function hook_jsonapi_entity_field_filter_access


Restricts filtering access to the given field.

Some fields may contain sensitive information. In these cases, modules are supposed to implement hook_entity_field_access(). However, this hook receives an optional `$items` argument and often must return AccessResult::neutral() when `$items === NULL`. This is because access may or may not be allowed based on the field items or based on the entity on which the field is attached (if the user is the entity owner, for example).

Since JSON:API must check field access prior to having a field item list instance available (access must be checked before a database query is made), it is not sufficiently secure to check field 'view' access alone.

This hook exists so that modules which cannot return AccessResult::forbidden() from hook_entity_field_access() can still secure JSON:API requests where necessary.

If a corresponding implementation of hook_entity_field_access() *can* be forbidden for one or more values of the `$items` argument, this hook *MUST* return AccessResult::forbidden().
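The following is an added example written for this page, not code from Drupal core: a hypothetical module `mymodule` that pairs the two hooks the text describes. The field name `field_private_note` and the module name are assumptions. The hook_entity_field_access() implementation can only decide once it has the parent node (to compare owners), so with `$items === NULL` it must stay neutral; because it *can* be forbidden when items are present, the matching hook_jsonapi_entity_field_filter_access() forbids filtering on that field for everyone who could not see every value anyway, since at filter time no entity is loaded and an owner check is impossible.

```php
<?php

/**
 * @file
 * Hypothetical module "mymodule" (added example; not part of Drupal core).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 *
 * Restricts 'view' access to the assumed node field "field_private_note" to
 * the node's author. The owner check needs the parent entity, so when $items
 * is NULL there is nothing to compare against and the result stays neutral.
 */
function mymodule_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if ($operation !== 'view'
    || $field_definition->getTargetEntityTypeId() !== 'node'
    || $field_definition->getName() !== 'field_private_note') {
    return AccessResult::neutral();
  }
  if ($items === NULL) {
    // No entity context (e.g. a field-level check before any load): the hook
    // cannot grant or deny by itself, so it defers to other access checks.
    return AccessResult::neutral();
  }
  $node = $items->getEntity();
  $is_owner = (int) $node->getOwnerId() === (int) $account->id();
  // Forbidden for everyone but the owner; vary the cache per user and
  // invalidate it when the node (and thus its owner) changes.
  return AccessResult::forbiddenIf(!$is_owner)
    ->addCacheableDependency($node)
    ->cachePerUser();
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * The implementation above can return forbidden for some $items, so filtering
 * via JSON:API on the same field MUST be forbidden here. Filters run before
 * any node is loaded, so an owner check is impossible at this point; only an
 * account that could see every value (assumed: 'administer nodes') may filter.
 */
function mymodule_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  if ($field_definition->getTargetEntityTypeId() === 'node'
    && $field_definition->getName() === 'field_private_note') {
    return AccessResult::forbiddenIf(!$account->hasPermission('administer nodes'))
      ->cachePerPermissions();
  }
  return AccessResult::neutral();
}
```

Without the second hook, a request such as a filter on `field_private_note` would let a caller probe values of nodes they do not own, because the query is built from the filter before any per-entity 'view' check can run; the filter hook closes that gap for the one field that needs it while leaving every other field to the normal access checks.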

Parameters

\Drupal\Core\Field\FieldDefinitionInterface $field_definition: The field definition of the field to be filtered upon.

\Drupal\Core\Session\AccountInterface $account: The account for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

1 function implements hook_jsonapi_entity_field_filter_access()

Note: this list is generated by pattern matching, so it may include some functions that are not actually implementations of this hook.

jsonapi_test_field_filter_access_jsonapi_entity_field_filter_access in core/modules/jsonapi/tests/modules/jsonapi_test_field_filter_access/jsonapi_test_field_filter_access.module
Implements hook_jsonapi_entity_field_field_access().
1 invocation of hook_jsonapi_entity_field_filter_access()
FieldResolver::getFieldAccess in core/modules/jsonapi/src/Context/FieldResolver.php
Gets the field access result for the 'view' operation.

File

core/modules/jsonapi/jsonapi.api.php, line 341

Code

use Drupal\Core\Access\AccessResult;

function hook_jsonapi_entity_field_filter_access(\Drupal\Core\Field\FieldDefinitionInterface $field_definition, \Drupal\Core\Session\AccountInterface $account) {
    // Only the one field that carries sensitive data is affected; every other
    // field falls through to the neutral result at the end.
    if ($field_definition->getTargetEntityTypeId() === 'node' && $field_definition->getName() === 'field_sensitive_data') {
        $has_sufficient_access = FALSE;
        // Filtering is allowed if the account holds any one of these permissions.
        foreach ([
            'administer nodes',
            'view all sensitive field data',
        ] as $permission) {
            $has_sufficient_access = $has_sufficient_access ?: $account->hasPermission($permission);
        }
        // The result depends only on permissions, so cache it per permissions.
        return AccessResult::forbiddenIf(!$has_sufficient_access)->cachePerPermissions();
    }
    return AccessResult::neutral();
}
