core/modules/media/src/MediaAccessControlHandler.php | 7 ++++++-
.../src/Functional/EntityResource/Media/MediaResourceTestBase.php | 2 +-
.../src/Functional/EntityResource/User/UserResourceTestBase.php | 2 +-
core/modules/user/src/UserAccessControlHandler.php | 3 ++-
4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/core/modules/media/src/MediaAccessControlHandler.php b/core/modules/media/src/MediaAccessControlHandler.php
index 434abfe..3a59c33 100644
--- a/core/modules/media/src/MediaAccessControlHandler.php
+++ b/core/modules/media/src/MediaAccessControlHandler.php
@@ -3,6 +3,7 @@
 namespace Drupal\media;
 use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Access\AccessResultReasonInterface;
 use Drupal\Core\Entity\EntityAccessControlHandler;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Session\AccountInterface;
@@ -44,10 +45,14 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 if ($account->hasPermission('delete any media')) {
 return AccessResult::allowed()->cachePerPermissions();
 }
- return AccessResult::allowedIf($account->hasPermission('delete media') && $is_owner)
+ $access_result = AccessResult::allowedIf($account->hasPermission('delete media') && $is_owner)
 ->cachePerPermissions()
 ->cachePerUser()
 ->addCacheableDependency($entity);
+ if (!$access_result->isAllowed() && $access_result instanceof AccessResultReasonInterface) {
+ $access_result->setReason("As a non-owner of this media item, the 'delete any media' permission is required; as an owner of this media, the 'delete media' permission is required.");
+ }
+ return $access_result;
 default:
 return AccessResult::neutral()->cachePerPermissions();
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/Media/MediaResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/Media/MediaResourceTestBase.php
index 475a1ca..179f2d6 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/Media/MediaResourceTestBase.php
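Review bot: The denial reason is attached only on the 'delete' branch, and it is the text a refused REST caller receives: the test base updated in this same commit expects it verbatim for DELETE, while PATCH still expects the generic "You are not authorized to update this media entity of bundle camelids." message. If the 'update' branch (outside this hunk) follows the same owner/any-permission pattern, it should get an equivalent reason so the two operations stay consistent. Because the string reaches callers who were just refused, a short comment above the call would help keep it limited to permission names, e.g. `// Reason is shown to the refused caller: name required permissions only, no entity data.` The wording also switches between "this media item" and "this media". checkAccess() begins and ends outside the hunk.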
+++ b/core/modules/rest/tests/src/Functional/EntityResource/Media/MediaResourceTestBase.php
@@ -247,7 +247,7 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 return 'You are not authorized to update this media entity of bundle camelids.';
 case 'DELETE':
- return 'You are not authorized to delete this media entity of bundle camelids.';
+ return "As a non-owner of this media item, the 'delete any media' permission is required; as an owner of this media, the 'delete media' permission is required.";
 default:
 return parent::getExpectedUnauthorizedAccessMessage($method);
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
index d758cf6..3db06b3 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
@@ -257,7 +257,7 @@ protected function getExpectedUnauthorizedAccessMessage($method) {
 case 'PATCH':
 return "You are not authorized to update this user entity.";
 case 'DELETE':
- return 'You are not authorized to delete this user entity.';
+ return "The 'cancel account' permission is required.";
 default:
 return parent::getExpectedUnauthorizedAccessMessage($method);
 }
diff --git a/core/modules/user/src/UserAccessControlHandler.php b/core/modules/user/src/UserAccessControlHandler.php
index 712b32a..f2f23db 100644
--- a/core/modules/user/src/UserAccessControlHandler.php
+++ b/core/modules/user/src/UserAccessControlHandler.php
@@ -68,7 +68,8 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 case 'delete':
 // Users with 'cancel account' permission can cancel their own account.
- return AccessResult::allowedIf($account->id() == $entity->id() && $account->hasPermission('cancel account'))->cachePerPermissions()->cachePerUser();
+ return AccessResult::allowedIfHasPermission($account, 'cancel account')
+ ->andIf(AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser());
 }
 // No opinion.
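Review bot: The reason a refused caller now sees appears to come from `allowedIfHasPermission()` alone, so the ownership half of the rule in the `->andIf(AccessResult::allowedIf($account->id() == $entity->id())->cachePerUser())` line is never explained: the updated UserResourceTestBase expectation pins the message to "The 'cancel account' permission is required.", even though, per the comment above, the permission only covers the caller's own account. The media handler in this commit spells out both conditions in its reason; doing the same here, or extending the comment to `// The 'cancel account' permission only covers the user's own account; it never grants deletion of another user.`, would avoid implying the permission alone is sufficient. Separately, the id check keeps the loose `==`; if either id can be NULL (presumably for an unsaved entity) it would compare equal to 0, so a strict comparison on string-cast ids is worth considering. checkAccess() begins and ends outside the hunk.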