function CommentAccessControlHandler::checkFieldAccess

Same name and namespace in other branches
  1. 11.x core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler::checkFieldAccess()
  2. 10 core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler::checkFieldAccess()
  3. 8.9.x core/modules/comment/src/CommentAccessControlHandler.php \Drupal\comment\CommentAccessControlHandler::checkFieldAccess()

File

core/modules/comment/src/CommentAccessControlHandler.php, line 71

Class

CommentAccessControlHandler
Defines the access control handler for the comment entity type.

Namespace

Drupal\comment

Code

protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  if ($operation == 'edit') {
    // Only users with the "administer comments" permission can edit
    // administrative fields.
    $administrative_fields = [
      'uid',
      'status',
      'created',
      'date',
    ];
    if (in_array($field_definition->getName(), $administrative_fields, TRUE)) {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }
    // No user can change read-only fields.
    $read_only_fields = [
      'hostname',
      'changed',
      'cid',
      'thread',
    ];
    // These fields can be edited during comment creation.
    $create_only_fields = [
      'comment_type',
      'uuid',
      'entity_id',
      'entity_type',
      'field_name',
      'pid',
    ];
    if ($items && ($entity = $items->getEntity()) && $entity->isNew() && in_array($field_definition->getName(), $create_only_fields, TRUE)) {
      // We are creating a new comment, user can edit create only fields.
      return AccessResult::allowedIfHasPermission($account, 'post comments')->addCacheableDependency($entity);
    }
    // We are editing an existing comment - create only fields are now read
    // only.
    $read_only_fields = array_merge($read_only_fields, $create_only_fields);
    if (in_array($field_definition->getName(), $read_only_fields, TRUE)) {
      return AccessResult::forbidden();
    }
    // If the field is configured to accept anonymous contact details - admins
    // can edit name, homepage and mail. Anonymous users can also fill in the
    // fields on comment creation.
    if (in_array($field_definition->getName(), [
      'name',
      'mail',
      'homepage',
    ], TRUE)) {
      if (!$items) {
        // We cannot make a decision about access to edit these fields if we
        // don't have any items and therefore cannot determine the Comment
        // entity. In this case we err on the side of caution and prevent edit
        // access.
        return AccessResult::forbidden();
      }
      $is_name = $field_definition->getName() === 'name';
      /** @var \Drupal\comment\CommentInterface $entity */
      $entity = $items->getEntity();
      $commented_entity = $entity->getCommentedEntity();
      $anonymous_contact = $commented_entity->get($entity->getFieldName())
        ->getFieldDefinition()
        ->getSetting('anonymous');
      $admin_access = AccessResult::allowedIfHasPermission($account, 'administer comments');
      $anonymous_access = AccessResult::allowedIf($entity->isNew() && $account->isAnonymous() && ($anonymous_contact != CommentInterface::ANONYMOUS_MAYNOT_CONTACT || $is_name) && $account->hasPermission('post comments'))
        ->cachePerPermissions()
        ->addCacheableDependency($entity)
        ->addCacheableDependency($field_definition->getConfig($commented_entity->bundle()))
        ->addCacheableDependency($commented_entity);
      return $admin_access->orIf($anonymous_access);
    }
  }
  if ($operation == 'view') {
    // Nobody has access to the hostname.
    if ($field_definition->getName() == 'hostname') {
      return AccessResult::forbidden();
    }
    // The mail field is hidden from non-admins.
    if ($field_definition->getName() == 'mail') {
      return AccessResult::allowedIfHasPermission($account, 'administer comments');
    }
  }
  return parent::checkFieldAccess($operation, $field_definition, $account, $items);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.