diff --git a/core/core.services.yml b/core/core.services.yml index 8a24ee7..0026104 100644 --- a/core/core.services.yml +++ b/core/core.services.yml @@ -382,15 +382,17 @@ services: - [setRequest, ['@?request']] access_manager: class: Drupal\Core\Access\AccessManager - arguments: ['@router.route_provider', '@url_generator', '@paramconverter_manager'] + arguments: ['@router.route_provider', '@url_generator', '@paramconverter_manager', '@current_user'] calls: - [setContainer, ['@service_container']] - [setRequest, ['@?request']] + scope: request access_subscriber: class: Drupal\Core\EventSubscriber\AccessSubscriber tags: - { name: event_subscriber } arguments: ['@access_manager'] + scope: request access_check.default: class: Drupal\Core\Access\DefaultAccessCheck tags: diff --git a/core/includes/menu.inc b/core/includes/menu.inc index d205ac0..a31e892 100644 --- a/core/includes/menu.inc +++ b/core/includes/menu.inc @@ -970,6 +970,7 @@ function _menu_link_translate(&$item, $translate = FALSE) { function menu_item_route_access(Route $route, $href, &$map) { $request = Request::create('/' . $href); $request->attributes->set('_system_path', $href); + $request->attributes->set('_account', Drupal::request()->attributes->get('_account')); // Attempt to match this path to provide a fully built request to the // access checker. try { diff --git a/core/lib/Drupal/Core/Access/AccessInterface.php b/core/lib/Drupal/Core/Access/AccessInterface.php index f555ecb..b79a549 100644 --- a/core/lib/Drupal/Core/Access/AccessInterface.php +++ b/core/lib/Drupal/Core/Access/AccessInterface.php @@ -7,6 +7,7 @@ namespace Drupal\Core\Access; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; 
@@ -47,12 +48,14 @@ * The route to check against. * @param \Symfony\Component\HttpFoundation\Request $request * The request object. + * @param \Drupal\Core\Session\AccountInterface $account + * The currently logged in account. * * @return mixed * TRUE if access is allowed. * FALSE if not. * NULL if no opinion. */ - public function access(Route $route, Request $request); + public function access(Route $route, Request $request, AccountInterface $account); } diff --git a/core/lib/Drupal/Core/Access/AccessManager.php b/core/lib/Drupal/Core/Access/AccessManager.php index a3b6191..00c981c 100644 --- a/core/lib/Drupal/Core/Access/AccessManager.php +++ b/core/lib/Drupal/Core/Access/AccessManager.php @@ -9,6 +9,7 @@ use Drupal\Core\ParamConverter\ParamConverterManager; use Drupal\Core\Routing\RouteProviderInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Generator\UrlGeneratorInterface; use Symfony\Component\Routing\RouteCollection; use Symfony\Component\Routing\Route; @@ -83,6 +84,13 @@ class AccessManager extends ContainerAware { protected $request; /** + * The current user. + * + * @var \Drupal\Core\Session\AccountInterface + */ + protected $account; + + /** * Constructs a AccessManager instance. * * @param \Drupal\Core\Routing\RouteProviderInterface $route_provider 
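Review bot: The new `@param` text on `AccessInterface::access()` describes `$account` as "The currently logged in account", which understates the contract. The argument is the account the check must evaluate, and implementations should decide on it rather than fall back to a global user. I would word it as `The account for which access is being checked.` Adding a required parameter to the interface also breaks every implementer not touched by this patch, so it deserves a note for implementers.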
@@ -91,11 +99,14 @@ class AccessManager extends ContainerAware { * The url generator. * @param \Drupal\Core\ParamConverter\ParamConverterManager $paramconverter_manager * The param converter manager. + * @param \Drupal\Core\Session\AccountInterface $account + * The current user. */ - public function __construct(RouteProviderInterface $route_provider, UrlGeneratorInterface $url_generator, ParamConverterManager $paramconverter_manager) { + public function __construct(RouteProviderInterface $route_provider, UrlGeneratorInterface $url_generator, ParamConverterManager $paramconverter_manager, AccountInterface $account) { $this->routeProvider = $route_provider; $this->urlGenerator = $url_generator; $this->paramConverterManager = $paramconverter_manager; + $this->account = $account; } /** @@ -193,7 +204,6 @@ public function checkNamedRoute($route_name, array $parameters = array(), Reques // Create a request and copy the account from the current request. $route_request = Request::create($this->urlGenerator->generate($route_name, $parameters)); $defaults = $parameters; - $defaults['_account'] = $this->request->attributes->get('_account'); $defaults[RouteObjectInterface::ROUTE_OBJECT] = $route; $route_request->attributes->add($this->paramConverterManager->enhance($defaults, $route_request)); } @@ -225,7 +235,6 @@ public function checkNamedRoute($route_name, array $parameters = array(), Reques */ public function check(Route $route, Request $request) { $checks = $route->getOption('_access_checks') ?: array(); - $conjunction = $route->getOption('_access_mode') ?: 'ANY'; if ($conjunction == 'ALL') { @@ -257,7 +266,7 @@ protected function checkAll(array $checks, Route $route, Request $request) { $this->loadCheck($service_id); } - $service_access = $this->checks[$service_id]->access($route, $request); + $service_access = $this->checks[$service_id]->access($route, $request, $this->account); if ($service_access === AccessInterface::ALLOW) { $access = TRUE; } 
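Review bot: In `checkNamedRoute()` the line that copied `_account` into `$defaults` is removed, but the comment above it still says the account is copied from the current request, and the generated `$route_request` no longer carries an `_account` attribute. Any access check that still reads `$request->attributes->get('_account')` would receive NULL on this path, which could end in an error or a wrong decision depending on how the check handles it. The menu.inc hunk in this same patch keeps setting `_account` on its sub-request, so the two paths now disagree. Either keep the attribute here until every reader is converted or drop it in both places, and change the comment to `// Create a request for the route being checked.`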
@@ -293,7 +302,7 @@ protected function checkAny(array $checks, $route, $request) { $this->loadCheck($service_id); } - $service_access = $this->checks[$service_id]->access($route, $request); + $service_access = $this->checks[$service_id]->access($route, $request, $this->account); if ($service_access === AccessInterface::ALLOW) { $access = TRUE; } diff --git a/core/lib/Drupal/Core/Access/DefaultAccessCheck.php b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php index 46f8a63..123fc5d 100644 --- a/core/lib/Drupal/Core/Access/DefaultAccessCheck.php +++ b/core/lib/Drupal/Core/Access/DefaultAccessCheck.php @@ -7,6 +7,7 @@ namespace Drupal\Core\Access; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -25,7 +26,7 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { if ($route->getRequirement('_access') === 'TRUE') { return static::ALLOW; } diff --git a/core/lib/Drupal/Core/Entity/EntityAccessCheck.php b/core/lib/Drupal/Core/Entity/EntityAccessCheck.php index bce3a9e..01c4113 100644 --- a/core/lib/Drupal/Core/Entity/EntityAccessCheck.php +++ b/core/lib/Drupal/Core/Entity/EntityAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\Core\Entity; use Drupal\Core\Entity\EntityInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; use Drupal\Core\Access\StaticAccessCheckInterface; 
@@ -37,7 +38,7 @@ public function appliesTo() { * @endcode * Available operations are 'view', 'update', 'create', and 'delete'. */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { // Split the entity type and the operation. $requirement = $route->getRequirement('_entity_access'); list($entity_type, $operation) = explode('.', $requirement); @@ -45,7 +46,7 @@ public function access(Route $route, Request $request) { if ($request->attributes->has($entity_type)) { $entity = $request->attributes->get($entity_type); if ($entity instanceof EntityInterface) { - return $entity->access($operation); + return $entity->access($operation, $account); } } // No opinion, so other access checks should decide if access should be diff --git a/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php b/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php index 2630034..22d7b6f 100644 --- a/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php +++ b/core/lib/Drupal/Core/Entity/EntityCreateAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\Core\Entity; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; @@ -50,9 +51,9 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { list($entity_type, $bundle) = explode(':', $route->getRequirement($this->requirementsKey) . ':'); - return $this->entityManager->getAccessController($entity_type)->createAccess($bundle); + return $this->entityManager->getAccessController($entity_type)->createAccess($bundle, $account); } } 
diff --git a/core/modules/aggregator/lib/Drupal/aggregator/Access/CategoriesAccessCheck.php b/core/modules/aggregator/lib/Drupal/aggregator/Access/CategoriesAccessCheck.php index 2429572..daaf5b5 100644 --- a/core/modules/aggregator/lib/Drupal/aggregator/Access/CategoriesAccessCheck.php +++ b/core/modules/aggregator/lib/Drupal/aggregator/Access/CategoriesAccessCheck.php @@ -9,6 +9,7 @@ use Drupal\Core\Access\StaticAccessCheckInterface; use Drupal\Core\Database\Connection; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; @@ -44,10 +45,8 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { - // @todo Replace user_access() with a correctly injected and session-using - // alternative. - return user_access('access news feeds') && (bool) $this->database->queryRange('SELECT 1 FROM {aggregator_category}', 0, 1)->fetchField(); + public function access(Route $route, Request $request, AccountInterface $account) { + return $account->hasPermission('access news feeds') && (bool) $this->database->queryRange('SELECT 1 FROM {aggregator_category}', 0, 1)->fetchField(); } } diff --git a/core/modules/block/lib/Drupal/block/Access/BlockThemeAccessCheck.php b/core/modules/block/lib/Drupal/block/Access/BlockThemeAccessCheck.php index b5ca0b2..6eb53db 100644 --- a/core/modules/block/lib/Drupal/block/Access/BlockThemeAccessCheck.php +++ b/core/modules/block/lib/Drupal/block/Access/BlockThemeAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\block\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; 
@@ -26,9 +27,9 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $theme = $request->attributes->get('theme'); - return user_access('administer blocks') && drupal_theme_access($theme); + return $account->hasPermission('administer blocks') && drupal_theme_access($theme); } } diff --git a/core/modules/edit/lib/Drupal/edit/Access/EditEntityAccessCheck.php b/core/modules/edit/lib/Drupal/edit/Access/EditEntityAccessCheck.php index bce4160..da3df51 100644 --- a/core/modules/edit/lib/Drupal/edit/Access/EditEntityAccessCheck.php +++ b/core/modules/edit/lib/Drupal/edit/Access/EditEntityAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\edit\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; @@ -29,7 +30,7 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { // @todo Request argument validation and object loading should happen // elsewhere in the request processing pipeline: // http://drupal.org/node/1798214. diff --git a/core/modules/edit/lib/Drupal/edit/Access/EditEntityFieldAccessCheck.php b/core/modules/edit/lib/Drupal/edit/Access/EditEntityFieldAccessCheck.php index 9559be7..8590987 100644 --- a/core/modules/edit/lib/Drupal/edit/Access/EditEntityFieldAccessCheck.php +++ b/core/modules/edit/lib/Drupal/edit/Access/EditEntityFieldAccessCheck.php 
@@ -9,6 +9,7 @@ use Drupal\Core\Access\StaticAccessCheckInterface; use Drupal\edit\Access\EditEntityFieldAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; @@ -29,7 +30,7 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { // @todo Request argument validation and object loading should happen // elsewhere in the request processing pipeline: // http://drupal.org/node/1798214. diff --git a/core/modules/field_ui/lib/Drupal/field_ui/Access/FormModeAccessCheck.php b/core/modules/field_ui/lib/Drupal/field_ui/Access/FormModeAccessCheck.php index 871db1f..d63f7d9 100644 --- a/core/modules/field_ui/lib/Drupal/field_ui/Access/FormModeAccessCheck.php +++ b/core/modules/field_ui/lib/Drupal/field_ui/Access/FormModeAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\field_ui\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,7 +27,7 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { if ($entity_type = $request->attributes->get('entity_type')) { $bundle = $request->attributes->get('bundle'); $form_mode = $request->attributes->get('mode'); @@ -35,7 +36,7 @@ public function access(Route $route, Request $request) { $visibility = ($form_mode == 'default') || !empty($form_mode_settings[$form_mode]['status']); if ($visibility) { $permission = $route->getRequirement('_field_ui_form_mode_access'); - return user_access($permission); + return $account->hasPermission($permission); } } } 
diff --git a/core/modules/field_ui/lib/Drupal/field_ui/Access/ViewModeAccessCheck.php b/core/modules/field_ui/lib/Drupal/field_ui/Access/ViewModeAccessCheck.php index e0c3c92..2b1ebf3 100644 --- a/core/modules/field_ui/lib/Drupal/field_ui/Access/ViewModeAccessCheck.php +++ b/core/modules/field_ui/lib/Drupal/field_ui/Access/ViewModeAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\field_ui\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,7 +27,7 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { if ($entity_type = $request->attributes->get('entity_type')) { $bundle = $request->attributes->get('bundle'); $view_mode = $request->attributes->get('mode'); @@ -35,7 +36,7 @@ public function access(Route $route, Request $request) { $visibility = ($view_mode == 'default') || !empty($view_mode_settings[$view_mode]['status']); if ($visibility) { $permission = $route->getRequirement('_field_ui_view_mode_access'); - return user_access($permission); + return $account->hasPermission($permission); } } } diff --git a/core/modules/filter/lib/Drupal/filter/Access/FilterAccessCheck.php b/core/modules/filter/lib/Drupal/filter/Access/FilterAccessCheck.php index 25918e8..8902e24 100644 --- a/core/modules/filter/lib/Drupal/filter/Access/FilterAccessCheck.php +++ b/core/modules/filter/lib/Drupal/filter/Access/FilterAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\filter\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; 
@@ -26,7 +27,7 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { if ($format = $request->attributes->get('filter_format')) { // Handle special cases up front. All users have access to the fallback // format. @@ -37,7 +38,7 @@ public function access(Route $route, Request $request) { // Check the permission if one exists; otherwise, we have a non-existent // format so we return FALSE. $permission = filter_permission_name($format); - return !empty($permission) && user_access($permission); + return !empty($permission) && $account->hasPermission($permission); } } } diff --git a/core/modules/filter/lib/Drupal/filter/Access/FormatDisableCheck.php b/core/modules/filter/lib/Drupal/filter/Access/FormatDisableCheck.php index 1f905bb..1228768 100644 --- a/core/modules/filter/lib/Drupal/filter/Access/FormatDisableCheck.php +++ b/core/modules/filter/lib/Drupal/filter/Access/FormatDisableCheck.php @@ -8,6 +8,7 @@ namespace Drupal\filter\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,9 +27,9 @@ public function appliesTo() { /** * Implements \Drupal\Core\Access\AccessCheckInterface::access(). */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { if ($format = $request->attributes->get('filter_format')) { - return user_access('administer filters') && ($format->format != filter_fallback_format()); + return $account->hasPermission('administer filters') && ($format->format != filter_fallback_format()); } return FALSE; diff --git a/core/modules/node/lib/Drupal/node/Access/NodeRevisionAccessCheck.php b/core/modules/node/lib/Drupal/node/Access/NodeRevisionAccessCheck.php index aca491d..5e15cd3 100644 
--- a/core/modules/node/lib/Drupal/node/Access/NodeRevisionAccessCheck.php +++ b/core/modules/node/lib/Drupal/node/Access/NodeRevisionAccessCheck.php @@ -72,9 +72,9 @@ public function applies(Route $route) { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $revision = $this->nodeStorage->loadRevision($request->attributes->get('node_revision')); - return $this->checkAccess($revision, $route->getRequirement('_access_node_revision')) ? static::ALLOW : static::DENY; + return $this->checkAccess($revision, $account, $route->getRequirement('_access_node_revision')) ? static::ALLOW : static::DENY; } /** @@ -82,12 +82,11 @@ public function access(Route $route, Request $request) { * * @param \Drupal\node\NodeInterface $node * The node to check. + * @param \Drupal\Core\Session\AccountInterface $account + * A user object representing the user for whom the operation is + * to be performed. * @param string $op * (optional) The specific operation being checked. Defaults to 'view.' - * @param \Drupal\Core\Session\AccountInterface|null $account - * (optional) A user object representing the user for whom the operation is - * to be performed. Determines access for a user other than the current user. - * Defaults to NULL. * @param string|null $langcode * (optional) Language code for the variant of the node. Different language * variants might have different permissions associated. If NULL, the @@ -96,7 +95,7 @@ public function access(Route $route, Request $request) { * @return bool * TRUE if the operation may be performed, FALSE otherwise. */ - public function checkAccess(NodeInterface $node, $op = 'view', AccountInterface $account = NULL, $langcode = NULL) { + public function checkAccess(NodeInterface $node, AccountInterface $account, $op = 'view', $langcode = NULL) { $map = array( 'view' => 'view all revisions', 'update' => 'revert all revisions', 
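Review bot: `checkAccess()` is public and its positional order changes from `($node, $op, $account, $langcode)` to `($node, $account, $op, $langcode)`, so any caller not updated in this patch now passes the operation string where the account is expected. The `AccountInterface` type hint makes that fail loudly instead of silently checking the wrong principal, which is the right failure mode, but only `_node_revision_access()` is visibly updated here. It is worth searching for remaining callers before merge. The body of `checkAccess()` continues outside the hunk.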
@@ -115,10 +114,6 @@ public function checkAccess(NodeInterface $node, $op = 'view', AccountInterface return FALSE; } - if (!isset($account)) { - $account = $GLOBALS['user']; - } - // If no language code was provided, default to the node revision's langcode. if (empty($langcode)) { $langcode = $node->language()->id; diff --git a/core/modules/node/node.module b/core/modules/node/node.module index 44f60e7..6c8b008 100644 --- a/core/modules/node/node.module +++ b/core/modules/node/node.module @@ -1075,7 +1075,7 @@ function theme_node_search_admin($variables) { * @see node_menu() */ function _node_revision_access(EntityInterface $node, $op = 'view', $account = NULL, $langcode = NULL) { - return Drupal::service('access_check.node.revision')->checkAccess($node, $op, $account, $langcode); + return Drupal::service('access_check.node.revision')->checkAccess($node, $account ?: \Drupal::currentUser(), $op, $langcode); } /** diff --git a/core/modules/overlay/lib/Drupal/overlay/Access/DismissMessageAccessCheck.php b/core/modules/overlay/lib/Drupal/overlay/Access/DismissMessageAccessCheck.php index fca139c..3bd55c7 100644 --- a/core/modules/overlay/lib/Drupal/overlay/Access/DismissMessageAccessCheck.php +++ b/core/modules/overlay/lib/Drupal/overlay/Access/DismissMessageAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\overlay\Access; use Drupal\Core\Access\AccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,8 +27,7 @@ public function applies(Route $route) { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { - $account = $request->attributes->get('_account'); + public function access(Route $route, Request $request, AccountInterface $account) { if (!user_access('access overlay', $account)) { return static::DENY; } 
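Review bot: `DismissMessageAccessCheck::access()` still calls `user_access('access overlay', $account)` while the other checks converted in this patch ask the account object directly. `if (!$account->hasPermission('access overlay')) {` keeps the decision on the injected account and drops the dependency on the procedural helper. The rest of the method lies outside the hunk.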
diff --git a/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php b/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php index 0d9dd87..19d05be 100644 --- a/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php +++ b/core/modules/rest/lib/Drupal/rest/Access/CSRFAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\rest\Access; use Drupal\Core\Access\AccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -42,7 +43,7 @@ public function applies(Route $route) { /** * Implements AccessCheckInterface::access(). */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $method = $request->getMethod(); $cookie = $request->cookies->get(session_name(), FALSE); // This check only applies if @@ -50,7 +51,7 @@ public function access(Route $route, Request $request) { // 2. the user was successfully authenticated and // 3. the request comes with a session cookie. if (!in_array($method, array('GET', 'HEAD', 'OPTIONS', 'TRACE')) - && $GLOBALS['user']->isAuthenticated() + && $account->isAuthenticated() && $cookie ) { $csrf_token = $request->headers->get('X-CSRF-Token'); diff --git a/core/modules/shortcut/lib/Drupal/shortcut/Access/LinkDeleteAccessCheck.php b/core/modules/shortcut/lib/Drupal/shortcut/Access/LinkDeleteAccessCheck.php index 6fad35c..1eaa9dd 100644 --- a/core/modules/shortcut/lib/Drupal/shortcut/Access/LinkDeleteAccessCheck.php +++ b/core/modules/shortcut/lib/Drupal/shortcut/Access/LinkDeleteAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\shortcut\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; 
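Review bot: The CSRF gate in `CSRFAccessCheck::access()` now combines two sources: `$account->isAuthenticated()` comes from the account handed in by the access manager, while `$cookie` and the `X-CSRF-Token` header come from `$request`. If the manager is ever asked about a request other than the live one, these can describe different principals, and the token check is skipped whenever the account is not authenticated or the cookie is absent. A comment on the condition would make the assumption explicit, e.g. `// $account must be the user that the session cookie in $request belongs to.` The token validation itself is outside the hunk.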
@@ -26,7 +27,7 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $menu_link = $request->attributes->get('menu_link'); $set_name = str_replace('shortcut-', '', $menu_link['menu_name']); if ($shortcut_set = shortcut_set_load($set_name)) { diff --git a/core/modules/system/lib/Drupal/system/Access/CronAccessCheck.php b/core/modules/system/lib/Drupal/system/Access/CronAccessCheck.php index 9c12bd0..785f026 100644 --- a/core/modules/system/lib/Drupal/system/Access/CronAccessCheck.php +++ b/core/modules/system/lib/Drupal/system/Access/CronAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\system\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,7 +27,7 @@ public function appliesTo() { /** * Implements AccessCheckInterface::access(). */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $key = $request->attributes->get('key'); if ($key != \Drupal::state()->get('system.cron_key')) { watchdog('cron', 'Cron could not run because an invalid key was used.', array(), WATCHDOG_NOTICE); diff --git a/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/DefinedTestAccessCheck.php b/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/DefinedTestAccessCheck.php index f2cc4d9..7abafd4 100644 --- a/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/DefinedTestAccessCheck.php +++ b/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/DefinedTestAccessCheck.php 
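Review bot: `CronAccessCheck::access()` compares the cron key with `$key != \Drupal::state()->get('system.cron_key')`, a loose comparison on a secret; the line is untouched context, but the patch is already editing this method. With `!=` PHP compares numeric-looking strings by value, so two different strings can be treated as equal; `if ($key !== \Drupal::state()->get('system.cron_key')) {` avoids that. A constant-time string comparison would be better still where the supported PHP version offers one. `$account` is unused in the visible lines, which looks intended since cron is authorised by key and not by user.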
@@ -8,6 +8,7 @@ namespace Drupal\router_test\Access; use Drupal\Core\Access\AccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; @@ -26,7 +27,7 @@ public function applies(Route $route) { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { if ($route->getRequirement('_test_access') === 'TRUE') { return static::ALLOW; } diff --git a/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/TestAccessCheck.php b/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/TestAccessCheck.php index f615600..a1fd042 100644 --- a/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/TestAccessCheck.php +++ b/core/modules/system/tests/modules/router_test/lib/Drupal/router_test/Access/TestAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\router_test\Access; use Drupal\Core\Access\AccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,7 +27,7 @@ public function applies(Route $route) { /** * Implements AccessCheckInterface::access(). */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { // No opinion, so other access checks should decide if access should be // allowed or not. return NULL; diff --git a/core/modules/taxonomy/lib/Drupal/taxonomy/Access/TaxonomyTermCreateAccess.php b/core/modules/taxonomy/lib/Drupal/taxonomy/Access/TaxonomyTermCreateAccess.php index b6305e6..c7a480a 100644 --- a/core/modules/taxonomy/lib/Drupal/taxonomy/Access/TaxonomyTermCreateAccess.php +++ b/core/modules/taxonomy/lib/Drupal/taxonomy/Access/TaxonomyTermCreateAccess.php 
@@ -8,6 +8,7 @@ namespace Drupal\taxonomy\Access; use Drupal\Core\Entity\EntityCreateAccessCheck; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; @@ -24,12 +25,12 @@ class TaxonomyTermCreateAccess extends EntityCreateAccessCheck { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $entity_type = $route->getRequirement($this->requirementsKey); if ($vocabulary = $request->attributes->get('taxonomy_vocabulary')) { return $this->entityManager->getAccessController($entity_type)->createAccess($vocabulary->id()); } - return parent::access($route, $request); + return parent::access($route, $request, $account); } } diff --git a/core/modules/toolbar/lib/Drupal/toolbar/Access/SubtreeAccess.php b/core/modules/toolbar/lib/Drupal/toolbar/Access/SubtreeAccess.php index f61add9..abe0f0a 100644 --- a/core/modules/toolbar/lib/Drupal/toolbar/Access/SubtreeAccess.php +++ b/core/modules/toolbar/lib/Drupal/toolbar/Access/SubtreeAccess.php @@ -8,6 +8,7 @@ namespace Drupal\toolbar\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; @@ -26,9 +27,9 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $hash = $request->get('hash'); - if (user_access('access toolbar') && ($hash == _toolbar_get_subtree_hash())) { + if ($account->hasPermission('access toolbar') && ($hash == _toolbar_get_subtree_hash())) { return TRUE; } else { diff --git a/core/modules/user/lib/Drupal/user/Access/LoginStatusCheck.php b/core/modules/user/lib/Drupal/user/Access/LoginStatusCheck.php index de92fc4..114d329 100644 
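Review bot: In `TaxonomyTermCreateAccess::access()` the vocabulary branch still calls `createAccess($vocabulary->id())` without the account, while the parent implementation in this patch passes it as `createAccess($bundle, $account)`. As written, the vocabulary path presumably evaluates create access for the access controller's default user instead of `$account`. `return $this->entityManager->getAccessController($entity_type)->createAccess($vocabulary->id(), $account);` makes both paths check the same principal.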
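Review bot: `SubtreeAccess::access()` checks the permission on `$account` but compares the request hash with `==` against `_toolbar_get_subtree_hash()`, which is called without an account argument. Loose comparison lets numeric-looking strings compare equal by value; `$hash === _toolbar_get_subtree_hash()` is the safer form, assuming the helper returns a string. If the helper derives the hash from the global user it should also be told which account to use, but its body is not visible here.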
--- a/core/modules/user/lib/Drupal/user/Access/LoginStatusCheck.php +++ b/core/modules/user/lib/Drupal/user/Access/LoginStatusCheck.php @@ -8,6 +8,7 @@ namespace Drupal\user\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,8 +27,8 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { - return (bool) $GLOBALS['user']->id(); + public function access(Route $route, Request $request, AccountInterface $account) { + return $account->isAuthenticated(); } } diff --git a/core/modules/user/lib/Drupal/user/Access/PermissionAccessCheck.php b/core/modules/user/lib/Drupal/user/Access/PermissionAccessCheck.php index f175653..b9d084e 100644 --- a/core/modules/user/lib/Drupal/user/Access/PermissionAccessCheck.php +++ b/core/modules/user/lib/Drupal/user/Access/PermissionAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\user\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,11 +27,9 @@ public function appliesTo() { /** * Implements AccessCheckInterface::access(). */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { $permission = $route->getRequirement('_permission'); - // @todo Replace user_access() with a correctly injected and session-using - // alternative. - // If user_access() fails, return NULL to give other checks a chance. - return user_access($permission) ? static::ALLOW : static::DENY; + // If the access check fails, return NULL to give other checks a chance. + return $account->hasPermission($permission) ? static::ALLOW : static::DENY; } } 
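Review bot: The rewritten comment in `PermissionAccessCheck::access()` says a failed check returns NULL to give other checks a chance, but the return statement yields `static::DENY`. The difference matters to how the access manager combines results from several checks, so the comment should match whichever behaviour is intended. If the explicit denial is intended, `// Deny explicitly when the account lacks the permission.` describes the code as it stands.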
diff --git a/core/modules/user/lib/Drupal/user/Access/RegisterAccessCheck.php b/core/modules/user/lib/Drupal/user/Access/RegisterAccessCheck.php index 1fb0688..193cdf4 100644 --- a/core/modules/user/lib/Drupal/user/Access/RegisterAccessCheck.php +++ b/core/modules/user/lib/Drupal/user/Access/RegisterAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\user\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\Routing\Route; use Symfony\Component\HttpFoundation\Request; @@ -26,7 +27,7 @@ public function appliesTo() { /** * Implements AccessCheckInterface::access(). */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { return user_is_anonymous() && (\Drupal::config('user.settings')->get('register') != USER_REGISTER_ADMINISTRATORS_ONLY); } } diff --git a/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php b/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php index 5485a9b..0253a42 100644 --- a/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php +++ b/core/modules/user/lib/Drupal/user/Access/RoleAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\user\Access; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; @@ -30,12 +31,10 @@ public function appliesTo() { /** * {@inheritdoc} */ - public function access(Route $route, Request $request) { + public function access(Route $route, Request $request, AccountInterface $account) { // Requirements just allow strings, so this might be a comma separated list. $rid_string = $route->getRequirement('_role'); - $account = $request->attributes->get('_account'); - $explode_and = array_filter(array_map('trim', explode('+', $rid_string))); if (count($explode_and) > 1) { $diff = array_diff($explode_and, $account->getRoles()); 
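Review bot: `RegisterAccessCheck::access()` now receives `$account` but still decides with `user_is_anonymous()`, which presumably reads the global user and not the injected one. `return !$account->isAuthenticated() && (\Drupal::config('user.settings')->get('register') != USER_REGISTER_ADMINISTRATORS_ONLY);` keeps the check on the account being evaluated, in line with `LoginStatusCheck` in this patch.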
diff --git a/core/modules/views/lib/Drupal/views/ViewsAccessCheck.php b/core/modules/views/lib/Drupal/views/ViewsAccessCheck.php index 8d6c962..e6bf73f 100644 --- a/core/modules/views/lib/Drupal/views/ViewsAccessCheck.php +++ b/core/modules/views/lib/Drupal/views/ViewsAccessCheck.php @@ -8,6 +8,7 @@ namespace Drupal\views; use Drupal\Core\Access\StaticAccessCheckInterface; +use Drupal\Core\Session\AccountInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Route; @@ -28,8 +29,8 @@ public function appliesTo() { /** * Implements AccessCheckInterface::applies(). */ - public function access(Route $route, Request $request) { - $access = user_access('access all views'); + public function access(Route $route, Request $request, AccountInterface $account) { + $access = $account->hasPermission('access all views'); return $access ?: NULL; } diff --git a/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php b/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php index 097cdd3..bfc6c0c 100644 --- a/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php +++ b/core/tests/Drupal/Tests/Core/Access/AccessManagerTest.php @@ -70,6 +70,13 @@ class AccessManagerTest extends UnitTestCase { */ protected $paramConverter; + /** + * The mocked account. + * + * @var \Drupal\Core\Session\AccountInterface|\PHPUnit_Framework_MockObject_MockObject + */ + protected $account; + public static function getInfo() { return array( 'name' => 'Access manager tests', 
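Review bot: The docblock on `ViewsAccessCheck::access()` reads "Implements AccessCheckInterface::applies()", which names the wrong method. `{@inheritdoc}` would match the other checks touched here. A line noting that the method returns NULL, not FALSE, when the account lacks 'access all views' would also help, since that leaves the decision to the other checks on the route.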
@@ -115,7 +122,9 @@ protected function setUp() {
 $this->paramConverter = $this->getMock('\Drupal\Core\ParamConverter\ParamConverterManager');
- $this->accessManager = new AccessManager($this->routeProvider, $this->urlGenerator, $this->paramConverter);
+ $this->account = $this->getMock('Drupal\Core\Session\AccountInterface');
+
+ $this->accessManager = new AccessManager($this->routeProvider, $this->urlGenerator, $this->paramConverter, $this->account);
 $this->accessManager->setContainer($this->container);
 }
@@ -326,8 +335,7 @@ public function testCheckNamedRoute() {
 $this->assertTrue($this->accessManager->checkNamedRoute('test_route_4', array(), $request));
 // Tests the access with routes without given request.
- $account = $this->getMock('Drupal\Core\Session\AccountInterface');
- $this->accessManager->setRequest(new Request(array(), array(), array('_account' => $account)));
+ $this->accessManager->setRequest(new Request());
 $this->paramConverter->expects($this->at(0))
 ->method('enhance')
@@ -381,9 +389,9 @@ public function testCheckNamedRouteWithUpcastedValues() {
 ->with('/test-route-1/example')
 ->will($this->returnValue($subrequest));
- $this->accessManager = new AccessManager($this->routeProvider, $this->urlGenerator, $this->paramConverter);
+ $this->accessManager = new AccessManager($this->routeProvider, $this->urlGenerator, $this->paramConverter, $this->account);
 $this->accessManager->setContainer($this->container);
- $this->accessManager->setRequest(new Request(array(), array(), array('_account' => $account)));
+ $this->accessManager->setRequest(new Request());
 $access_check = $this->getMock('Drupal\Core\Access\AccessCheckInterface');
 $access_check->expects($this->any())
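Review bot: In testCheckNamedRouteWithUpcastedValues() (third hunk, and likewise testCheckNamedRoute() in the second) nothing visible asserts that the manager forwards `$this->account` to the access checks, although the request no longer carries `_account` and the constructor argument is now the only source of the account. The mocked check is set up with `expects($this->any())` and the rest of that chain lies outside the hunk. If it does not already constrain the arguments, adding `->with($this->anything(), $this->anything(), $this->identicalTo($this->account))` would pin which account an access decision is made for. Without it, a regression that hands the checks a different or stale account would leave these tests green.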
@@ -446,7 +454,7 @@ protected static function convertAccessCheckInterfaceToString($constant) {
 * Adds a default access check service to the container and the access manager.
 */
 protected function setupAccessChecker() {
- $this->accessManager = new AccessManager($this->routeProvider, $this->urlGenerator, $this->paramConverter);
+ $this->accessManager = new AccessManager($this->routeProvider, $this->urlGenerator, $this->paramConverter, $this->account);
 $this->accessManager->setContainer($this->container);
 $access_check = new DefaultAccessCheck();
 $this->container->register('test_access_default', $access_check);
diff --git a/core/tests/Drupal/Tests/Core/Access/DefaultAccessCheckTest.php b/core/tests/Drupal/Tests/Core/Access/DefaultAccessCheckTest.php
index ab02aec..89c845a 100644
--- a/core/tests/Drupal/Tests/Core/Access/DefaultAccessCheckTest.php
+++ b/core/tests/Drupal/Tests/Core/Access/DefaultAccessCheckTest.php
@@ -26,6 +26,13 @@ class DefaultAccessCheckTest extends UnitTestCase {
 */
 protected $accessChecker;
+ /**
+ * The mocked account.
+ *
+ * @var \Drupal\Core\Session\AccountInterface|\PHPUnit_Framework_MockObject_MockObject
+ */
+ protected $account;
+
 public static function getInfo() {
 return array(
 'name' => 'DefaultAccessCheck access checker',
@@ -40,6 +47,7 @@ public static function getInfo() {
 protected function setUp() {
 parent::setUp();
+ $this->account = $this->getMock('Drupal\Core\Session\AccountInterface');
 $this->accessChecker = new DefaultAccessCheck();
 }
@@ -58,13 +66,13 @@ public function testAccess() {
 $request = new Request(array());
 $route = new Route('/test-route', array(), array('_access' => 'NULL'));
- $this->assertNull($this->accessChecker->access($route, $request));
+ $this->assertNull($this->accessChecker->access($route, $request, $this->account));
 $route = new Route('/test-route', array(), array('_access' => 'FALSE'));
- $this->assertFalse($this->accessChecker->access($route, $request));
+ $this->assertFalse($this->accessChecker->access($route, $request, $this->account));
 $route = new Route('/test-route', array(), array('_access' => 'TRUE'));
- $this->assertTrue($this->accessChecker->access($route, $request));
+ $this->assertTrue($this->accessChecker->access($route, $request, $this->account));
 }
 }
diff --git a/core/tests/Drupal/Tests/Core/Entity/EntityAccessCheckTest.php b/core/tests/Drupal/Tests/Core/Entity/EntityAccessCheckTest.php
index 18a5403..f57d38d 100644
--- a/core/tests/Drupal/Tests/Core/Entity/EntityAccessCheckTest.php
+++ b/core/tests/Drupal/Tests/Core/Entity/EntityAccessCheckTest.php
@@ -49,7 +49,8 @@ public function testAccess() {
 ->will($this->returnValue(TRUE));
 $access_check = new EntityAccessCheck();
 $request->attributes->set('node', $node);
- $access = $access_check->access($route, $request);
+ $account = $this->getMock('Drupal\Core\Session\AccountInterface');
+ $access = $access_check->access($route, $request, $account);
 $this->assertEquals(TRUE, $access);
 }
diff --git a/core/tests/Drupal/Tests/Core/Entity/EntityCreateAccessCheckTest.php b/core/tests/Drupal/Tests/Core/Entity/EntityCreateAccessCheckTest.php
index d5f50d0..5f4ec6b 100644
--- a/core/tests/Drupal/Tests/Core/Entity/EntityCreateAccessCheckTest.php
+++ b/core/tests/Drupal/Tests/Core/Entity/EntityCreateAccessCheckTest.php
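Review bot: In EntityAccessCheckTest::testAccess() (which begins above the hunk) the result is checked with `$this->assertEquals(TRUE, $access);`, a loose comparison that any truthy return value satisfies. Access results are tri-state (TRUE, FALSE, NULL), so `$this->assertSame(TRUE, $access);` states the intent exactly. The same applies to `assertEquals($expected, …)` in EntityCreateAccessCheckTest::testAccess() in the next file, where loose equality cannot tell NULL from FALSE, that is "no opinion" from a denial. `assertSame` would separate them, assuming the data provider supplies exact values.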
@@ -104,7 +104,9 @@ public function testAccess($entity_bundle, $requirement, $access, $expected) {
 $request = new Request();
- $this->assertEquals($expected, $applies_check->access($route, $request));
+ $account = $this->getMock('Drupal\Core\Session\AccountInterface');
+ $this->assertEquals($expected, $applies_check->access($route, $request, $account));
+
 }
 }
diff --git a/core/tests/Drupal/Tests/Core/Route/RoleAccessCheckTest.php b/core/tests/Drupal/Tests/Core/Route/RoleAccessCheckTest.php
index a745cc4..873ff0e 100644
--- a/core/tests/Drupal/Tests/Core/Route/RoleAccessCheckTest.php
+++ b/core/tests/Drupal/Tests/Core/Route/RoleAccessCheckTest.php
@@ -160,17 +160,15 @@ public function testRoleAccess($path, $grant_accounts, $deny_accounts) {
 foreach ($grant_accounts as $account) {
 $subrequest = Request::create($path, 'GET');
- $subrequest->attributes->set('_account', $account);
 $message = sprintf('Access granted for user with the roles %s on path: %s', implode(', ', $account->getRoles()), $path);
- $this->assertSame(AccessCheckInterface::ALLOW, $role_access_check->access($collection->get($path), $subrequest), $message);
+ $this->assertSame(AccessCheckInterface::ALLOW, $role_access_check->access($collection->get($path), $subrequest, $account), $message);
 }
 // Check all users which don't have access.
 foreach ($deny_accounts as $account) {
 $subrequest = Request::create($path, 'GET');
- $subrequest->attributes->set('_account', $account);
 $message = sprintf('Access denied for user %s with the roles %s on path: %s', $account->id(), implode(', ', $account->getRoles()), $path);
- $has_access = $role_access_check->access($collection->get($path), $subrequest);
+ $has_access = $role_access_check->access($collection->get($path), $subrequest, $account);
 $this->assertSame(AccessCheckInterface::DENY, $has_access , $message);
 }
 }