function field_permission_example_entity_field_access

Same name and namespace in other branches
  1. 4.0.x modules/field_permission_example/field_permission_example.module \field_permission_example_entity_field_access()

Implements hook_entity_field_access().

This ensures the fieldnote field is neither viewed nor edited by accounts that lack the permission to do so.

Related topics

File

modules/field_permission_example/field_permission_example.module, line 96

Code

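/**
 * Implements hook_entity_field_access().
 *
 * Controls who may view or edit the sticky-note field. Administrative
 * permissions grant everything; otherwise access depends on the requested
 * operation, the "any"/"own" fieldnote permissions, and whether the account
 * owns the entity the field is attached to.
 *
 * @param string $operation
 *   The operation being performed, 'view' or 'edit'.
 * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
 *   The definition of the field being accessed.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account whose access is being checked.
 * @param \Drupal\Core\Field\FieldItemListInterface|null $items
 *   The field values, or NULL when only the definition is being checked
 *   (no host entity is available in that case).
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   Neutral for fields of any other type; otherwise allowed or forbidden.
 */
function field_permission_example_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
  $messenger = \Drupal::messenger();
  // Only our sticky-note field type is our business. Stay neutral for every
  // other field so other modules' access decisions are left untouched.
  if ($field_definition->getType() !== 'field_permission_example_fieldnote') {
    return AccessResult::neutral();
  }
  // Administrative ("superuser") permissions win outright, so administrators
  // can always manage the content types this field is attached to.
  if ($account->hasPermission('bypass node access')) {
    $messenger->addMessage(t('User can bypass node access.'));
    return AccessResult::allowed();
  }
  if ($account->hasPermission('administer content types')) {
    $messenger->addMessage(t('User can administer content types.'));
    return AccessResult::allowed();
  }
  if ($account->hasPermission('administer the fieldnote field')) {
    $messenger->addMessage(t('User can administer this field.'));
    return AccessResult::allowed();
  }
  // For everyone else the decision depends on the requested operation.
  if ($operation === 'view' && $account->hasPermission('view any fieldnote')) {
    $messenger->addMessage(t('User can view any field note.'));
    return AccessResult::allowed();
  }
  if ($operation === 'edit' && $account->hasPermission('edit any fieldnote')) {
    $messenger->addMessage(t('User can edit any field note.'));
    return AccessResult::allowed();
  }
  // Without an "any" permission, access can still be granted to the owner of
  // the entity the field is attached to. That needs the items (to reach the
  // host entity) and an entity that can actually be owned.
  if ($items !== NULL && _field_permission_example_account_owns_entity($items->getEntity(), $account)) {
    if ($operation === 'view' && $account->hasPermission('view own fieldnote')) {
      $messenger->addMessage(t('User can view their own field note.'));
      return AccessResult::allowed();
    }
    if ($operation === 'edit' && $account->hasPermission('edit own fieldnote')) {
      $messenger->addMessage(t('User can edit their own field note.'));
      return AccessResult::allowed();
    }
  }
  // Anything else on this field is forbidden.
  return AccessResult::forbidden();
}

/**
 * Determines whether an account owns the entity a fieldnote is attached to.
 *
 * A user entity is owned by the matching account; any other entity must
 * implement EntityOwnerInterface. An entity without an owner (for example
 * when the owning account no longer exists) is owned by nobody.
 *
 * @param \Drupal\Core\Entity\EntityInterface|null $entity
 *   The host entity of the field, or NULL when none is available.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account being checked.
 *
 * @return bool
 *   TRUE when $account owns $entity, FALSE otherwise.
 */
function _field_permission_example_account_owns_entity($entity, AccountInterface $account) {
  // Compare by user ID rather than account name: the ID is the canonical
  // identity, while a name can be renamed or empty.
  if ($entity instanceof UserInterface) {
    return (int) $entity->id() === (int) $account->id();
  }
  if ($entity instanceof EntityOwnerInterface) {
    // getOwner() may return NULL; guard it so a missing owner is treated as
    // "not owned" instead of triggering a fatal error.
    $owner = $entity->getOwner();
    // NOTE(review): the anonymous account and anonymous-authored entities
    // both carry uid 0, so "own" permissions granted to the anonymous role
    // would match here; confirm that is the intended policy.
    return $owner !== NULL && (int) $owner->id() === (int) $account->id();
  }
  return FALSE;
}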