diff -u b/lib/Drupal/profile2/ProfileAccessController.php b/lib/Drupal/profile2/ProfileAccessController.php --- b/lib/Drupal/profile2/ProfileAccessController.php +++ b/lib/Drupal/profile2/ProfileAccessController.php @@ -7,8 +7,8 @@ namespace Drupal\profile2; +use Drupal\Core\Entity\EntityInterface; use Drupal\Core\Entity\EntityAccessControllerInterface; -use Drupal\profile2\Plugin\Core\Entity\Profile; use Drupal\user\Plugin\Core\Entity\User; /** @@ -26,14 +26,14 @@ /** * Implements EntityAccessControllerInterface::viewAccess(). */ - public function viewAccess(Profile $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { + public function viewAccess(EntityInterface $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { return $this->access($profile, 'view', $langcode, $account); } /** * Implements EntityAccessControllerInterface::createAccess(). */ - public function createAccess(Profile $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { + public function createAccess(EntityInterface $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { // Map to 'edit' access. return $this->access($profile, 'edit', $langcode, $account); } @@ -41,7 +41,7 @@ /** * Implements EntityAccessControllerInterface::updateAccess(). */ - public function updateAccess(Profile $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { + public function updateAccess(EntityInterface $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { // Map to 'edit' access. return $this->access($profile, 'edit', $langcode, $account); } 
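Review bot: With the type hint widened from `Profile` to `EntityInterface` on `viewAccess()` and `createAccess()` here (and on `updateAccess()`, `deleteAccess()` and `access()` in the following hunks), nothing in the visible code stops a non-profile entity from reaching the profile permission logic. The widening is presumably needed to match the interface signature, so the guard belongs in `access()`, whose body lies mostly outside these hunks. Adding `if (!$profile instanceof \Drupal\profile2\Plugin\Core\Entity\Profile) { return FALSE; }` as its first statement would make the controller fail closed. If the rest of `access()` already rejects other entity types, a one-line comment saying so is enough.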
@@ -49,14 +49,14 @@ /** * Implements EntityAccessControllerInterface::deleteAccess(). */ - public function deleteAccess(Profile $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { + public function deleteAccess(EntityInterface $profile, $langcode = LANGUAGE_DEFAULT, User $account = NULL) { return $this->access($profile, 'delete', $langcode, $account); } /** * Determines whether the given user has access to a profile. * - * @param \Drupal\profile2\Plugin\Core\Entity\Profile $profile + * @param \Drupal\Core\Entity\EntityInterface $profile * A profile to check access for. * @param string $operation * The operation being performed. One of 'view', 'create', 'update', or @@ -73,7 +73,7 @@ * @see hook_profile2_access() * @see profile2_profile2_access() */ - protected function access(Profile $profile, $operation, $langcode, User $account = NULL) { + protected function access(EntityInterface $profile, $operation, $langcode, User $account = NULL) { if (!isset($account)) { $account = entity_load('user', $GLOBALS['user']->uid); } diff -u b/profile2.module b/profile2.module --- b/profile2.module +++ b/profile2.module 
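Review bot: The `@param string $operation` text in the `access()` docblock lists 'view', 'create', 'update', …, but every wrapper in this file passes 'view', 'edit' or 'delete', and `createAccess()` and `updateAccess()` both map to 'edit'. Since the docblock is already being edited for the `$profile` type, I would correct it to `One of 'view', 'edit', or 'delete'.` Implementations of `hook_profile2_access()` (referenced by the `@see` line) presumably receive this value, and a hook written against the documented names would never match and so never apply its restriction. The list is cut off at the hunk edge, so check the remaining line before rewording.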
@@ -492,13 +492,19 @@ * Adds a checkbox for controlling field view access to fields added to * profiles. */ -function profile2_form_field_ui_field_edit_form_alter(&$form, &$form_state) { - if ($form['instance']['entity_type']['#value'] == 'profile2') { +function profile2_form_field_ui_field_settings_form_alter(&$form, &$form_state) { + // Only add the field setting if this field is attached to a profile entity + // bundle. + if (isset($form['#field']['bundles']['profile2'])) { $form['field']['settings']['profile2_private'] = array( '#type' => 'checkbox', - '#title' => t('Make the content of this field private'), + '#title' => t('Private field'), '#default_value' => !empty($form['#field']['settings']['profile2_private']), - '#description' => t('If checked, the content of this field is only shown to the profile owner and administrators.'), + // Only expose the setting when editing the settings for a field attached + // to a profile entity bundle. For other entity types, we just ensure that + // the existing value is retained. + '#access' => $form['#entity_type'] == 'profile2', + '#description' => t('Only show the field content to the profile owner and administrators.'), ); } } only in patch2: unchanged: --- /dev/null +++ b/lib/Drupal/profile2/Tests/ProfileFieldAccessTest.php 
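Review bot: The new `'#access' => $form['#entity_type'] == 'profile2'` line reads `$form['#entity_type']` without an `isset()` guard and compares loosely, unlike the `isset()` test a few lines above it. Using `'#access' => isset($form['#entity_type']) && $form['#entity_type'] === 'profile2',` avoids a notice on forms that do not set the key. Separately, `profile2_private` is stored in the field's settings, so a field shared with another entity type carries the flag there too while the checkbox is hidden on that side. The enforcement code is not in this hunk; confirm that it restricts viewing only on profile entities, and extend the inline comment to say so if it does.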
@@ -0,0 +1,101 @@
+ 'Field access',
+ 'description' => 'Tests profile field access functionality.',
+ 'group' => 'Profile2',
+ );
+ }
+
+ function setUp() {
+ parent::setUp();
+
+ $this->type = entity_create('profile2_type', array(
+ 'id' => 'personal',
+ 'label' => 'Personal data',
+ 'weight' => 0,
+ 'registration' => TRUE,
+ ));
+ $this->type->save();
+
+ $this->checkPermissions(array(), TRUE);
+ $this->admin_user = $this->drupalCreateUser(array(
+ 'access user profiles',
+ 'administer profile types',
+ 'bypass profile access',
+ ));
+ $user_permissions = array(
+ 'access user profiles',
+ 'edit own personal profile',
+ 'view any personal profile',
+ );
+ $this->web_user = $this->drupalCreateUser($user_permissions);
+ $this->other_user = $this->drupalCreateUser($user_permissions);
+ }
+
+ /**
+ * Tests private profile field access.
+ */
+ function testPrivateField() {
+ $id = $this->type->id();
+
+ $this->drupalLogin($this->admin_user);
+
+ // Create a private profile field.
+ $edit = array(
+ 'fields[_add_new_field][label]' => 'Secret',
+ 'fields[_add_new_field][field_name]' => 'secret',
+ 'fields[_add_new_field][type]' => 'text',
+ 'fields[_add_new_field][widget_type]' => 'text_textfield',
+ );
+ $this->drupalPost("admin/people/profiles/manage/$id/fields", $edit, t('Save'));
+
+ $edit = array(
+ 'field[settings][profile2_private]' => 1,
+ );
+ $this->drupalPost(NULL, $edit, t('Save field settings'));
+
+ $this->drupalPost(NULL, array(), t('Save settings'));
+
+ // Fill in a field value.
+ $this->drupalLogin($this->web_user);
+ $uid = $this->web_user->id();
+ $secret = $this->randomName();
+ $edit = array(
+ 'field_secret[und][0][value]' => $secret,
+ );
+ $this->drupalPost("user/$uid/edit/$id", $edit, t('Save'));
+
+ // Verify that the private field value appears for the profile owner.
+ $this->drupalGet("user/$uid");
+ $this->assertText($secret);
+
+ // Verify that the private field value appears for the administrator.
+ $this->drupalLogin($this->admin_user);
+ $this->drupalGet("user/$uid");
+ $this->assertText($secret);
+
+ // Verify that the private field value does not appear for other users.
+ $this->drupalLogin($this->other_user);
+ $this->drupalGet("user/$uid");
+ $this->assertNoText($secret);
+ }
+
+}
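Review bot: The final `assertNoText($secret)` for `other_user` in `testPrivateField()` has no positive control, so it also passes if the whole profile (or the whole page) fails to render for that user. That would hide a regression in which the private flag is ignored and something else blocks the output. Adding a second, non-private field and asserting that `other_user` sees it ties the denial to the field setting itself. The fence sketches the added lines; the field name `public` and the follow-up form submissions mirror the existing `secret` field and are otherwise my own choice.

```php
    // … unchanged: create the private 'secret' field as admin_user …

    // Create a second, non-private field as a control.
    $edit = array(
      'fields[_add_new_field][label]' => 'Public',
      'fields[_add_new_field][field_name]' => 'public',
      'fields[_add_new_field][type]' => 'text',
      'fields[_add_new_field][widget_type]' => 'text_textfield',
    );
    $this->drupalPost("admin/people/profiles/manage/$id/fields", $edit, t('Save'));
    $this->drupalPost(NULL, array(), t('Save field settings'));
    $this->drupalPost(NULL, array(), t('Save settings'));

    // … unchanged: log in as web_user, generate $secret …
    $public = $this->randomName();
    $edit = array(
      'field_secret[und][0][value]' => $secret,
      'field_public[und][0][value]' => $public,
    );
    // … unchanged: save the profile, owner and administrator assertions …

    // Verify that other users see the public field but not the private one.
    $this->drupalLogin($this->other_user);
    $this->drupalGet("user/$uid");
    $this->assertText($public);
    $this->assertNoText($secret);
```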