5 use Drupal\Core\Access\AccessResult;
6 use Drupal\Core\Entity\EntityAccessControlHandler;
7 use Drupal\Core\Entity\EntityInterface;
8 use Drupal\Core\Entity\EntityStorageInterface;
9 use Drupal\Core\Field\FieldDefinitionInterface;
10 use Drupal\Core\Field\FieldItemListInterface;
11 use Drupal\Core\Session\AccountInterface;
14 * Provides a File access control handler.
16 class FileAccessControlHandler extends EntityAccessControlHandler {
21 protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
22 /** @var \Drupal\file\FileInterface $entity */
23 if ($operation == 'download' || $operation == 'view') {
24 if (\Drupal::service('file_system')->uriScheme($entity->getFileUri()) === 'public') {
25 // Always allow access to file in public file system.
26 return AccessResult::allowed();
28 elseif ($references = $this->getFileReferences($entity)) {
29 foreach ($references as $field_name => $entity_map) {
30 foreach ($entity_map as $referencing_entity_type => $referencing_entities) {
31 /** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */
32 foreach ($referencing_entities as $referencing_entity) {
33 $entity_and_field_access = $referencing_entity->access('view', $account, TRUE)->andIf($referencing_entity->$field_name->access('view', $account, TRUE));
34 if ($entity_and_field_access->isAllowed()) {
35 return $entity_and_field_access;
41 elseif ($entity->getOwnerId() == $account->id()) {
42 // This case handles new nodes, or detached files. The user who uploaded
43 // the file can access it even if it's not yet used.
44 if ($account->isAnonymous()) {
45 // For anonymous users, only the browser session that uploaded the
46 // file is positively allowed access to it. See file_save_upload().
47 // @todo Implement \Drupal\Core\Entity\EntityHandlerInterface so that
48 // services can be more properly injected.
49 $allowed_fids = \Drupal::service('session')->get('anonymous_allowed_file_ids', []);
50 if (!empty($allowed_fids[$entity->id()])) {
51 return AccessResult::allowed();
55 return AccessResult::allowed();
60 if ($operation == 'delete' || $operation == 'update') {
61 $account = $this->prepareUser($account);
62 $file_uid = $entity->get('uid')->getValue();
63 // Only the file owner can delete and update the file entity.
64 if ($account->id() == $file_uid[0]['target_id']) {
65 return AccessResult::allowed();
67 return AccessResult::forbidden();
71 return AccessResult::neutral();
75 * Wrapper for file_get_file_references().
77 * @param \Drupal\file\FileInterface $file
78 * The file object for which to get references.
81 * A multidimensional array. The keys are field_name, entity_type,
82 * entity_id and the value is an entity referencing this file.
84 * @see file_get_file_references()
86 protected function getFileReferences(FileInterface $file) {
87 return file_get_file_references($file, NULL, EntityStorageInterface::FIELD_LOAD_REVISION, NULL);
93 protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
94 // Deny access to fields that should only be set on file creation, and
95 // "status" which should only be changed based on a file's usage.
96 $create_only_fields = [
101 // The operation is 'edit' when the entity is being created or updated.
102 // Determine if the entity is being updated by checking if it is new.
103 $field_name = $field_definition->getName();
104 if ($operation === 'edit' && $items && ($entity = $items->getEntity()) && !$entity->isNew() && in_array($field_name, $create_only_fields, TRUE)) {
105 return AccessResult::forbidden();
107 // Regardless of whether the entity exists access should be denied to the
108 // status field as this is managed via other APIs, for example:
109 // - \Drupal\file\FileUsage\FileUsageBase::add()
110 // - \Drupal\file\Plugin\EntityReferenceSelection\FileSelection::createNewEntity()
111 if ($operation === 'edit' && $field_name === 'status') {
112 return AccessResult::forbidden();
114 return parent::checkFieldAccess($operation, $field_definition, $account, $items);
120 protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
121 // The file entity has no "create" permission because by default Drupal core
122 // does not allow creating file entities independently. It allows you to
123 // create file entities that are referenced from another entity
124 // (e.g. an image for a article). A contributed module is free to alter
125 // this to allow file entities to be created directly.
126 // @todo Update comment to mention REST module when
127 // https://www.drupal.org/node/1927648 is fixed.
128 return AccessResult::neutral();