function field_permission_example_entity_field_access

Same name and namespace in other branches
  1. 4.0.x modules/field_permission_example/field_permission_example.module \field_permission_example_entity_field_access()

Implements hook_entity_field_access().

We want to make sure that fields aren't being seen or edited by those who shouldn't.

Related topics

Example: Field Permissions
Example using permissions on a Field API field.

File

modules/field_permission_example/field_permission_example.module, line 96

Code

function field_permission_example_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    $messenger = \Drupal::messenger();
    // Find out what field we're looking at.  If it isn't
    // our sticky note widget, tell Drupal we don't care about its access.
    if ($field_definition->getType() != 'field_permission_example_fieldnote') {
        return AccessResult::neutral();
    }
    // First we'll check if the user has the 'superuser'
    // permissions that node provides. This way administrators
    // will be able to administer the content types.
    if ($account->hasPermission('bypass node access')) {
        $messenger->addMessage(t('User can bypass node access.'));
        return AccessResult::allowed();
    }
    if ($account->hasPermission('administer content types', $account)) {
        $messenger->addMessage(t('User can administer content types.'));
        return AccessResult::allowed();
    }
    if ($account->hasPermission('administer the fieldnote field', $account)) {
        $messenger->addMessage(t('User can administer this field.'));
        return AccessResult::allowed();
    }
    // For anyone else, it depends on the desired operation.
    if ($operation == 'view' and $account->hasPermission('view any fieldnote')) {
        $messenger->addMessage(t('User can view any field note.'));
        return AccessResult::allowed();
    }
    if ($operation == 'edit' and $account->hasPermission('edit any fieldnote')) {
        $messenger->addMessage(t('User can edit any field note.'));
        return AccessResult::allowed();
    }
    // At this point, we need to know if the user "owns" the entity we're attached
    // to. If it's a user, we'll use the account name to test. Otherwise rely on
    // the entity implementing the EntityOwnerInterface. Anything else can't be
    // owned, and we'll refuse access.
    if ($items) {
        $entity = $items->getEntity();
        if ($entity instanceof EntityOwnerInterface and $entity->getOwner()
            ->getAccountName() == $account->getAccountName() or $entity instanceof UserInterface and $entity->name->value == $account->getAccountName()) {
            if ($operation == 'view' and $account->hasPermission('view own fieldnote')) {
                $messenger->addMessage(t('User can view their own field note.'));
                return AccessResult::allowed();
            }
            if ($operation == 'edit' and $account->hasPermission('edit own fieldnote')) {
                $messenger->addMessage(t('User can edit their own field note.'));
                return AccessResult::allowed();
            }
        }
    }
    // Anything else on this field is forbidden.
    return AccessResult::forbidden();
}