function EntityResource::checkPatchFieldAccess

Same name in this branch
  1. 9 core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
Same name and namespace in other branches
  1. 11.x core/modules/jsonapi/src/Controller/EntityResource.php \Drupal\jsonapi\Controller\EntityResource::checkPatchFieldAccess()
  2. 11.x core/modules/rest/src/Plugin/rest/resource/EntityResource.php \Drupal\rest\Plugin\rest\resource\EntityResource::checkPatchFieldAccess()

Checks whether the given field should be PATCHed.

@internal

Parameters

\Drupal\Core\Field\FieldItemListInterface $original_field: The original (stored) value for the field.

\Drupal\Core\Field\FieldItemListInterface $received_field: The received value for the field.

Return value

bool Whether the field should be PATCHed or not.

Throws

\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException Thrown when the user sending the request is not allowed to update the field. Only thrown when the user could not abuse this information to determine the stored value.

File

core/modules/rest/src/Plugin/rest/resource/EntityResource.php, line 280

Class

EntityResource
Represents entities as resources.

Namespace

Drupal\rest\Plugin\rest\resource

Code

protected function checkPatchFieldAccess(FieldItemListInterface $original_field, FieldItemListInterface $received_field) {
  // The user might not have access to edit the field, but still needs to
  // submit the current field value as part of the PATCH request. For
  // example, the entity keys required by denormalizers. Therefore, if the
  // received value equals the stored value, return FALSE without throwing an
  // exception. But only for fields that the user has access to view, because
  // the user has no legitimate way of knowing the current value of fields
  // that they are not allowed to view, and we must not make the presence or
  // absence of a 403 response a way to find that out.
  if ($original_field->access('view') && $original_field->equals($received_field)) {
    return FALSE;
  }
  // If the user is allowed to edit the field, it is always safe to set the
  // received value. We may be setting an unchanged value, but that is ok.
  $field_edit_access = $original_field->access('edit', NULL, TRUE);
  if ($field_edit_access->isAllowed()) {
    return TRUE;
  }
  // It's helpful and safe to let the user know when they are not allowed to
  // update a field.
  $field_name = $received_field->getName();
  $error_message = "Access denied on updating field '{$field_name}'.";
  if ($field_edit_access instanceof AccessResultReasonInterface) {
    $reason = $field_edit_access->getReason();
    if ($reason) {
      $error_message .= ' ' . $reason;
    }
  }
  throw new AccessDeniedHttpException($error_message);
}
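The security-relevant point of the method is the first branch: an unchanged value is silently accepted only when the caller can already view the field, so the presence or absence of a 403 never confirms a guessed value of a hidden field. The table below walks the decision procedure through the viewable/editable/changed combinations using stand-in classes; this is an added example, not Drupal's own code (StubField, StubAccess and patchDecision are constructed here and only mimic the call shapes the method uses).

```php
<?php
// Minimal stand-ins for FieldItemListInterface and AccessResult (constructed,
// not the Drupal classes). Only the members the method calls are modelled.
final class StubAccess {
  public function __construct(private bool $allowed) {}
  public function isAllowed(): bool { return $this->allowed; }
}

final class StubField {
  public function __construct(
    private string $name, private string $value, private bool $view, private bool $edit) {}
  public function getName(): string { return $this->name; }
  public function equals(StubField $other): bool { return $this->value === $other->value; }
  // Same two call shapes as above: access('view') -> bool,
  // access('edit', NULL, TRUE) -> object exposing isAllowed().
  public function access(string $op, $account = NULL, bool $asObject = FALSE) {
    $allowed = ($op === 'view') ? $this->view : $this->edit;
    return $asObject ? new StubAccess($allowed) : $allowed;
  }
}

// The decision procedure of checkPatchFieldAccess(), returning a label instead
// of throwing so the outcomes can be tabulated.
function patchDecision(StubField $stored, StubField $received): string {
  if ($stored->access('view') && $stored->equals($received)) {
    return 'skip (unchanged, viewable)';
  }
  if ($stored->access('edit', NULL, TRUE)->isAllowed()) {
    return 'patch';
  }
  return "403: Access denied on updating field '{$received->getName()}'.";
}

// Stored value is 'secret'; each row varies who may view/edit it and what was sent.
$cases = [
  ['view' => TRUE,  'edit' => FALSE, 'received' => 'secret'], // skip: key resubmitted as-is
  ['view' => TRUE,  'edit' => FALSE, 'received' => 'other'],  // 403: real change, no edit access
  ['view' => FALSE, 'edit' => TRUE,  'received' => 'secret'], // patch: edit access is sufficient
  ['view' => FALSE, 'edit' => FALSE, 'received' => 'secret'], // 403: a "skip" here would confirm the guess
  ['view' => FALSE, 'edit' => FALSE, 'received' => 'other'],  // 403: identical response to the row above
];
foreach ($cases as $c) {
  $stored = new StubField('field_hidden', 'secret', $c['view'], $c['edit']);
  $received = new StubField('field_hidden', $c['received'], $c['view'], $c['edit']);
  printf("view=%d edit=%d received=%-6s => %s\n",
    $c['view'], $c['edit'], $c['received'], patchDecision($stored, $received));
}
```

The last two rows are the ones that matter for detection and review: for a field the caller cannot view, the response is the same whether or not the submitted value matches the stored one.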
