their own account.
Chris@17:         $access_result = AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser();
Chris@17:         if (!$access_result->isAllowed() && $access_result instanceof AccessResultReasonInterface) {
Chris@17:           $access_result->setReason("Users can only update their own account, unless they have the 'administer users' permission.");
Chris@17:         }
Chris@17:         return $access_result;
Chris@0: 
Chris@0:       case 'delete':
Chris@0:         // Users with 'cancel account' permission can cancel their own account.
Chris@17:         return AccessResult::allowedIfHasPermission($account, 'cancel account')
Chris@17:           ->andIf(AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser());
Chris@0:     }
Chris@0: 
Chris@0:     // No opinion.
Chris@0:     return AccessResult::neutral();
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
Chris@0:     // Fields that are not implicitly allowed to administrative users.
Chris@0:     $explicit_check_fields = [
Chris@0:       'pass',
Chris@0:     ];
Chris@0: 
Chris@0:     // Administrative users are allowed to edit and view all fields.
Chris@0:     if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
Chris@0:       return AccessResult::allowed()->cachePerPermissions();
Chris@0:     }
Chris@0: 
Chris@0:     // Flag to indicate if this user entity is the own user account.
Chris@0:     $is_own_account = $items ? $items->getEntity()->id() == $account->id() : FALSE;
Chris@0:     switch ($field_definition->getName()) {
Chris@0:       case 'name':
Chris@18:         // Allow view access to anyone with access to the entity.
Chris@18:         // The username field is editable during the registration process.
Chris@18:         if ($operation == 'view' || ($items && $items->getEntity()->isAnonymous())) {
Chris@0:           return AccessResult::allowed()->cachePerPermissions();
Chris@0:         }
Chris@0:         // Allow edit access for the own user name if the permission is
Chris@0:         // satisfied.
Chris@0:         if ($is_own_account && $account->hasPermission('change own username')) {
Chris@0:           return AccessResult::allowed()->cachePerPermissions()->cachePerUser();
Chris@0:         }
Chris@0:         else {
Chris@17:           return AccessResult::neutral();
Chris@0:         }
Chris@0: 
Chris@0:       case 'preferred_langcode':
Chris@0:       case 'preferred_admin_langcode':
Chris@0:       case 'timezone':
Chris@0:       case 'mail':
Chris@0:         // Allow view access to own mail address and other personalization
Chris@0:         // settings.
Chris@0:         if ($operation == 'view') {
Chris@18:           return AccessResult::allowedIf($is_own_account)->cachePerUser();
Chris@0:         }
Chris@0:         // Anyone that can edit the user can also edit this field.
Chris@0:         return AccessResult::allowed()->cachePerPermissions();
Chris@0: 
Chris@0:       case 'pass':
Chris@0:         // Allow editing the password, but not viewing it.
Chris@0:         return ($operation == 'edit') ? AccessResult::allowed() : AccessResult::forbidden();
Chris@0: 
Chris@0:       case 'created':
Chris@0:         // Allow viewing the created date, but not editing it.
Chris@17:         return ($operation == 'view') ? AccessResult::allowed() : AccessResult::neutral();
Chris@0: 
Chris@0:       case 'roles':
Chris@0:       case 'status':
Chris@0:       case 'access':
Chris@0:       case 'login':
Chris@0:       case 'init':
Chris@17:         return AccessResult::neutral();
Chris@0:     }
Chris@0: 
Chris@0:     return parent::checkFieldAccess($operation, $field_definition, $account, $items);
Chris@0:   }
Chris@0: 
Chris@0: }