diff --git a/core/modules/block_content/block_content.permissions.yml b/core/modules/block_content/block_content.permissions.yml
new file mode 100644
index 0000000000..18bcddd199
--- /dev/null
+++ b/core/modules/block_content/block_content.permissions.yml
@@ -0,0 +1,2 @@
+permission_callbacks:
+ - \Drupal\block_content\BlockContentPermissions::blockTypePermissions
diff --git a/core/modules/block_content/block_content.routing.yml b/core/modules/block_content/block_content.routing.yml
index 35724a68b8..2dbfda1668 100644
--- a/core/modules/block_content/block_content.routing.yml
+++ b/core/modules/block_content/block_content.routing.yml
@@ -6,7 +6,7 @@ block_content.add_page:
options:
_admin_route: TRUE
requirements:
- _permission: 'administer blocks'
+ _block_content_add_access: 'block_content_type'
block_content.add_form:
path: '/block/add/{block_content_type}'
@@ -16,7 +16,7 @@ block_content.add_form:
options:
_admin_route: TRUE
requirements:
- _permission: 'administer blocks'
+ _block_content_add_access: 'block_content_type:{block_content_type}'
entity.block_content.canonical:
path: '/block/{block_content}'
diff --git a/core/modules/block_content/block_content.services.yml b/core/modules/block_content/block_content.services.yml
index 9c6dceb82e..7b06d58679 100644
--- a/core/modules/block_content/block_content.services.yml
+++ b/core/modules/block_content/block_content.services.yml
@@ -4,3 +4,8 @@ services:
arguments: ['@cache.bootstrap', '@lock', '@entity_type.manager']
tags:
- { name: needs_destruction }
+ access_check.block_content.add:
+ class: Drupal\block_content\Access\BlockContentAddAccessCheck
+ arguments: ['@entity_type.manager']
+ tags:
+ - { name: access_check, applies_to: _block_content_add_access }
diff --git a/core/modules/block_content/src/Access/BlockContentAddAccessCheck.php b/core/modules/block_content/src/Access/BlockContentAddAccessCheck.php
new file mode 100644
index 0000000000..98dfe58420
--- /dev/null
+++ b/core/modules/block_content/src/Access/BlockContentAddAccessCheck.php
@@ -0,0 +1,64 @@
+entityTypeManager = $entity_type_manager;
+ }
+
+ /**
+ * Checks access to the block_content add page for the block_content type.
+ *
+ * @param \Drupal\Core\Session\AccountInterface $account
+ * The currently logged in account.
+ * @param \Drupal\block_content\BlockContentTypeInterface $block_content_type
+ * (optional) The block_content type. If not specified, access is allowed if
+ * there is at least one block_content type of which the user may create.
+ *
+ * @return string
+ * A \Drupal\Core\Access\AccessInterface constant value.
+ */
+ public function access(AccountInterface $account, BlockContentTypeInterface $block_content_type = NULL) {
+ $access_control_handler = $this->entityTypeManager->getAccessControlHandler('block_content');
+ if ($account->hasPermission('administer blocks')) {
+ return AccessResult::allowed()->cachePerPermissions();
+ }
+ if ($block_content_type) {
+ return $access_control_handler->createAccess($block_content_type->id(), $account, [], TRUE);
+ }
+ // Check if the user can create any block type.
+ foreach ($this->entityTypeManager->getStorage('block_content_type')->loadMultiple() as $block_content_type) {
+ if (($access = $access_control_handler->createAccess($block_content_type->id(), $account, [], TRUE)) && $access->isAllowed()) {
+ return $access;
+ }
+ }
+
+ // No opinion.
+ return AccessResult::neutral();
+ }
+
+}
diff --git a/core/modules/block_content/src/BlockContentAccessControlHandler.php b/core/modules/block_content/src/BlockContentAccessControlHandler.php
index 00f05151b0..d50daa052f 100644
--- a/core/modules/block_content/src/BlockContentAccessControlHandler.php
+++ b/core/modules/block_content/src/BlockContentAccessControlHandler.php
@@ -54,13 +54,23 @@ public static function createInstance(ContainerInterface $container, EntityTypeI
* {@inheritdoc}
*/
protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
+ // Allow view and update access to user with the
+ // 'edit any (type) block content' permission or the 'administer blocks'
+ // permission.
+ $permission = 'edit any ' . $entity->bundle() . ' block content';
if ($operation === 'view') {
$access = AccessResult::allowedIf($entity->isPublished())
- ->orIf(AccessResult::allowedIfHasPermission($account, 'administer blocks'));
+ ->orIf(AccessResult::allowedIfHasPermission($account, 'administer blocks'))
+ ->orIf(AccessResult::allowedIfHasPermission($account, $permission));
+ }
+ elseif ($operation === 'update') {
+ $access = AccessResult::allowedIfHasPermission($account, 'administer blocks')
+ ->orIf(AccessResult::allowedIfHasPermission($account, $permission));
}
else {
$access = parent::checkAccess($entity, $operation, $account);
}
+
// Add the entity as a cacheable dependency because access will at least be
// determined by whether the block is reusable.
$access->addCacheableDependency($entity);
@@ -85,4 +95,12 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
return $access;
}
+ /**
+ * {@inheritdoc}
+ */
+ protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
+ return parent::checkCreateAccess($account, $context, $entity_bundle)
+ ->orIf(AccessResult::allowedIfHasPermission($account, 'create ' . $entity_bundle . ' block content'));
+ }
+
}
diff --git a/core/modules/block_content/src/BlockContentPermissions.php b/core/modules/block_content/src/BlockContentPermissions.php
new file mode 100644
index 0000000000..e575d297bc
--- /dev/null
+++ b/core/modules/block_content/src/BlockContentPermissions.php
@@ -0,0 +1,53 @@
+buildPermission($type);
+ }
+
+ return $perms;
+ }
+
+ /**
+ * Return all the permissions available for a custom block type.
+ *
+ * @param \Drupal\block_content\Entity\BlockContentType $type
+ * The custom block type.
+ *
+ * @return array
+ * Permissions available for the given custom block type.
+ */
+ protected function buildPermission(BlockContentType $type) {
+ $type_id = $type->id();
+ $type_params = ['%type_name' => $type->label()];
+ return [
+ "edit any $type_id block content" => [
+ 'title' => $this->t('%type_name: Edit any block content', $type_params),
+ ],
+ "create $type_id block content" => [
+ 'title' => $this->t('%type_name: Create new block content', $type_params),
+ ],
+ ];
+ }
+
+}
diff --git a/core/modules/block_content/src/Controller/BlockContentController.php b/core/modules/block_content/src/Controller/BlockContentController.php
index 5ea0935996..9f5cb6d896 100644
--- a/core/modules/block_content/src/Controller/BlockContentController.php
+++ b/core/modules/block_content/src/Controller/BlockContentController.php
@@ -2,6 +2,7 @@
namespace Drupal\block_content\Controller;
+use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityStorageInterface;
use Drupal\block_content\BlockContentTypeInterface;
@@ -73,8 +74,18 @@ public function __construct(EntityStorageInterface $block_content_storage, Entit
* returns the custom block add page for that custom block type.
*/
public function add(Request $request) {
- $types = $this->blockContentTypeStorage->loadMultiple();
- if ($types && count($types) == 1) {
+ $build = ['#theme' => 'block_content_add_list'];
+ $cache = (new CacheableMetadata())->addCacheTags($this->entityTypeManager()->getDefinition('block_content_type')->getListCacheTags());
+ $types = [];
+ // Only use block_content types the user has access to.
+ foreach ($this->blockContentTypeStorage->loadMultiple() as $type) {
+ $access = $this->entityTypeManager()->getAccessControlHandler('block_content')->createAccess($type->id(), NULL, [], TRUE);
+ if ($access->isAllowed()) {
+ $types[$type->id()] = $type;
+ }
+ $cache = CacheableMetadata::createFromObject($access)->merge($cache);
+ }
+ if (count($types) == 1) {
$type = reset($types);
return $this->addForm($type, $request);
}
@@ -85,8 +96,9 @@ public function add(Request $request) {
]),
];
}
-
- return ['#theme' => 'block_content_add_list', '#content' => $types];
+ $cache->applyTo($build);
+ $build['#content'] = $types;
+ return $build;
}
/**
diff --git a/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php b/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php
index 361bade5f8..7659549d89 100644
--- a/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php
+++ b/core/modules/block_content/tests/src/Functional/BlockContentCreationTest.php
@@ -77,6 +77,34 @@ public function testBlockContentCreation() {
'%value' => $edit['info[0][value]'],
]));
$this->assertResponse(200);
+
+ // Test user with specific create permission has access to add that type
+ // via the UI.
+ $this->createBlockContentType('test_block_type');
+ $user = $this->drupalCreateUser(['create basic block content', 'administer blocks']);
+ $this->drupalLogin($user);
+ $this->drupalGet('block/add/basic');
+ $this->assertSession()->statusCodeEquals(200);
+ // Only 1 block type accessible, user is shown the form for that type.
+ $this->assertSession()->fieldExists('info[0][value]');
+ $this->assertSession()->fieldExists('body[0][value]');
+ $this->submitForm([
+ 'info[0][value]' => 'Another test block',
+ 'body[0][value]' => $this->randomMachineName(16),
+ ], t('Save'));
+ $this->assertSession()->responseContains(t('@block %name has been created.', [
+ '@block' => 'basic',
+ '%name' => 'Another test block'
+ ]));
+ $this->assertSession()->statusCodeEquals(200);
+
+ user_role_grant_permissions($user->roles[0]->target_id, ['create test_block_type block content']);
+ $this->drupalGet('block/add');
+ $this->assertSession()->linkExists('basic');
+ $this->assertSession()->linkExists('test_block_type');
+ $this->clickLink('test_block_type');
+ $this->assertSession()->addressEquals('block/add/test_block_type');
+ $this->assertSession()->statusCodeEquals(200);
}
/**
diff --git a/core/modules/block_content/tests/src/Functional/PageEditTest.php b/core/modules/block_content/tests/src/Functional/PageEditTest.php
index e751c70b09..6e3d841292 100644
--- a/core/modules/block_content/tests/src/Functional/PageEditTest.php
+++ b/core/modules/block_content/tests/src/Functional/PageEditTest.php
@@ -48,6 +48,9 @@ public function testPageEdit() {
// Stay on the current page, without reloading.
$this->drupalPostForm(NULL, $edit, t('Save'));
+ // Login as a user with specific edit permissions.
+ $this->drupalLogin($this->drupalCreateUser(['edit any basic block content']));
+
// Edit the same block, creating a new revision.
$this->drupalGet("block/" . $block->id());
$edit = [];
@@ -61,6 +64,8 @@ public function testPageEdit() {
$revised_block = BlockContent::load($block->id());
$this->assertNotIdentical($block->getRevisionId(), $revised_block->getRevisionId(), 'A new revision has been created.');
+ $this->drupalLogin($this->adminUser);
+
// Test deleting the block.
$this->drupalGet("block/" . $revised_block->id());
$this->clickLink(t('Delete'));
diff --git a/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php b/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
index 0c4c0a4493..46897e254f 100644
--- a/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
+++ b/core/modules/block_content/tests/src/Kernel/BlockContentAccessHandlerTest.php
@@ -2,14 +2,12 @@
namespace Drupal\Tests\block_content\Kernel;
-use Drupal\block_content\BlockContentAccessControlHandler;
use Drupal\block_content\Entity\BlockContent;
use Drupal\block_content\Entity\BlockContentType;
use Drupal\Core\Access\AccessibleInterface;
use Drupal\Core\Access\AccessResult;
use Drupal\KernelTests\KernelTestBase;
-use Drupal\user\Entity\Role;
-use Drupal\user\Entity\User;
+use Drupal\Tests\user\Traits\UserCreationTrait;
/**
* Tests the block content entity access handler.
@@ -20,6 +18,8 @@
*/
class BlockContentAccessHandlerTest extends KernelTestBase {
+ use UserCreationTrait;
+
/**
* {@inheritdoc}
*/
@@ -37,13 +37,6 @@ class BlockContentAccessHandlerTest extends KernelTestBase {
*/
protected $accessControlHandler;
- /**
- * The BlockContent entity used for testing.
- *
- * @var \Drupal\block_content\Entity\BlockContent
- */
- protected $blockEntity;
-
/**
* The test role.
*
@@ -62,30 +55,24 @@ protected function setUp() {
$this->installEntitySchema('block_content');
// Create a block content type.
- $block_content_type = BlockContentType::create([
+ $block_type = BlockContentType::create([
'id' => 'square',
'label' => 'A square block type',
'description' => "Provides a block type that is square.",
]);
- $block_content_type->save();
-
- $this->blockEntity = BlockContent::create([
- 'info' => 'The Block',
- 'type' => 'square',
+ $block_type->save();
+ // And another.
+ $block_type = BlockContentType::create([
+ 'id' => 'basic',
+ 'label' => 'A basic block type',
+ 'description' => "Provides a block type that is basic.",
]);
- $this->blockEntity->save();
+ $block_type->save();
// Create user 1 test does not have all permissions.
- User::create([
- 'name' => 'admin',
- ])->save();
+ $this->createUser();
- $this->role = Role::create([
- 'id' => 'roly',
- 'label' => 'roly poly',
- ]);
- $this->role->save();
- $this->accessControlHandler = new BlockContentAccessControlHandler(\Drupal::entityTypeManager()->getDefinition('block_content'), \Drupal::service('event_dispatcher'));
+ $this->accessControlHandler = \Drupal::entityTypeManager()->getAccessControlHandler('block_content');
}
/**
@@ -94,23 +81,15 @@ protected function setUp() {
* @dataProvider providerTestAccess
*/
public function testAccess($operation, $published, $reusable, $permissions, $parent_access, $expected_access) {
- $published ? $this->blockEntity->setPublished() : $this->blockEntity->setUnpublished();
- $reusable ? $this->blockEntity->setReusable() : $this->blockEntity->setNonReusable();
+ $user = $this->createUser($permissions);
- $user = User::create([
- 'name' => 'Someone',
- 'mail' => 'hi@example.com',
+ $block_entity = BlockContent::create([
+ 'info' => 'The Block',
+ 'type' => 'square',
+ 'status' => $published,
+ 'reusable' => $reusable,
]);
- if ($permissions) {
- foreach ($permissions as $permission) {
- $this->role->grantPermission($permission);
- }
- $this->role->save();
- }
- $user->addRole($this->role->id());
- $user->save();
-
if ($parent_access) {
$parent_entity = $this->prophesize(AccessibleInterface::class);
$expected_parent_result = NULL;
@@ -131,12 +110,11 @@ public function testAccess($operation, $published, $reusable, $permissions, $par
->willReturn($expected_parent_result)
->shouldBeCalled();
- $this->blockEntity->setAccessDependency($parent_entity->reveal());
-
+ $block_entity->setAccessDependency($parent_entity->reveal());
}
- $this->blockEntity->save();
+ $block_entity->save();
- $result = $this->accessControlHandler->access($this->blockEntity, $operation, $user, TRUE);
+ $result = $this->accessControlHandler->access($block_entity, $operation, $user, TRUE);
switch ($expected_access) {
case 'allowed':
$this->assertTrue($result->isAllowed());
@@ -146,7 +124,7 @@ public function testAccess($operation, $published, $reusable, $permissions, $par
$this->assertTrue($result->isForbidden());
break;
- case 'neutral':
+ case 'neutral':
$this->assertTrue($result->isNeutral());
break;
@@ -184,6 +162,22 @@ public function providerTestAccess() {
NULL,
'allowed',
],
+ 'view:unpublished:reusable:per-block-editor:basic' => [
+ 'view',
+ FALSE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
+ 'view:unpublished:reusable:per-block-editor:square' => [
+ 'view',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
'view:published:reusable:admin' => [
'view',
TRUE,
@@ -192,6 +186,22 @@ public function providerTestAccess() {
NULL,
'allowed',
],
+ 'view:published:reusable:per-block-editor:basic' => [
+ 'view',
+ TRUE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'allowed',
+ ],
+ 'view:published:reusable:per-block-editor:square' => [
+ 'view',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
'view:published:non_reusable' => [
'view',
TRUE,
@@ -291,9 +301,104 @@ public function providerTestAccess() {
'forbidden',
'forbidden',
],
+ $operation . ':unpublished:reusable:per-block-editor:basic' => [
+ $operation,
+ FALSE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
+ $operation . ':published:reusable:per-block-editor:basic' => [
+ $operation,
+ TRUE,
+ TRUE,
+ ['edit any basic block content'],
+ NULL,
+ 'neutral',
+ ],
];
}
+
+ $cases += [
+ 'update:unpublished:reusable:per-block-editor:square' => [
+ 'update',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
+ 'update:published:reusable:per-block-editor:square' => [
+ 'update',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'allowed',
+ ],
+ ];
+
+ $cases += [
+ 'delete:unpublished:reusable:per-block-editor:square' => [
+ 'delete',
+ FALSE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'neutral',
+ ],
+ 'delete:published:reusable:per-block-editor:square' => [
+ 'delete',
+ TRUE,
+ TRUE,
+ ['edit any square block content'],
+ NULL,
+ 'neutral',
+ ],
+ ];
return $cases;
}
+ /**
+ * @covers ::checkCreateAccess
+ *
+ * @dataProvider providerTestCreateAccess
+ */
+ public function testCreateAccess(array $permissions, $block_type_id, $expected_access) {
+ $user = $this->createUser($permissions);
+ $this->assertEquals($expected_access, $this->accessControlHandler->createAccess($block_type_id, $user, []));
+ }
+
+ /**
+ * Data provider for ::testCreateAccess.
+ *
+ * @return array
+ * Test cases.
+ */
+ public function providerTestCreateAccess() {
+ return [
+ 'super admin' => [
+ ['administer blocks'],
+ 'square',
+ TRUE,
+ ],
+ 'no permissions' => [
+ [],
+ 'square',
+ FALSE,
+ ],
+ 'different block-type' => [
+ ['create basic block content'],
+ 'square',
+ FALSE,
+ ],
+ 'create access' => [
+ ['create square block content'],
+ 'square',
+ TRUE,
+ ],
+ ];
+ }
+
}
diff --git a/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php b/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php
new file mode 100644
index 0000000000..d1ba0789d5
--- /dev/null
+++ b/core/modules/block_content/tests/src/Kernel/BlockContentPermissionsTest.php
@@ -0,0 +1,98 @@
+installSchema('system', ['sequences']);
+ $this->installEntitySchema('user');
+ $this->installEntitySchema('block_content');
+
+ $this->permissionHandler = $this->container->get('user.permissions');
+ }
+
+ /**
+ * @covers ::blockTypePermissions
+ */
+ public function testDynamicPermissions() {
+ $permissions = $this->permissionHandler->getPermissions();
+ $this->assertArrayNotHasKey('edit any basic block content', $permissions, 'The per-block-type permission does not exist.');
+ $this->assertArrayNotHasKey('edit any square block content', $permissions, 'The per-block-type permission does not exist.');
+ $this->assertArrayNotHasKey('create basic block content', $permissions, 'The per-block-type permission does not exist.');
+ $this->assertArrayNotHasKey('create square block content', $permissions, 'The per-block-type permission does not exist.');
+
+ // Create a basic block content type.
+ BlockContentType::create([
+ 'id' => 'basic',
+ 'label' => 'A basic block type',
+ 'description' => 'Provides a basic block type',
+ ])->save();
+
+ // Create a square block content type.
+ BlockContentType::create([
+ 'id' => 'square',
+ 'label' => 'A square block type',
+ 'description' => 'Provides a block type that is square',
+ ])->save();
+
+ $permissions = $this->permissionHandler->getPermissions();
+
+ // Assert the basic permissions have been created.
+ $this->assertArrayHasKey('edit any basic block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A basic block type: Edit any block content',
+ $permissions['edit any basic block content']['title']->render()
+ );
+ $this->assertArrayHasKey('create basic block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A basic block type: Create new block content',
+ $permissions['create basic block content']['title']->render()
+ );
+
+ // Assert the square permissions have been created.
+ $this->assertArrayHasKey('edit any square block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A square block type: Edit any block content',
+ $permissions['edit any square block content']['title']->render()
+ );
+ $this->assertArrayHasKey('create square block content', $permissions, 'The per-block-type permission exists.');
+ $this->assertEquals(
+ 'A square block type: Create new block content',
+ $permissions['create square block content']['title']->render()
+ );
+ }
+
+}