function TemporaryQueryGuard::getAccessCondition

Same name in other branches
  1. 8.9.x core/modules/jsonapi/src/Access/TemporaryQueryGuard.php \Drupal\jsonapi\Access\TemporaryQueryGuard::getAccessCondition()
  2. 10 core/modules/jsonapi/src/Access/TemporaryQueryGuard.php \Drupal\jsonapi\Access\TemporaryQueryGuard::getAccessCondition()
  3. 11.x core/modules/jsonapi/src/Access/TemporaryQueryGuard.php \Drupal\jsonapi\Access\TemporaryQueryGuard::getAccessCondition()

Gets an EntityConditionGroup that filters out inaccessible entities.

Parameters

string $entity_type_id: The entity type ID for which to get an EntityConditionGroup.

\Drupal\Core\Cache\CacheableMetadata $cacheability: Collects cacheability for the query.

Return value

\Drupal\jsonapi\Query\EntityConditionGroup|null An EntityConditionGroup or NULL if no conditions need to be applied to secure an entity query.

2 calls to TemporaryQueryGuard::getAccessCondition()
TemporaryQueryGuard::applyAccessConditions in core/modules/jsonapi/src/Access/TemporaryQueryGuard.php
Applies access conditions to ensure 'view' access is respected.
TemporaryQueryGuard::getCommentAccessCondition in core/modules/jsonapi/src/Access/TemporaryQueryGuard.php
Gets an access condition for a comment entity.

File

core/modules/jsonapi/src/Access/TemporaryQueryGuard.php, line 237

Class

TemporaryQueryGuard
Adds sufficient access control to collection queries.

Namespace

Drupal\jsonapi\Access

Code

protected static function getAccessCondition($entity_type_id, CacheableMetadata $cacheability) {
    $current_user = \Drupal::currentUser();
    $entity_type = \Drupal::entityTypeManager()->getDefinition($entity_type_id);
    // Get the condition that handles generic restrictions, such as published
    // and owner.
    $generic_condition = static::getAccessConditionForKnownSubsets($entity_type, $current_user, $cacheability);
    // Some entity types require additional conditions. We don't know what
    // contrib entity types require, so they are responsible for implementing
    // hook_query_ENTITY_TYPE_access_alter(). Some core entity types have
    // logic in their access control handler that isn't mirrored in
    // hook_query_ENTITY_TYPE_access_alter(), so we duplicate that here until
    // that's resolved.
    $specific_condition = NULL;
    switch ($entity_type_id) {
        case 'block_content':
            // Allow access only to reusable blocks.
            // @see \Drupal\block_content\BlockContentAccessControlHandler::checkAccess()
            if (isset(static::$fieldManager->getBaseFieldDefinitions($entity_type_id)['reusable'])) {
                $specific_condition = new EntityCondition('reusable', 1);
                $cacheability->addCacheTags($entity_type->getListCacheTags());
            }
            break;
        case 'comment':
            // @see \Drupal\comment\CommentAccessControlHandler::checkAccess()
            $specific_condition = static::getCommentAccessCondition($entity_type, $current_user, $cacheability);
            break;
        case 'entity_test':
            // This case is only necessary for testing comment access controls.
            // @see \Drupal\jsonapi\Tests\Functional\CommentTest::testCollectionFilterAccess()
            $blacklist = \Drupal::state()->get('jsonapi__entity_test_filter_access_blacklist', []);
            $cacheability->addCacheTags([
                'state:jsonapi__entity_test_filter_access_blacklist',
            ]);
            $specific_conditions = [];
            foreach ($blacklist as $id) {
                $specific_conditions[] = new EntityCondition('id', $id, '<>');
            }
            if ($specific_conditions) {
                $specific_condition = new EntityConditionGroup('AND', $specific_conditions);
            }
            break;
        case 'file':
            // Allow access only to public files and files uploaded by the current
            // user.
            // @see \Drupal\file\FileAccessControlHandler::checkAccess()
            $specific_condition = new EntityConditionGroup('OR', [
                new EntityCondition('uri', 'public://', 'STARTS_WITH'),
                new EntityCondition('uid', $current_user->id()),
            ]);
            $cacheability->addCacheTags($entity_type->getListCacheTags());
            break;
        case 'shortcut':
            // Unless the user can administer shortcuts, allow access only to the
            // user's currently displayed shortcut set.
            // @see \Drupal\shortcut\ShortcutAccessControlHandler::checkAccess()
            if (!$current_user->hasPermission('administer shortcuts')) {
                $specific_condition = new EntityCondition('shortcut_set', shortcut_current_displayed_set()->id());
                $cacheability->addCacheContexts([
                    'user',
                ]);
                $cacheability->addCacheTags($entity_type->getListCacheTags());
            }
            break;
        case 'user':
            // Disallow querying values of the anonymous user.
            // @see \Drupal\user\UserAccessControlHandler::checkAccess()
            $specific_condition = new EntityCondition('uid', '0', '!=');
            break;
    }
    // Return a combined condition.
    if ($generic_condition && $specific_condition) {
        return new EntityConditionGroup('AND', [
            $generic_condition,
            $specific_condition,
        ]);
    }
    elseif ($generic_condition) {
        return $generic_condition instanceof EntityConditionGroup ? $generic_condition : new EntityConditionGroup('AND', [
            $generic_condition,
        ]);
    }
    elseif ($specific_condition) {
        return $specific_condition instanceof EntityConditionGroup ? $specific_condition : new EntityConditionGroup('AND', [
            $specific_condition,
        ]);
    }
    return NULL;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.