function content_moderation_entity_access

Implements hook_entity_access().

Entities should be viewable if unpublished and the user has the appropriate permission. This permission is therefore effectively mandatory for any user that wants to moderate things.

File

core/modules/content_moderation/content_moderation.module, line 215

Code

function content_moderation_entity_access(EntityInterface $entity, $operation, AccountInterface $account) {
  /** @var \Drupal\content_moderation\ModerationInformationInterface $moderation_info */
  $moderation_info = Drupal::service('content_moderation.moderation_information');
  $access_result = NULL;
  if ($operation === 'view') {
    $access_result = $entity instanceof EntityPublishedInterface && !$entity->isPublished() ? AccessResult::allowedIfHasPermission($account, 'view any unpublished content') : AccessResult::neutral();
    $access_result->addCacheableDependency($entity);
  }
  elseif ($operation === 'update' && $moderation_info->isModeratedEntity($entity) && $entity->moderation_state) {
    /** @var \Drupal\content_moderation\StateTransitionValidation $transition_validation */
    $transition_validation = \Drupal::service('content_moderation.state_transition_validation');
    $valid_transition_targets = $transition_validation->getValidTransitions($entity, $account);
    $access_result = $valid_transition_targets ? AccessResult::neutral() : AccessResult::forbidden('No valid transitions exist for given account.');
    $access_result->addCacheableDependency($entity);
    $workflow = $moderation_info->getWorkflowForEntity($entity);
    $access_result->addCacheableDependency($workflow);
    // The state transition validation service returns a list of transitions
    // based on the user's permission to use them.
    $access_result->cachePerPermissions();
  }
  // Do not allow users to delete the state that is configured as the default
  // state for the workflow.
  if ($entity instanceof WorkflowInterface) {
    $configuration = $entity->getTypePlugin()
      ->getConfiguration();
    if (!empty($configuration['default_moderation_state']) && $operation === sprintf('delete-state:%s', $configuration['default_moderation_state'])) {
      return AccessResult::forbidden()->addCacheableDependency($entity);
    }
  }
  return $access_result;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.