function UserAccessControlHandler::checkFieldAccess

Same name in other branches
  1. 8.9.x core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()
  2. 10 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()
  3. 11.x core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkFieldAccess()

Overrides EntityAccessControlHandler::checkFieldAccess

File

core/modules/user/src/UserAccessControlHandler.php, line 87

Class

UserAccessControlHandler
Defines the access control handler for the user entity type.

Namespace

Drupal\user

Code

protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    // Fields that are not implicitly allowed to administrative users.
    $explicit_check_fields = [
        'pass',
    ];
    // Administrative users are allowed to edit and view all fields.
    if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
        return AccessResult::allowed()->cachePerPermissions();
    }
    // Flag to indicate if this user entity is the own user account.
    $is_own_account = $items ? $items->getEntity()
        ->id() == $account->id() : FALSE;
    switch ($field_definition->getName()) {
        case 'name':
            // Allow view access to anyone with access to the entity.
            // The username field is editable during the registration process.
            if ($operation == 'view' || $items && $items->getEntity()
                ->isAnonymous()) {
                return AccessResult::allowed()->cachePerPermissions();
            }
            // Allow edit access for the own user name if the permission is
            // satisfied.
            if ($is_own_account && $account->hasPermission('change own username')) {
                return AccessResult::allowed()->cachePerPermissions()
                    ->cachePerUser();
            }
            else {
                return AccessResult::neutral();
            }
        case 'mail':
            // Only check for the 'view user email addresses' permission and a view
            // operation. Use case fall-through for all other cases.
            if ($operation == 'view' && $account->hasPermission('view user email addresses')) {
                return AccessResult::allowed()->cachePerPermissions();
            }
        case 'preferred_langcode':
        case 'preferred_admin_langcode':
        case 'timezone':
            // Allow view access to own mail address and other personalization
            // settings.
            if ($operation == 'view') {
                return AccessResult::allowedIf($is_own_account)->cachePerUser();
            }
            // Anyone that can edit the user can also edit this field.
            return AccessResult::allowed()->cachePerPermissions();
        case 'pass':
            // Allow editing the password, but not viewing it.
            return $operation == 'edit' ? AccessResult::allowed() : AccessResult::forbidden();
        case 'created':
            // Allow viewing the created date, but not editing it.
            return $operation == 'view' ? AccessResult::allowed() : AccessResult::neutral();
        case 'roles':
        case 'status':
        case 'access':
        case 'login':
        case 'init':
            return AccessResult::neutral();
    }
    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.