< ? php
/**
 * @file
 * Contains \Drupal\comment\CommentAccessControlHandler.
 */
namespace Drupal\comment ;
use Drupal\Core\Access\AccessResult ;
use Drupal\Core\Entity\EntityAccessControlHandler ;
use Drupal\Core\Entity\EntityInterface ;
use Drupal\Core\Field\FieldDefinitionInterface ;
use Drupal\Core\Field\FieldItemListInterface ;
use Drupal\Core\Session\AccountInterface ;
/**
 * Defines the access control handler for the comment entity type.
 *
 * @see \Drupal\comment\Entity\Comment
 */
class CommentAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   *
   * Handles the 'approve', 'view' and 'update' operations. Any other
   * operation (for example 'delete') is allowed for comment administrators
   * and left undecided (neutral) for everybody else.
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    /** @var \Drupal\comment\CommentInterface|\Drupal\user\EntityOwnerInterface $entity */
    $is_admin = $account->hasPermission('administer comments');

    // Approval is reserved for administrators and only makes sense while the
    // comment is still unpublished.
    if ($operation === 'approve') {
      return AccessResult::allowedIf($is_admin && !$entity->isPublished())
        ->cachePerPermissions()
        ->cacheUntilEntityChanges($entity);
    }

    if ($is_admin) {
      $admin_result = AccessResult::allowed()->cachePerPermissions();
      if ($operation !== 'view') {
        return $admin_result;
      }
      // Viewing is additionally gated on access to the commented entity, even
      // for administrators.
      return $admin_result->andIf($entity->getCommentedEntity()->access($operation, $account, TRUE));
    }

    if ($operation === 'view') {
      $may_view = $account->hasPermission('access comments') && $entity->isPublished();
      return AccessResult::allowedIf($may_view)
        ->cachePerPermissions()
        ->cacheUntilEntityChanges($entity)
        ->andIf($entity->getCommentedEntity()->access($operation, $account, TRUE));
    }

    if ($operation === 'update') {
      // Only the (authenticated) owner of a published comment may edit it, and
      // only with the dedicated permission. The result varies per user.
      $is_owner = $account->id() && $account->id() == $entity->getOwnerId();
      $may_edit = $is_owner && $entity->isPublished() && $account->hasPermission('edit own comments');
      return AccessResult::allowedIf($may_edit)
        ->cachePerPermissions()
        ->cachePerUser()
        ->cacheUntilEntityChanges($entity);
    }

    // No opinion on anything else.
    return AccessResult::neutral()->cachePerPermissions();
  }

  /**
   * {@inheritdoc}
   *
   * Neither the bundle nor the context influences the decision: creating a
   * comment of any type requires the 'post comments' permission.
   */
  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
    return AccessResult::allowedIfHasPermission($account, 'post comments');
  }

  /**
   * {@inheritdoc}
   *
   * Field-level rules for 'edit' are delegated to checkFieldEditAccess(); for
   * 'view' the hostname is hidden from everyone and the mail address from
   * non-administrators. Everything else falls back to the parent handler.
   */
  protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    $field_name = $field_definition->getName();

    if ($operation === 'edit') {
      $result = $this->checkFieldEditAccess($field_name, $field_definition, $account, $items);
      if ($result !== NULL) {
        return $result;
      }
    }
    elseif ($operation === 'view') {
      // The hostname is never exposed, regardless of permissions.
      if ($field_name === 'hostname') {
        return AccessResult::forbidden();
      }
      // The e-mail address is visible to comment administrators only.
      if ($field_name === 'mail') {
        return AccessResult::allowedIfHasPermission($account, 'administer comments');
      }
    }

    return parent::checkFieldAccess($operation, $field_definition, $account, $items);
  }

  /**
   * Decides 'edit' access for a single comment field.
   *
   * @param string $field_name
   *   Name of the field being edited.
   * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
   *   Definition of the field being edited.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account requesting access.
   * @param \Drupal\Core\Field\FieldItemListInterface|null $items
   *   The field items, or NULL when no entity is available.
   *
   * @return \Drupal\Core\Access\AccessResultInterface|null
   *   An access result, or NULL when this handler has no field-specific rule
   *   and the parent implementation should decide.
   */
  private function checkFieldEditAccess($field_name, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    // Administrative fields may only be changed with 'administer comments'.
    $administrative_fields = ['uid', 'status', 'created', 'date'];
    if (in_array($field_name, $administrative_fields, TRUE)) {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }

    // These fields are writable only while the comment is being created.
    $create_only_fields = [
      'comment_type',
      'uuid',
      'entity_id',
      'entity_type',
      'field_name',
      'pid',
    ];
    $new_comment = $items && ($comment = $items->getEntity()) && $comment->isNew();
    if ($new_comment && in_array($field_name, $create_only_fields, TRUE)) {
      // The decision depends on isNew(), so the entity is a cache dependency.
      return AccessResult::allowedIfHasPermission($account, 'post comments')->addCacheableDependency($comment);
    }

    // Fields nobody may change; for an existing comment (or when no entity is
    // available) the create-only fields count as read-only too.
    $read_only_fields = array_merge(['hostname', 'changed', 'cid', 'thread'], $create_only_fields);
    if (in_array($field_name, $read_only_fields, TRUE)) {
      return AccessResult::forbidden();
    }

    // Anonymous contact details (name, mail, homepage) have their own rules.
    if (in_array($field_name, ['name', 'mail', 'homepage'], TRUE)) {
      return $this->checkContactFieldEditAccess($field_definition, $account, $items);
    }

    return NULL;
  }

  /**
   * Decides 'edit' access for the name, mail and homepage fields.
   *
   * Administrators may always edit them. An anonymous poster may fill them in
   * while creating the comment, provided the commented entity's comment field
   * is configured to accept anonymous contact details.
   *
   * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
   *   Definition of the field being edited.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account requesting access.
   * @param \Drupal\Core\Field\FieldItemListInterface|null $items
   *   The field items, or NULL when no entity is available.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   The access result.
   */
  private function checkContactFieldEditAccess(FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
    if (!$items) {
      // Without items there is no comment entity, so the anonymous-contact
      // setting cannot be read. Fail closed rather than guess.
      return AccessResult::forbidden();
    }

    /** @var \Drupal\comment\CommentInterface $comment */
    $comment = $items->getEntity();
    $commented_entity = $comment->getCommentedEntity();
    // NOTE(review): $commented_entity is dereferenced without a NULL check;
    // confirm that a comment whose host entity is gone cannot reach this code.
    $contact_setting = $commented_entity
      ->get($comment->getFieldName())
      ->getFieldDefinition()
      ->getSetting('anonymous');

    $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');

    $anonymous_may_fill = $comment->isNew()
      && $account->isAnonymous()
      && $contact_setting != COMMENT_ANONYMOUS_MAYNOT_CONTACT
      && $account->hasPermission('post comments');
    // The outcome depends on the comment, on the field configuration of the
    // commented entity's bundle and on the commented entity itself.
    $anonymous_access = AccessResult::allowedIf($anonymous_may_fill)
      ->cachePerPermissions()
      ->cacheUntilEntityChanges($comment)
      ->cacheUntilEntityChanges($field_definition->getConfig($commented_entity->bundle()))
      ->cacheUntilEntityChanges($commented_entity);

    return $admin_access->orIf($anonymous_access);
  }

}