diff --git a/core/modules/block_content/block_content.permissions.yml b/core/modules/block_content/block_content.permissions.yml
new file mode 100644
index 0000000000..18bcddd199
--- /dev/null
+++ b/core/modules/block_content/block_content.permissions.yml
@@ -0,0 +1,2 @@
+permission_callbacks:
+ - \Drupal\block_content\BlockContentPermissions::blockTypePermissions
diff --git a/core/modules/block_content/src/BlockContentAccessControlHandler.php b/core/modules/block_content/src/BlockContentAccessControlHandler.php
index 00f05151b0..d50daa052f 100644
--- a/core/modules/block_content/src/BlockContentAccessControlHandler.php
+++ b/core/modules/block_content/src/BlockContentAccessControlHandler.php
@@ -54,13 +54,23 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
+ // Allow view and update access to user with the
+ // 'edit any (type) block content' permission or the 'administer blocks'
+ // permission.
+ $permission = 'edit any ' . $entity->bundle() . ' block content';
if ($operation === 'view') {
$access = AccessResult::allowedIf($entity->isPublished())
- ->orIf(AccessResult::allowedIfHasPermission($account, 'administer blocks'));
+ ->orIf(AccessResult::allowedIfHasPermission($account, 'administer blocks'))
+ ->orIf(AccessResult::allowedIfHasPermission($account, $permission));
+ }
+ elseif ($operation === 'update') {
+ $access = AccessResult::allowedIfHasPermission($account, 'administer blocks')
+ ->orIf(AccessResult::allowedIfHasPermission($account, $permission));
}
else {
$access = parent::checkAccess($entity, $operation, $account);
}
+
// Add the entity as a cacheable dependency because access will at least be
// determined by whether the block is reusable.
$access->addCacheableDependency($entity);
@@ -85,4 +95,12 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
return $access;
}
+ /**
+ * {@inheritdoc}
+ */
+ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
+ return parent::checkCreateAccess($account, $context, $entity_bundle)
+ ->orIf(AccessResult::allowedIfHasPermission($account, 'create ' . $entity_bundle . ' block content'));
+ }
+
}
diff --git a/core/modules/block_content/src/BlockContentPermissions.php b/core/modules/block_content/src/BlockContentPermissions.php
new file mode 100644
index 0000000000..e575d297bc
--- /dev/null
+++ b/core/modules/block_content/src/BlockContentPermissions.php
@@ -0,0 +1,53 @@
+buildPermission($type);
+ }
+
+ return $perms;
+ }
+
+ /**
+ * Return all the permissions available for a custom block type.
+ *
+ * @param \Drupal\block_content\Entity\BlockContentType $type
+ * The custom block type.
+ *
+ * @return array
+ * Permissions available for the given custom block type.
+ */
+ protected function buildPermission(BlockContentType $type) {
+ $type_id = $type->id();
+ $type_params = ['%type_name' => $type->label()];
+ return [
+ "edit any $type_id block content" => [
+ 'title' => $this->t('%type_name: Edit any block content', $type_params),
+ ],
+ "create $type_id block content" => [
+ 'title' => $this->t('%type_name: Create new block content', $type_params),
+ ],
+ ];
+ }
+
+}
diff --git a/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php b/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
index 0c4c0a4493..46897e254f 100644
--- a/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
+++ b/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
@@ -2,14 +2,12 @@
namespace Drupal\Tests\block_content\Kernel;
-use Drupal\block_content\BlockContentAccessControlHandler;
use Drupal\block_content\Entity\BlockContent;
use Drupal\block_content\Entity\BlockContentType;
use Drupal\Core\Access\AccessibleInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\KernelTests\KernelTestBase;
-use Drupal\user\Entity\Role;
-use Drupal\user\Entity\User;
+use Drupal\Tests\user\Traits\UserCreationTrait;
/**
* Tests the block content entity access handler.
@@ -20,6 +18,8 @@
*/
class BlockContentAccessHandlerTest extends KernelTestBase {
+ use UserCreationTrait;
+
/**
* {@inheritdoc}
*/
@@ -37,13 +37,6 @@ class BlockContentAccessHandlerTest extends KernelTestBase {
*/
protected $accessControlHandler;
- /**
- * The BlockContent entity used for testing.
- *
- * @var \Drupal\block_content\Entity\BlockContent
- */
- protected $blockEntity;
-
/**
* The test role.
*
@@ -62,30 +55,24 @@ protected function setUp() {
$this->installEntitySchema('block_content');
// Create a block content type.
- $block_content_type = BlockContentType::create([
+ $block_type = BlockContentType::create([
'id' => 'square',
'label' => 'A square block type',
'description' => "Provides a block type that is square.",
]);
- $block_content_type->save();
-
- $this->blockEntity = BlockContent::create([
- 'info' => 'The Block',
- 'type' => 'square',
+ $block_type->save();
+ // And another.
+ $block_type = BlockContentType::create([
+ 'id' => 'basic',
+ 'label' => 'A basic block type',
+ 'description' => "Provides a block type that is basic.",
]);
- $this->blockEntity->save();
+ $block_type->save();
// Create user 1 test does not have all permissions.
- User::create([
- 'name' => 'admin',
- ])->save();
+ $this->createUser();
- $this->role = Role::create([
- 'id' => 'roly',
- 'label' => 'roly poly',
- ]);
- $this->role->save();
- $this->accessControlHandler = new BlockContentAccessControlHandler(\Drupal::entityTypeManager()->getDefinition('block_content'), \Drupal::service('event_dispatcher'));
+ $this->accessControlHandler = \Drupal::entityTypeManager()->getAccessControlHandler('block_content');
}
/**
@@ -94,23 +81,15 @@ protected function setUp() {
* @dataProvider providerTestAccess
*/
public function testAccess($operation, $published, $reusable, $permissions, $parent_access, $expected_access) {
- $published ? $this->blockEntity->setPublished() : $this->blockEntity->setUnpublished();
- $reusable ? $this->blockEntity->setReusable() : $this->blockEntity->setNonReusable();
+ $user = $this->createUser($permissions);
- $user = User::create([
- 'name' => 'Someone',
- 'mail' => 'hi@example.com',
+ $block_entity = BlockContent::create([
+ 'info' => 'The Block',
+ 'type' => 'square',
+ 'status' => $published,
+ 'reusable' => $reusable,
]);
- if ($permissions) {
- foreach ($permissions as $permission) {
- $this->role->grantPermission($permission);
- }
- $this->role->save();
- }
- $user->addRole($this->role->id());
- $user->save();
-
if ($parent_access) {
$parent_entity = $this->prophesize(AccessibleInterface::class);
$expected_parent_result = NULL;
@@ -131,12 +110,11 @@ public function testAccess($operation, $published, $reusable, $permissions, $par
->willReturn($expected_parent_result)
->shouldBeCalled();
- $this->blockEntity->setAccessDependency($parent_entity->reveal());
-
+ $block_entity->setAccessDependency($parent_entity->reveal());
}
- $this->blockEntity->save();
+ $block_entity->save();
- $result = $this->accessControlHandler->access($this->blockEntity, $operation, $user, TRUE);
+ $result = $this->accessControlHandler->access($block_entity, $operation, $user, TRUE);
switch ($expected_access) {
case 'allowed':
$this->assertTrue($result->isAllowed());
@@ -146,7 +124,7 @@ public function testAccess($operation, $published, $reusable, $permissions, $par
$this->assertTrue($result->isForbidden());
break;
- case 'neutral':
+ case 'neutral':
$this->assertTrue($result->isNeutral());
break;
@@ -184,6 +162,22 @@ public function providerTestAccess() {
NULL,
'allowed',
],
+ 'view:unpublished:reusable:per-block-editor:basic' => [
+ 'view',
+ FALSE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
+ 'view:unpublished:reusable:per-block-editor:square' => [
+ 'view',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
'view:published:reusable:admin' => [
'view',
TRUE,
@@ -192,6 +186,22 @@ public function providerTestAccess() {
NULL,
'allowed',
],
+ 'view:published:reusable:per-block-editor:basic' => [
+ 'view',
+ TRUE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'allowed',
+ ],
+ 'view:published:reusable:per-block-editor:square' => [
+ 'view',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
'view:published:non_reusable' => [
'view',
TRUE,
@@ -291,9 +301,104 @@ public function providerTestAccess() {
'forbidden',
'forbidden',
],
+ $operation . ':unpublished:reusable:per-block-editor:basic' => [
+ $operation,
+ FALSE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
+ $operation . ':published:reusable:per-block-editor:basic' => [
+ $operation,
+ TRUE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
];
}
+
+ $cases += [
+ 'update:unpublished:reusable:per-block-editor:square' => [
+ 'update',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
+ 'update:published:reusable:per-block-editor:square' => [
+ 'update',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
+ ];
+
+ $cases += [
+ 'delete:unpublished:reusable:per-block-editor:square' => [
+ 'delete',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'neutral',
+ ],
+ 'delete:published:reusable:per-block-editor:square' => [
+ 'delete',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'neutral',
+ ],
+ ];
return $cases;
}
+ /**
+ * @covers ::checkCreateAccess
+ *
+ * @dataProvider providerTestCreateAccess
+ */
+ public function testCreateAccess(array $permissions, $block_type_id, $expected_access) {
+ $user = $this->createUser($permissions);
+ $this->assertEquals($expected_access, $this->accessControlHandler->createAccess($block_type_id, $user, []));
+ }
+
+ /**
+ * Data provider for ::testCreateAccess.
+ *
+ * @return array
+ * Test cases.
+ */
+ public function providerTestCreateAccess() {
+ return [
+ 'super admin' => [
+ ['administer blocks'],
+ 'square',
+ TRUE,
+ ],
+ 'no permissions' => [
+ [],
+ 'square',
+ FALSE,
+ ],
+ 'different block-type' => [
+ ['create basic block content'],
+ 'square',
+ FALSE,
+ ],
+ 'create access' => [
+ ['create square block content'],
+ 'square',
+ TRUE,
+ ],
+ ];
+ }
+
}
diff --git a/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php b/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php
new file mode 100644
index 0000000000..d1ba0789d5
--- /dev/null
+++ b/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php
@@ -0,0 +1,98 @@
+installSchema('system', ['sequences']);
+ $this->installEntitySchema('user');
+ $this->installEntitySchema('block_content');
+
+ $this->permissionHandler = $this->container->get('user.permissions');
+ }
+
+ /**
+ * @covers ::blockTypePermissions
+ */
+ public function testDynamicPermissions() {
+ $permissions = $this->permissionHandler->getPermissions();
+ $this->assertArrayNotHasKey('edit any basic block content', $permissions, 'The per-block-type permission does not exist.');
+ $this->assertArrayNotHasKey('edit any square block content', $permissions, 'The per-block-type permission does not exist.');
+ $this->assertArrayNotHasKey('create basic block content', $permissions, 'The per-block-type permission does not exist.');
+ $this->assertArrayNotHasKey('create square block content', $permissions, 'The per-block-type permission does not exist.');
+
+ // Create a basic block content type.
+ BlockContentType::create([
+ 'id' => 'basic',
+ 'label' => 'A basic block type',
+ 'description' => 'Provides a basic block type',
+ ])->save();
+
+ // Create a square block content type.
+ BlockContentType::create([
+ 'id' => 'square',
+ 'label' => 'A square block type',
+ 'description' => 'Provides a block type that is square',
+ ])->save();
+
+ $permissions = $this->permissionHandler->getPermissions();
+
+ // Assert the basic permissions have been created.
+ $this->assertArrayHasKey('edit any basic block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A basic block type: Edit any block content',
+ $permissions['edit any basic block content']['title']->render()
+ );
+ $this->assertArrayHasKey('create basic block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A basic block type: Create new block content',
+ $permissions['create basic block content']['title']->render()
+ );
+
+ // Assert the square permissions have been created.
+ $this->assertArrayHasKey('edit any square block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A square block type: Edit any block content',
+ $permissions['edit any square block content']['title']->render()
+ );
+ $this->assertArrayHasKey('create square block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A square block type: Create new block content',
+ $permissions['create square block content']['title']->render()
+ );
+ }
+
+}