class CommentAccessControlHandler

Same name in other branches
  1. 9 core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler
  2. 8.9.x core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler
  3. 10 core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler

Defines the access control handler for the comment entity type.

Hierarchy

Expanded class hierarchy of CommentAccessControlHandler

See also

\Drupal\comment\Entity\Comment

1 file declares its use of CommentAccessControlHandler
Comment.php in core/modules/comment/src/Entity/Comment.php

File

core/modules/comment/src/CommentAccessControlHandler.php, line 18

Namespace

Drupal\comment
View source
class CommentAccessControlHandler extends EntityAccessControlHandler {
    
    /**
     * {@inheritdoc}
     */
    protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
        
        /** @var \Drupal\comment\CommentInterface|\Drupal\user\EntityOwnerInterface $entity */
        $comment_admin = $account->hasPermission('administer comments');
        if ($operation == 'approve') {
            return AccessResult::allowedIf($comment_admin && !$entity->isPublished())
                ->cachePerPermissions()
                ->addCacheableDependency($entity);
        }
        if ($comment_admin) {
            $access = AccessResult::allowed()->cachePerPermissions();
            return $operation != 'view' ? $access : $access->andIf($entity->getCommentedEntity()
                ->access($operation, $account, TRUE));
        }
        switch ($operation) {
            case 'view':
                $access_result = AccessResult::allowedIf($account->hasPermission('access comments') && $entity->isPublished())
                    ->cachePerPermissions()
                    ->addCacheableDependency($entity)
                    ->andIf($entity->getCommentedEntity()
                    ->access($operation, $account, TRUE));
                if (!$access_result->isAllowed()) {
                    $access_result->setReason("The 'access comments' permission is required and the comment must be published.");
                }
                return $access_result;
            case 'update':
                $access_result = AccessResult::allowedIf($account->id() && $account->id() == $entity->getOwnerId() && $entity->isPublished() && $account->hasPermission('edit own comments'))
                    ->cachePerPermissions()
                    ->cachePerUser()
                    ->addCacheableDependency($entity);
                if (!$access_result->isAllowed()) {
                    $access_result->setReason("The 'edit own comments' permission is required, the user must be the comment author, and the comment must be published.");
                }
                return $access_result;
            default:
                // No opinion.
                return AccessResult::neutral()->cachePerPermissions();
        }
    }
    
    /**
     * {@inheritdoc}
     */
    protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
        return AccessResult::allowedIfHasPermission($account, 'post comments');
    }
    
    /**
     * {@inheritdoc}
     */
    protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, ?FieldItemListInterface $items = NULL) {
        if ($operation == 'edit') {
            // Only users with the "administer comments" permission can edit
            // administrative fields.
            $administrative_fields = [
                'uid',
                'status',
                'created',
                'date',
            ];
            if (in_array($field_definition->getName(), $administrative_fields, TRUE)) {
                return AccessResult::allowedIfHasPermission($account, 'administer comments');
            }
            // No user can change read-only fields.
            $read_only_fields = [
                'hostname',
                'changed',
                'cid',
                'thread',
            ];
            // These fields can be edited during comment creation.
            $create_only_fields = [
                'comment_type',
                'uuid',
                'entity_id',
                'entity_type',
                'field_name',
                'pid',
            ];
            
            /** @var \Drupal\comment\CommentInterface|null $entity */
            $entity = $items ? $items->getEntity() : NULL;
            $commented_entity = $entity ? $entity->getCommentedEntity() : NULL;
            if ($entity && $entity->isNew() && in_array($field_definition->getName(), $create_only_fields, TRUE)) {
                $access_result = AccessResult::allowedIfHasPermission($account, 'post comments')->addCacheableDependency($entity);
                $comment_field_name = $entity->get('field_name')->value;
                if ($commented_entity && $comment_field_name) {
                    // We are creating a new comment, user can edit create only fields if
                    // commenting is open.
                    $commenting_status = (int) $commented_entity->get($comment_field_name)->status;
                    $access_result = $access_result->andIf(AccessResult::allowedIf($commenting_status !== CommentItemInterface::CLOSED))
                        ->addCacheableDependency($commented_entity);
                }
                return $access_result;
            }
            // We are editing an existing comment - create only fields are now read
            // only.
            $read_only_fields = array_merge($read_only_fields, $create_only_fields);
            if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
                return AccessResult::forbidden();
            }
            // If the field is configured to accept anonymous contact details - admins
            // can edit name, homepage and mail. Anonymous users can also fill in the
            // fields on comment creation.
            if (in_array($field_definition->getName(), [
                'name',
                'mail',
                'homepage',
            ], TRUE)) {
                if (!$items) {
                    // We cannot make a decision about access to edit these fields if we
                    // don't have any items and therefore cannot determine the Comment
                    // entity. In this case we err on the side of caution and prevent edit
                    // access.
                    return AccessResult::forbidden();
                }
                $is_name = $field_definition->getName() === 'name';
                $anonymous_contact = $commented_entity->get($entity->getFieldName())
                    ->getFieldDefinition()
                    ->getSetting('anonymous');
                $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
                $anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && ($anonymous_contact != CommentInterface::ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account->hasPermission('post comments'))
                    ->cachePerPermissions()
                    ->addCacheableDependency($entity)
                    ->addCacheableDependency($field_definition->getConfig($commented_entity->bundle()))
                    ->addCacheableDependency($commented_entity);
                return $admin_access->orIf($anonymous_access);
            }
        }
        if ($operation == 'view') {
            // Nobody has access to the hostname.
            if ($field_definition->getName() == 'hostname') {
                return AccessResult::forbidden();
            }
            // The mail field is hidden from non-admins.
            if ($field_definition->getName() == 'mail') {
                return AccessResult::allowedIfHasPermission($account, 'administer comments');
            }
        }
        return parent::checkFieldAccess($operation, $field_definition, $account, $items);
    }

}

Members

Title Sort descending Modifiers Object type Summary Overriden Title Overrides
CommentAccessControlHandler::checkAccess protected function Overrides EntityAccessControlHandler::checkAccess
CommentAccessControlHandler::checkCreateAccess protected function Overrides EntityAccessControlHandler::checkCreateAccess
CommentAccessControlHandler::checkFieldAccess protected function Overrides EntityAccessControlHandler::checkFieldAccess
DependencySerializationTrait::$_entityStorages protected property
DependencySerializationTrait::$_serviceIds protected property
DependencySerializationTrait::__sleep public function 1
DependencySerializationTrait::__wakeup public function 2
EntityAccessControlHandler::$accessCache protected property Stores calculated access check results.
EntityAccessControlHandler::$entityType protected property Information about the entity type.
EntityAccessControlHandler::$entityTypeId protected property The entity type ID of the access control handler instance.
EntityAccessControlHandler::$viewLabelOperation protected property Allows to grant access to just the labels. 7
EntityAccessControlHandler::access public function Overrides EntityAccessControlHandlerInterface::access 1
EntityAccessControlHandler::createAccess public function Overrides EntityAccessControlHandlerInterface::createAccess 1
EntityAccessControlHandler::fieldAccess public function Overrides EntityAccessControlHandlerInterface::fieldAccess
EntityAccessControlHandler::getCache protected function Tries to retrieve a previously cached access value from the static cache.
EntityAccessControlHandler::prepareUser protected function Loads the current account object, if it does not exist yet.
EntityAccessControlHandler::processAccessHookResults protected function Determines entity access.
EntityAccessControlHandler::resetCache public function Overrides EntityAccessControlHandlerInterface::resetCache
EntityAccessControlHandler::setCache protected function Statically caches whether the given user has access.
EntityAccessControlHandler::__construct public function Constructs an access control handler instance. 8
EntityHandlerBase::$moduleHandler protected property The module handler to invoke hooks on. 5
EntityHandlerBase::moduleHandler protected function Gets the module handler. 5
EntityHandlerBase::setModuleHandler public function Sets the module handler for this handler.
StringTranslationTrait::$stringTranslation protected property The string translation service. 3
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.