function RelationshipFieldAccess::access
Same name in other branches
- 9 core/modules/jsonapi/src/Access/RelationshipFieldAccess.php \Drupal\jsonapi\Access\RelationshipFieldAccess::access()
Checks access to the relationship field on the given route.
Parameters
\Symfony\Component\HttpFoundation\Request $request: The incoming HTTP request object.
\Symfony\Component\Routing\Route $route: The route to check against.
\Drupal\Core\Session\AccountInterface $account: The currently logged in account.
Return value
\Drupal\Core\Access\AccessResultInterface The access result.
File
- core/modules/jsonapi/src/Access/RelationshipFieldAccess.php, line 65
Class
- RelationshipFieldAccess
- Defines a class to check access to related and relationship routes.
Namespace
Drupal\jsonapi\Access
Code
public function access(Request $request, Route $route, AccountInterface $account) {
  $relationship_field_name = $route->getRequirement(static::ROUTE_REQUIREMENT_KEY);
  $field_operation = $request->isMethodCacheable() ? 'view' : 'edit';
  $entity_operation = $request->isMethodCacheable() ? 'view' : 'update';
  if ($resource_type = $request->get(Routes::RESOURCE_TYPE_KEY)) {
    assert($resource_type instanceof ResourceType);
    $entity = $request->get('entity');
    $internal_name = $resource_type->getInternalName($relationship_field_name);
    if ($entity instanceof FieldableEntityInterface && $entity->hasField($internal_name)) {
      $entity_access = $this->entityAccessChecker
        ->checkEntityAccess($entity, $entity_operation, $account);
      $field_access = $entity->get($internal_name)
        ->access($field_operation, $account, TRUE);
      // Ensure that access is respected for different entity revisions.
      $access_result = $entity_access->andIf($field_access);
      if (!$access_result->isAllowed()) {
        $reason = "The current user is not allowed to {$field_operation} this relationship.";
        $access_reason = $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : NULL;
        $detailed_reason = empty($access_reason) ? $reason : $reason . " {$access_reason}";
        $access_result->setReason($detailed_reason);
        if ($request->isMethodCacheable()) {
          throw new CacheableAccessDeniedHttpException(CacheableMetadata::createFromObject($access_result), $detailed_reason);
        }
      }
      return $access_result;
    }
  }
  return AccessResult::neutral();
}
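The decision logic above, reduced to a stand-alone PHP model as an added example (not Drupal core code): access results are modelled as plain strings, and `and_if()` and `relationship_decision()` are hypothetical names. It shows that the relationship is granted only when both the entity check and the field check are allowed, and that only denials on cacheable (GET/HEAD) requests raise the cacheable exception.

```php
<?php
// Added illustration: a simplified stand-alone model, not Drupal core code.
// Access results are modelled as the strings 'allowed', 'neutral', 'forbidden'.

// Mirrors AccessResult::andIf(): forbidden wins, allowed needs both sides.
function and_if(string $a, string $b): string {
  if ($a === 'forbidden' || $b === 'forbidden') {
    return 'forbidden';
  }
  return ($a === 'allowed' && $b === 'allowed') ? 'allowed' : 'neutral';
}

// Hypothetical helper reproducing the decision flow of access() above.
function relationship_decision(string $method, string $entity_access, string $field_access): array {
  // Symfony's Request::isMethodCacheable() is true for GET and HEAD only.
  $cacheable = in_array($method, ['GET', 'HEAD'], TRUE);
  $result = and_if($entity_access, $field_access);
  return [
    'entity_operation' => $cacheable ? 'view' : 'update',
    'field_operation' => $cacheable ? 'view' : 'edit',
    'result' => $result,
    // access() treats only isAllowed() as success; neutral is a denial too.
    'granted' => $result === 'allowed',
    // Only cacheable requests get the exception carrying cache metadata.
    'throws_cacheable_403' => $cacheable && $result !== 'allowed',
  ];
}

// Constructed cases: [HTTP method, entity access, field access].
$cases = [
  ['GET', 'allowed', 'allowed'],
  ['GET', 'allowed', 'neutral'],
  ['PATCH', 'allowed', 'forbidden'],
  ['POST', 'neutral', 'allowed'],
];
foreach ($cases as [$method, $entity, $field]) {
  $d = relationship_decision($method, $entity, $field);
  printf("%-5s entity=%-9s field=%-9s => %-9s granted=%s exception=%s\n",
    $method, $entity, $field, $d['result'],
    $d['granted'] ? 'yes' : 'no',
    $d['throws_cacheable_403'] ? 'yes' : 'no');
}
```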