Same name in this branch

1. 8.9.x core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()

Same name in other branches

1. 9 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
2. 9 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
3. 10 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
4. 10 core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()
5. 11.x core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
6. 11.x core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()

Checks whether the given field should be PATCHed.

@internal

Parameters

\Drupal\Core\Field\FieldItemListInterface $original_field: The original (stored) value for the field.

\Drupal\Core\Field\FieldItemListInterface $received_field: The received value for the field.

Return value

bool Whether the field should be PATCHed or not.

Throws

\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException Thrown when the user sending the request is not allowed to update the field. Only thrown when the user could not abuse this information to determine the stored value.

1 call to EntityResource::checkPatchFieldAccess()

EntityResource::patch in core/modules/rest/src/Plugin/rest/resource/EntityResource.php

Responds to entity PATCH requests.

File

core/modules/rest/src/Plugin/rest/resource/EntityResource.php, line 280

Class

EntityResource

Represents entities as resources.

Namespace

Drupal\rest\Plugin\rest\resource

Code

protected function checkPatchFieldAccess(FieldItemListInterface $original_field, FieldItemListInterface $received_field) {
    // The user might not have access to edit the field, but still needs to
    // submit the current field value as part of the PATCH request. For
    // example, the entity keys required by denormalizers. Therefore, if the
    // received value equals the stored value, return FALSE without throwing an
    // exception. But only for fields that the user has access to view, because
    // the user has no legitimate way of knowing the current value of fields
    // that they are not allowed to view, and we must not make the presence or
    // absence of a 403 response a way to find that out.
    if ($original_field->access('view') && $original_field->equals($received_field)) {
        return FALSE;
    }
    // If the user is allowed to edit the field, it is always safe to set the
    // received value. We may be setting an unchanged value, but that is ok.
    $field_edit_access = $original_field->access('edit', NULL, TRUE);
    if ($field_edit_access->isAllowed()) {
        return TRUE;
    }
    // It's helpful and safe to let the user know when they are not allowed to
    // update a field.
    $field_name = $received_field->getName();
    $error_message = "Access denied on updating field '{$field_name}'.";
    if ($field_edit_access instanceof AccessResultReasonInterface) {
        $reason = $field_edit_access->getReason();
        if ($reason) {
            $error_message .= ' ' . $reason;
        }
    }
    throw new AccessDeniedHttpException($error_message);
}

---