class NodeAccessControlHandler

Same name in other branches
  1. 9 core/modules/node/src/NodeAccessControlHandler.php \Drupal\node\NodeAccessControlHandler
  2. 10 core/modules/node/src/NodeAccessControlHandler.php \Drupal\node\NodeAccessControlHandler
  3. 11.x core/modules/node/src/NodeAccessControlHandler.php \Drupal\node\NodeAccessControlHandler

Defines the access control handler for the node entity type.

Hierarchy

Expanded class hierarchy of NodeAccessControlHandler

See also

\Drupal\node\Entity\Node

Related topics

Node access rights
The node access system determines who can do what to which nodes.

File

core/modules/node/src/NodeAccessControlHandler.php, line 22

Namespace

Drupal\node
View source 
class NodeAccessControlHandler extends EntityAccessControlHandler implements NodeAccessControlHandlerInterface, EntityHandlerInterface {
    
    /**
     * The node grant storage.
     *
     * @var \Drupal\node\NodeGrantDatabaseStorageInterface
     */
    protected $grantStorage;
    
    /**
     * Constructs a NodeAccessControlHandler object.
     *
     * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
     *   The entity type definition.
     * @param \Drupal\node\NodeGrantDatabaseStorageInterface $grant_storage
     *   The node grant storage.
     */
    public function __construct(EntityTypeInterface $entity_type, NodeGrantDatabaseStorageInterface $grant_storage) {
        parent::__construct($entity_type);
        $this->grantStorage = $grant_storage;
    }
    
    /**
     * {@inheritdoc}
     */
    public static function createInstance(ContainerInterface $container, EntityTypeInterface $entity_type) {
        return new static($entity_type, $container->get('node.grant_storage'));
    }
    
    /**
     * {@inheritdoc}
     */
    public function access(EntityInterface $entity, $operation, AccountInterface $account = NULL, $return_as_object = FALSE) {
        $account = $this->prepareUser($account);
        if ($account->hasPermission('bypass node access')) {
            $result = AccessResult::allowed()->cachePerPermissions();
            return $return_as_object ? $result : $result->isAllowed();
        }
        if (!$account->hasPermission('access content')) {
            $result = AccessResult::forbidden("The 'access content' permission is required.")->cachePerPermissions();
            return $return_as_object ? $result : $result->isAllowed();
        }
        $result = parent::access($entity, $operation, $account, TRUE)->cachePerPermissions();
        return $return_as_object ? $result : $result->isAllowed();
    }
    
    /**
     * {@inheritdoc}
     */
    public function createAccess($entity_bundle = NULL, AccountInterface $account = NULL, array $context = [], $return_as_object = FALSE) {
        $account = $this->prepareUser($account);
        if ($account->hasPermission('bypass node access')) {
            $result = AccessResult::allowed()->cachePerPermissions();
            return $return_as_object ? $result : $result->isAllowed();
        }
        if (!$account->hasPermission('access content')) {
            $result = AccessResult::forbidden("The 'access content' permission is required.")->cachePerPermissions();
            return $return_as_object ? $result : $result->isAllowed();
        }
        $result = parent::createAccess($entity_bundle, $account, $context, TRUE)->cachePerPermissions();
        return $return_as_object ? $result : $result->isAllowed();
    }
    
    /**
     * {@inheritdoc}
     */
    protected function checkAccess(EntityInterface $node, $operation, AccountInterface $account) {
        
        /** @var \Drupal\node\NodeInterface $node */
        // Fetch information from the node object if possible.
        $status = $node->isPublished();
        $uid = $node->getOwnerId();
        // Check if authors can view their own unpublished nodes.
        if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) {
            return AccessResult::allowed()->cachePerPermissions()
                ->cachePerUser()
                ->addCacheableDependency($node);
        }
        // Evaluate node grants.
        $access_result = $this->grantStorage
            ->access($node, $operation, $account);
        if ($operation === 'view' && $access_result instanceof RefinableCacheableDependencyInterface) {
            // Node variations can affect the access to the node. For instance, the
            // access result cache varies on the node's published status. Only the
            // 'view' node grant can currently be cached. The 'update' and 'delete'
            // grants are already marked as uncacheable in the node grant storage.
            // @see \Drupal\node\NodeGrantDatabaseStorage::access()
            $access_result->addCacheableDependency($node);
        }
        return $access_result;
    }
    
    /**
     * {@inheritdoc}
     */
    protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
        return AccessResult::allowedIf($account->hasPermission('create ' . $entity_bundle . ' content'))
            ->cachePerPermissions();
    }
    
    /**
     * {@inheritdoc}
     */
    protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
        // Only users with the administer nodes permission can edit administrative
        // fields.
        $administrative_fields = [
            'uid',
            'status',
            'created',
            'promote',
            'sticky',
        ];
        if ($operation == 'edit' && in_array($field_definition->getName(), $administrative_fields, TRUE)) {
            return AccessResult::allowedIfHasPermission($account, 'administer nodes');
        }
        // No user can change read only fields.
        $read_only_fields = [
            'revision_timestamp',
            'revision_uid',
        ];
        if ($operation == 'edit' && in_array($field_definition->getName(), $read_only_fields, TRUE)) {
            return AccessResult::forbidden();
        }
        // Users have access to the revision_log field either if they have
        // administrative permissions or if the new revision option is enabled.
        if ($operation == 'edit' && $field_definition->getName() == 'revision_log') {
            if ($account->hasPermission('administer nodes')) {
                return AccessResult::allowed()->cachePerPermissions();
            }
            return AccessResult::allowedIf($items->getEntity()->type->entity
                ->shouldCreateNewRevision())
                ->cachePerPermissions();
        }
        return parent::checkFieldAccess($operation, $field_definition, $account, $items);
    }
    
    /**
     * {@inheritdoc}
     */
    public function acquireGrants(NodeInterface $node) {
        $grants = $this->moduleHandler
            ->invokeAll('node_access_records', [
            $node,
        ]);
        // Let modules alter the grants.
        $this->moduleHandler
            ->alter('node_access_records', $grants, $node);
        // If no grants are set and the node is published, then use the default grant.
        if (empty($grants) && $node->isPublished()) {
            $grants[] = [
                'realm' => 'all',
                'gid' => 0,
                'grant_view' => 1,
                'grant_update' => 0,
                'grant_delete' => 0,
            ];
        }
        return $grants;
    }
    
    /**
     * {@inheritdoc}
     */
    public function writeGrants(NodeInterface $node, $delete = TRUE) {
        $grants = $this->acquireGrants($node);
        $this->grantStorage
            ->write($node, $grants, NULL, $delete);
    }
    
    /**
     * {@inheritdoc}
     */
    public function writeDefaultGrant() {
        $this->grantStorage
            ->writeDefault();
    }
    
    /**
     * {@inheritdoc}
     */
    public function deleteGrants() {
        $this->grantStorage
            ->delete();
    }
    
    /**
     * {@inheritdoc}
     */
    public function countGrants() {
        return $this->grantStorage
            ->count();
    }
    
    /**
     * {@inheritdoc}
     */
    public function checkAllGrants(AccountInterface $account) {
        return $this->grantStorage
            ->checkAll($account);
    }

}

Members

Title Modifiers Object type Summary Overriden Title Overrides
DependencySerializationTrait::$_entityStorages protected property An array of entity type IDs keyed by the property name of their storages.
DependencySerializationTrait::$_serviceIds protected property An array of service IDs keyed by property name used for serialization.
DependencySerializationTrait::__sleep public function 1
DependencySerializationTrait::__wakeup public function 2
EntityAccessControlHandler::$accessCache protected property Stores calculated access check results.
EntityAccessControlHandler::$entityType protected property Information about the entity type.
EntityAccessControlHandler::$entityTypeId protected property The entity type ID of the access control handler instance.
EntityAccessControlHandler::$viewLabelOperation protected property Allows to grant access to just the labels. 5
EntityAccessControlHandler::fieldAccess public function Checks access to an operation on a given entity field. Overrides EntityAccessControlHandlerInterface::fieldAccess
EntityAccessControlHandler::getCache protected function Tries to retrieve a previously cached access value from the static cache.
EntityAccessControlHandler::prepareUser protected function Loads the current account object, if it does not exist yet.
EntityAccessControlHandler::processAccessHookResults protected function We grant access to the entity if both of these conditions are met:
EntityAccessControlHandler::resetCache public function Clears all cached access checks. Overrides EntityAccessControlHandlerInterface::resetCache
EntityAccessControlHandler::setCache protected function Statically caches whether the given user has access.
EntityHandlerBase::$moduleHandler protected property The module handler to invoke hooks on. 2
EntityHandlerBase::moduleHandler protected function Gets the module handler. 2
EntityHandlerBase::setModuleHandler public function Sets the module handler for this handler.
NodeAccessControlHandler::$grantStorage protected property The node grant storage.
NodeAccessControlHandler::access public function Checks access to an operation on a given entity or entity translation. Overrides EntityAccessControlHandler::access
NodeAccessControlHandler::acquireGrants public function Gets the list of node access grants. Overrides NodeAccessControlHandlerInterface::acquireGrants
NodeAccessControlHandler::checkAccess protected function Performs access checks. Overrides EntityAccessControlHandler::checkAccess
NodeAccessControlHandler::checkAllGrants public function Checks all grants for a given account. Overrides NodeAccessControlHandlerInterface::checkAllGrants
NodeAccessControlHandler::checkCreateAccess protected function Performs create access checks. Overrides EntityAccessControlHandler::checkCreateAccess
NodeAccessControlHandler::checkFieldAccess protected function Default field access as determined by this access control handler. Overrides EntityAccessControlHandler::checkFieldAccess
NodeAccessControlHandler::countGrants public function Counts available node grants. Overrides NodeAccessControlHandlerInterface::countGrants
NodeAccessControlHandler::createAccess public function Checks access to create an entity. Overrides EntityAccessControlHandler::createAccess
NodeAccessControlHandler::createInstance public static function Instantiates a new instance of this entity handler. Overrides EntityHandlerInterface::createInstance
NodeAccessControlHandler::deleteGrants public function Deletes all node access entries. Overrides NodeAccessControlHandlerInterface::deleteGrants
NodeAccessControlHandler::writeDefaultGrant public function Creates the default node access grant entry on the grant storage. Overrides NodeAccessControlHandlerInterface::writeDefaultGrant
NodeAccessControlHandler::writeGrants public function Writes a list of grants to the database, deleting any previously saved ones. Overrides NodeAccessControlHandlerInterface::writeGrants
NodeAccessControlHandler::__construct public function Constructs a NodeAccessControlHandler object. Overrides EntityAccessControlHandler::__construct
StringTranslationTrait::$stringTranslation protected property The string translation service.
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.