diff --git a/core/modules/system/tests/src/Kernel/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php b/core/modules/system/tests/src/Kernel/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php index 0e10ab05f7..d3ef6eb500 100644 --- a/core/modules/system/tests/src/Kernel/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php +++ b/core/modules/system/tests/src/Kernel/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php @@ -251,6 +251,7 @@ public function testUserHandler(): void { 'target_type' => 'user', 'handler' => 'default', 'target_bundles' => NULL, + 'include_blocked' => TRUE, 'include_anonymous' => TRUE, ]; @@ -400,6 +401,25 @@ public function testUserHandler(): void { ], ]; $this->assertReferenceable($selection_options, $referenceable_tests, 'User handler (does not include anonymous)'); + + // Even users with 'administer users' permission cannot view blocked users if + // the 'include_blocked' selection option is FALSE. + \Drupal::currentUser()->setAccount($users['admin']); + $selection_options['include_blocked'] = FALSE; + $referenceable_tests = [ + [ + 'arguments' => [ + [NULL, 'CONTAINS'], + ], + 'result' => [ + 'user' => [ + $users['admin']->id() => $user_labels['admin'], + $users['non_admin']->id() => $user_labels['non_admin'], + ], + ], + ], + ]; + $this->assertReferenceable($selection_options, $referenceable_tests, 'User handler (does not include blocked)'); } /** diff --git a/core/modules/user/config/schema/user.schema.yml b/core/modules/user/config/schema/user.schema.yml index ed7e3875ed..52a3666efc 100644 --- a/core/modules/user/config/schema/user.schema.yml +++ b/core/modules/user/config/schema/user.schema.yml @@ -188,6 +188,9 @@ entity_reference_selection.default:user: include_anonymous: type: boolean label: 'Include the anonymous user in the matched entities.' + include_blocked: + type: boolean + label: 'Include blocked users in the matched entities.' field.formatter.settings.user_name: type: mapping diff --git a/core/modules/user/src/Plugin/EntityReferenceSelection/UserSelection.php b/core/modules/user/src/Plugin/EntityReferenceSelection/UserSelection.php index 96f127b9fc..60e15b0400 100644 --- a/core/modules/user/src/Plugin/EntityReferenceSelection/UserSelection.php +++ b/core/modules/user/src/Plugin/EntityReferenceSelection/UserSelection.php @@ -94,6 +94,7 @@ public function defaultConfiguration() { 'type' => '_none', 'role' => NULL, ], + 'include_blocked' => TRUE, 'include_anonymous' => TRUE, ] + parent::defaultConfiguration(); } @@ -104,10 +105,23 @@ public function defaultConfiguration() { public function buildConfigurationForm(array $form, FormStateInterface $form_state) { $configuration = $this->getConfiguration(); + $form['include_blocked'] = [ + '#type' => 'checkbox', + '#title' => $this->t('Include blocked users'), + '#default_value' => !empty($configuration['include_blocked']), + '#description' => $this->t('If this option is not set, only users with the administer users permission may reference blocked users.'), + ]; + $form['include_anonymous'] = [ '#type' => 'checkbox', '#title' => $this->t('Include the anonymous user.'), '#default_value' => $configuration['include_anonymous'], + // If inactive users are not included, then it's not possible to get the Anonymous user either. + '#states' => [ + 'visible' => [ + ':input[name="settings[handler_settings][include_blocked]"]' => ['checked' => TRUE], + ], + ], ]; // Add user specific filter options. @@ -177,7 +191,7 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS') // Adding the permission check is sadly insufficient for users: core // requires us to also know about the concept of 'blocked' and 'active'. - if (!$this->currentUser->hasPermission('administer users')) { + if (!$configuration['include_blocked'] && !$this->currentUser->hasPermission('administer users')) { $query->condition('status', 1); } return $query;