function UserAccessControlHandler::checkFieldAccess
Overrides EntityAccessControlHandler::checkFieldAccess
File
core/modules/user/src/UserAccessControlHandler.php, line 93
Class
- UserAccessControlHandler
- Defines the access control handler for the user entity type.
Namespace
Drupal\user
Code
protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
  $field_name = $field_definition->getName();

  // Fields excluded from the blanket grant below. The password field is the
  // only one: even 'administer users' holders fall through to its own rule,
  // which never allows viewing it.
  $always_checked_fields = [
    'pass',
  ];
  if (!in_array($field_name, $always_checked_fields) && $account->hasPermission('administer users')) {
    return AccessResult::allowed()->cachePerPermissions();
  }

  // Whether the entity whose field is being checked belongs to the account
  // performing the check. Without field items there is no entity to compare
  // against, so this defaults to FALSE. Loose comparison is kept on purpose:
  // entity ids and account ids may differ in scalar type.
  $is_own_account = FALSE;
  if ($items) {
    $is_own_account = $items->getEntity()->id() == $account->id();
  }

  // Personalization settings that share the same rule as a non-privileged
  // view of the email address.
  $personalization_fields = [
    'preferred_langcode',
    'preferred_admin_langcode',
    'timezone',
  ];

  if ($field_name === 'name') {
    // Anyone who can see the entity can see the username, and the username
    // is editable while the account is still being registered (entity is
    // new). The isNew() call is only reached for non-view operations.
    if ($operation == 'view' || ($items && $items->getEntity()->isNew())) {
      return AccessResult::allowed()->cachePerPermissions();
    }
    // Editing an existing username is reserved for the account owner who
    // holds the matching permission; the result varies per user and per
    // permission set, so both cache contexts are attached.
    $may_rename_self = $is_own_account && $account->hasPermission('change own username');
    return $may_rename_self
      ? AccessResult::allowed()->cachePerPermissions()->cachePerUser()
      : AccessResult::neutral();
  }

  // Viewing any email address is a distinct privilege; when it is not held
  // the email field is treated like the other personalization settings.
  if ($field_name === 'mail' && $operation == 'view' && $account->hasPermission('view user email addresses')) {
    return AccessResult::allowed()->cachePerPermissions();
  }

  if ($field_name === 'mail' || in_array($field_name, $personalization_fields, TRUE)) {
    if ($operation == 'view') {
      // Only the owner may view; the outcome depends on who is asking.
      return AccessResult::allowedIf($is_own_account)->cachePerUser();
    }
    // Edit access is delegated to whoever may edit the user entity.
    return AccessResult::allowed()->cachePerPermissions();
  }

  if ($field_name === 'pass') {
    // The password may be set but is never readable, regardless of role.
    return $operation == 'edit' ? AccessResult::allowed() : AccessResult::forbidden();
  }

  if ($field_name === 'created') {
    // The creation date is readable but not directly editable here.
    return $operation == 'view' ? AccessResult::allowed() : AccessResult::neutral();
  }

  // Administrative bookkeeping fields get no opinion from this handler.
  $neutral_fields = ['roles', 'status', 'access', 'login', 'init'];
  if (in_array($field_name, $neutral_fields, TRUE)) {
    return AccessResult::neutral();
  }

  // Every other field is governed by the generic entity field rules.
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}