function field_permission_example_entity_field_access
Same name in other branches
- 3.x modules/field_permission_example/field_permission_example.module \field_permission_example_entity_field_access()
Implements hook_entity_field_access().
We want to make sure that fields aren't being seen or edited by those who shouldn't.
File
modules/field_permission_example/field_permission_example.module, line 96
Code
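/**
 * Implements hook_entity_field_access().
 *
 * Decides 'view' and 'edit' access for fields of type
 * 'field_permission_example_fieldnote'. Every other field type gets a neutral
 * result, so this hook has no say over it.
 *
 * Access is granted, in order, to accounts holding 'bypass node access',
 * 'administer content types' or 'administer the fieldnote field'; then to
 * accounts holding the "any" permission for the requested operation; then to
 * the owner of the host entity holding the matching "own" permission.
 * Everything else on this field type is forbidden.
 *
 * @param string $operation
 *   The operation being checked; 'view' and 'edit' are handled here.
 * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
 *   Definition of the field whose access is being checked.
 * @param \Drupal\Core\Session\AccountInterface $account
 *   The account the access decision is made for.
 * @param \Drupal\Core\Field\FieldItemListInterface|null $items
 *   The field values, when available. Without them the host entity is unknown
 *   and no ownership-based grant can be made.
 *
 * @return \Drupal\Core\Access\AccessResultInterface
 *   Neutral for foreign field types, otherwise allowed or forbidden.
 */
function field_permission_example_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
  // Only the sticky note field type is handled; stay neutral about the rest.
  if ($field_definition->getType() !== 'field_permission_example_fieldnote') {
    return AccessResult::neutral();
  }

  // NOTE(review): every grant path below posts a status message naming the
  // permission that matched. That looks like demonstration output; it tells
  // the current user why access was granted, so confirm it is not wanted
  // outside the example before reusing this code.
  $messenger = \Drupal::messenger();

  // Every decision below depends on the account's permissions, so each result
  // carries the permissions cache context. Without it a cached decision made
  // for one set of permissions could be reused for another.
  //
  // Administrative permissions grant access regardless of the operation.
  if ($account->hasPermission('bypass node access')) {
    $messenger->addMessage(t('User can bypass node access.'));
    return AccessResult::allowed()->cachePerPermissions();
  }
  // hasPermission() takes the permission name only; the account is the object
  // it is called on.
  if ($account->hasPermission('administer content types')) {
    $messenger->addMessage(t('User can administer content types.'));
    return AccessResult::allowed()->cachePerPermissions();
  }
  if ($account->hasPermission('administer the fieldnote field')) {
    $messenger->addMessage(t('User can administer this field.'));
    return AccessResult::allowed()->cachePerPermissions();
  }

  // For anyone else, it depends on the requested operation.
  if ($operation === 'view' && $account->hasPermission('view any fieldnote')) {
    $messenger->addMessage(t('User can view any field note.'));
    return AccessResult::allowed()->cachePerPermissions();
  }
  if ($operation === 'edit' && $account->hasPermission('edit any fieldnote')) {
    $messenger->addMessage(t('User can edit any field note.'));
    return AccessResult::allowed()->cachePerPermissions();
  }

  $denied = AccessResult::forbidden()->cachePerPermissions();

  // Ownership needs the host entity, which is only known when items are given.
  if ($items) {
    $entity = $items->getEntity();
    // From here on the outcome also depends on who is asking and on the
    // entity's current owner.
    $denied->cachePerUser()->addCacheableDependency($entity);

    // Ownership is decided on numeric IDs compared strictly. A loose
    // comparison of account names treats numeric-looking names as numbers
    // ('1e3' == '1000'), and loading the owner just to read its name fails
    // when the owning account no longer exists. All anonymous visitors share
    // one account, so "own" is only meaningful for authenticated accounts.
    if ($account->isAuthenticated()) {
      $account_id = (int) $account->id();
      $owns_entity = ($entity instanceof EntityOwnerInterface && (int) $entity->getOwnerId() === $account_id)
        || ($entity instanceof UserInterface && (int) $entity->id() === $account_id);

      if ($owns_entity) {
        if ($operation === 'view' && $account->hasPermission('view own fieldnote')) {
          $messenger->addMessage(t('User can view their own field note.'));
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
        if ($operation === 'edit' && $account->hasPermission('edit own fieldnote')) {
          $messenger->addMessage(t('User can edit their own field note.'));
          return AccessResult::allowed()
            ->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($entity);
        }
      }
    }
  }

  // Anything else on this field is forbidden.
  return $denied;
}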