Same name and namespace in other branches

1. 8.9.x core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkAccess()
2. 10 core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkAccess()
3. 11.x core/modules/user/src/UserAccessControlHandler.php \Drupal\user\UserAccessControlHandler::checkAccess()

Performs access checks.

This method is supposed to be overwritten by extending classes that do their own custom access checking.

Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkAccess

File

core/modules/user/src/UserAccessControlHandler.php, line 31

Class

UserAccessControlHandler

Defines the access control handler for the user entity type.

Namespace

Drupal\user

Code

protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    
    /** @var \Drupal\user\UserInterface $entity*/
    // We don't treat the user label as privileged information, so this check
    // has to be the first one in order to allow labels for all users to be
    // viewed, including the special anonymous user.
    if ($operation === 'view label') {
        return AccessResult::allowed();
    }
    // The anonymous user's profile can neither be viewed, updated nor deleted.
    if ($entity->isAnonymous()) {
        return AccessResult::forbidden();
    }
    // Administrators can view/update/delete all user profiles.
    if ($account->hasPermission('administer users')) {
        return AccessResult::allowed()->cachePerPermissions();
    }
    switch ($operation) {
        case 'view':
            // Only allow view access if the account is active.
            if ($account->hasPermission('access user profiles') && $entity->isActive()) {
                return AccessResult::allowed()->cachePerPermissions()
                    ->addCacheableDependency($entity);
            }
            elseif ($account->id() == $entity->id()) {
                return AccessResult::allowed()->cachePerUser();
            }
            else {
                return AccessResultNeutral::neutral("The 'access user profiles' permission is required and the user must be active.")->cachePerPermissions()
                    ->addCacheableDependency($entity);
            }
            break;
        case 'update':
            // Users can always edit their own account.
            $access_result = AccessResult::allowedIf($account->id() == $entity->id())
                ->cachePerUser();
            if (!$access_result->isAllowed() && $access_result instanceof AccessResultReasonInterface) {
                $access_result->setReason("Users can only update their own account, unless they have the 'administer users' permission.");
            }
            return $access_result;
        case 'delete':
            // Users with 'cancel account' permission can cancel their own account.
            return AccessResult::allowedIfHasPermission($account, 'cancel account')->andIf(AccessResult::allowedIf($account->id() == $entity->id())
                ->cachePerUser());
    }
    // No opinion.
    return AccessResult::neutral();
}

---