function UserAccessControlHandler::checkFieldAccess

Same name and namespace in other branches
  1. 11.x core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()
  2. 10 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()
  3. 8.9.x core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()

File

core/modules/user/src/UserAccessControlHandler.php, line 87

Class

UserAccessControlHandler
Defines the access control handler for the user entity type.

Namespace

Drupal\user

Code

protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Fields that are not implicitly allowed to administrative users.
  $explicit_check_fields = [
    'pass',
  ];
  // Administrative users are allowed to edit and view all fields.
  if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
    return AccessResult::allowed()->cachePerPermissions();
  }
  // Flag to indicate if this user entity is the own user account.
  $is_own_account = $items ? $items->getEntity()
    ->id() == $account->id() : FALSE;
  switch ($field_definition->getName()) {
    case 'name':
      // Allow view access to anyone with access to the entity.
      // The username field is editable during the registration process.
      if ($operation == 'view' || $items && $items->getEntity()
        ->isAnonymous()) {
        return AccessResult::allowed()->cachePerPermissions();
      }
      // Allow edit access for the own user name if the permission is
      // satisfied.
      if ($is_own_account && $account->hasPermission('change own username')) {
        return AccessResult::allowed()->cachePerPermissions()
          ->cachePerUser();
      }
      else {
        return AccessResult::neutral();
      }
    case 'mail':
      // Only check for the 'view user email addresses' permission and a view
      // operation. Use case fall-through for all other cases.
      if ($operation == 'view' && $account->hasPermission('view user email addresses')) {
        return AccessResult::allowed()->cachePerPermissions();
      }
    case 'preferred_langcode':
    case 'preferred_admin_langcode':
    case 'timezone':
      // Allow view access to own mail address and other personalization
      // settings.
      if ($operation == 'view') {
        return AccessResult::allowedIf($is_own_account)->cachePerUser();
      }
      // Anyone that can edit the user can also edit this field.
      return AccessResult::allowed()->cachePerPermissions();
    case 'pass':
      // Allow editing the password, but not viewing it.
      return $operation == 'edit' ? AccessResult::allowed() : AccessResult::forbidden();
    case 'created':
      // Allow viewing the created date, but not editing it.
      return $operation == 'view' ? AccessResult::allowed() : AccessResult::neutral();
    case 'roles':
    case 'status':
    case 'access':
    case 'login':
    case 'init':
      return AccessResult::neutral();
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.