class CommentAccessControlHandler
Same name in other branches
- 8.9.x core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler
- 10 core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler
- 11.x core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler
Defines the access control handler for the comment entity type.
Hierarchy
- class \Drupal\Core\Entity\EntityHandlerBase uses \Drupal\Core\StringTranslation\StringTranslationTrait, \Drupal\Core\DependencyInjection\DependencySerializationTrait
- class \Drupal\Core\Entity\EntityAccessControlHandler extends \Drupal\Core\Entity\EntityHandlerBase implements \Drupal\Core\Entity\EntityAccessControlHandlerInterface
- class \Drupal\comment\CommentAccessControlHandler extends \Drupal\Core\Entity\EntityAccessControlHandler
- class \Drupal\Core\Entity\EntityAccessControlHandler extends \Drupal\Core\Entity\EntityHandlerBase implements \Drupal\Core\Entity\EntityAccessControlHandlerInterface
Expanded class hierarchy of CommentAccessControlHandler
See also
\Drupal\comment\Entity\Comment
File
-
core/
modules/ comment/ src/ CommentAccessControlHandler.php, line 17
Namespace
Drupal\commentView source
class CommentAccessControlHandler extends EntityAccessControlHandler {
/**
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
/** @var \Drupal\comment\CommentInterface|\Drupal\user\EntityOwnerInterface $entity */
$comment_admin = $account->hasPermission('administer comments');
if ($operation == 'approve') {
return AccessResult::allowedIf($comment_admin && !$entity->isPublished())
->cachePerPermissions()
->addCacheableDependency($entity);
}
if ($comment_admin) {
$access = AccessResult::allowed()->cachePerPermissions();
return $operation != 'view' ? $access : $access->andIf($entity->getCommentedEntity()
->access($operation, $account, TRUE));
}
switch ($operation) {
case 'view':
$access_result = AccessResult::allowedIf($account->hasPermission('access comments') && $entity->isPublished())
->cachePerPermissions()
->addCacheableDependency($entity)
->andIf($entity->getCommentedEntity()
->access($operation, $account, TRUE));
if (!$access_result->isAllowed()) {
$access_result->setReason("The 'access comments' permission is required and the comment must be published.");
}
return $access_result;
case 'update':
$access_result = AccessResult::allowedIf($account->id() && $account->id() == $entity->getOwnerId() && $entity->isPublished() && $account->hasPermission('edit own comments'))
->cachePerPermissions()
->cachePerUser()
->addCacheableDependency($entity);
if (!$access_result->isAllowed()) {
$access_result->setReason("The 'edit own comments' permission is required, the user must be the comment author, and the comment must be published.");
}
return $access_result;
default:
// No opinion.
return AccessResult::neutral()->cachePerPermissions();
}
}
/**
* {@inheritdoc}
*/
protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
return AccessResult::allowedIfHasPermission($account, 'post comments');
}
/**
* {@inheritdoc}
*/
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
if ($operation == 'edit') {
// Only users with the "administer comments" permission can edit
// administrative fields.
$administrative_fields = [
'uid',
'status',
'created',
'date',
];
if (in_array($field_definition->getName(), $administrative_fields, TRUE)) {
return AccessResult::allowedIfHasPermission($account, 'administer comments');
}
// No user can change read-only fields.
$read_only_fields = [
'hostname',
'changed',
'cid',
'thread',
];
// These fields can be edited during comment creation.
$create_only_fields = [
'comment_type',
'uuid',
'entity_id',
'entity_type',
'field_name',
'pid',
];
if ($items && ($entity = $items->getEntity()) && $entity->isNew() && in_array($field_definition->getName(), $create_only_fields, TRUE)) {
// We are creating a new comment, user can edit create only fields.
return AccessResult::allowedIfHasPermission($account, 'post comments')->addCacheableDependency($entity);
}
// We are editing an existing comment - create only fields are now read
// only.
$read_only_fields = array_merge($read_only_fields, $create_only_fields);
if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
return AccessResult::forbidden();
}
// If the field is configured to accept anonymous contact details - admins
// can edit name, homepage and mail. Anonymous users can also fill in the
// fields on comment creation.
if (in_array($field_definition->getName(), [
'name',
'mail',
'homepage',
], TRUE)) {
if (!$items) {
// We cannot make a decision about access to edit these fields if we
// don't have any items and therefore cannot determine the Comment
// entity. In this case we err on the side of caution and prevent edit
// access.
return AccessResult::forbidden();
}
$is_name = $field_definition->getName() === 'name';
/** @var \Drupal\comment\CommentInterface $entity */
$entity = $items->getEntity();
$commented_entity = $entity->getCommentedEntity();
$anonymous_contact = $commented_entity->get($entity->getFieldName())
->getFieldDefinition()
->getSetting('anonymous');
$admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
$anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && ($anonymous_contact != CommentInterface::ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account->hasPermission('post comments'))
->cachePerPermissions()
->addCacheableDependency($entity)
->addCacheableDependency($field_definition->getConfig($commented_entity->bundle()))
->addCacheableDependency($commented_entity);
return $admin_access->orIf($anonymous_access);
}
}
if ($operation == 'view') {
// Nobody has access to the hostname.
if ($field_definition->getName() == 'hostname') {
return AccessResult::forbidden();
}
// The mail field is hidden from non-admins.
if ($field_definition->getName() == 'mail') {
return AccessResult::allowedIfHasPermission($account, 'administer comments');
}
}
return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}
}
Members
Title Sort descending | Modifiers | Object type | Summary | Overriden Title | Overrides |
---|---|---|---|---|---|
CommentAccessControlHandler::checkAccess | protected | function | Performs access checks. | Overrides EntityAccessControlHandler::checkAccess | |
CommentAccessControlHandler::checkCreateAccess | protected | function | Performs create access checks. | Overrides EntityAccessControlHandler::checkCreateAccess | |
CommentAccessControlHandler::checkFieldAccess | protected | function | Default field access as determined by this access control handler. | Overrides EntityAccessControlHandler::checkFieldAccess | |
DependencySerializationTrait::$_entityStorages | protected | property | |||
DependencySerializationTrait::$_serviceIds | protected | property | |||
DependencySerializationTrait::__sleep | public | function | 1 | ||
DependencySerializationTrait::__wakeup | public | function | 2 | ||
EntityAccessControlHandler::$accessCache | protected | property | Stores calculated access check results. | ||
EntityAccessControlHandler::$entityType | protected | property | Information about the entity type. | ||
EntityAccessControlHandler::$entityTypeId | protected | property | The entity type ID of the access control handler instance. | ||
EntityAccessControlHandler::$viewLabelOperation | protected | property | Allows to grant access to just the labels. | 5 | |
EntityAccessControlHandler::access | public | function | Checks access to an operation on a given entity or entity translation. | Overrides EntityAccessControlHandlerInterface::access | 1 |
EntityAccessControlHandler::createAccess | public | function | Checks access to create an entity. | Overrides EntityAccessControlHandlerInterface::createAccess | 1 |
EntityAccessControlHandler::fieldAccess | public | function | Checks access to an operation on a given entity field. | Overrides EntityAccessControlHandlerInterface::fieldAccess | |
EntityAccessControlHandler::getCache | protected | function | Tries to retrieve a previously cached access value from the static cache. | ||
EntityAccessControlHandler::prepareUser | protected | function | Loads the current account object, if it does not exist yet. | ||
EntityAccessControlHandler::processAccessHookResults | protected | function | Determines entity access. | ||
EntityAccessControlHandler::resetCache | public | function | Clears all cached access checks. | Overrides EntityAccessControlHandlerInterface::resetCache | |
EntityAccessControlHandler::setCache | protected | function | Statically caches whether the given user has access. | ||
EntityAccessControlHandler::__construct | public | function | Constructs an access control handler instance. | 7 | |
EntityHandlerBase::$moduleHandler | protected | property | The module handler to invoke hooks on. | 5 | |
EntityHandlerBase::moduleHandler | protected | function | Gets the module handler. | 5 | |
EntityHandlerBase::setModuleHandler | public | function | Sets the module handler for this handler. | ||
StringTranslationTrait::$stringTranslation | protected | property | The string translation service. | 3 | |
StringTranslationTrait::formatPlural | protected | function | Formats a string containing a count of items. | ||
StringTranslationTrait::getNumberOfPlurals | protected | function | Returns the number of plurals supported by a given language. | ||
StringTranslationTrait::getStringTranslation | protected | function | Gets the string translation service. | ||
StringTranslationTrait::setStringTranslation | public | function | Sets the string translation service to use. | 2 | |
StringTranslationTrait::t | protected | function | Translates a string to the current language or to a given language. |
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.