diff --git a/core/lib/Drupal/Core/Action/ActionInterface.php b/core/lib/Drupal/Core/Action/ActionInterface.php index 21a5c5e..4f1b98c 100644 --- a/core/lib/Drupal/Core/Action/ActionInterface.php +++ b/core/lib/Drupal/Core/Action/ActionInterface.php @@ -10,6 +10,7 @@ use Drupal\Component\Plugin\PluginInspectionInterface; use Drupal\Core\Executable\ExecutableInterface; use Drupal\Core\Access\AccessibleInterface; +use Drupal\Core\Session\AccountInterface; /** * Provides an interface for an Action plugin. @@ -35,7 +36,7 @@ * @see \Drupal\Core\Action\ActionBase * @see plugin_api */ -interface ActionInterface extends ExecutableInterface, PluginInspectionInterface, AccessibleInterface { +interface ActionInterface extends ExecutableInterface, PluginInspectionInterface { /** * Executes the plugin for an array of objects. @@ -45,4 +46,27 @@ */ public function executeMultiple(array $objects); + /** + * Checks data value access. + * + * @param string $operation + * The operation to be performed. 'execute' for checking access whether the + * $account can execute the action on the particular $object. + * @param mixed $object + * The object to execute the action on. + * @param \Drupal\Core\Session\AccountInterface $account + * (optional) The user for which to check access, or NULL to check access + * for the current user. Defaults to NULL. + * @param bool $return_as_object + * (optional) Defaults to FALSE. + * + * @return bool|\Drupal\Core\Access\AccessResultInterface + * The access result. Returns a boolean if $return_as_object is FALSE (this + * is the default) and otherwise an AccessResultInterface object. + * When a boolean is returned, the result of AccessInterface::isAllowed() is + * returned, i.e. TRUE means access is explicitly allowed, FALSE means + * access is either explicitly forbidden or "no opinion". + */ + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE); + } diff --git a/core/modules/action/src/Plugin/Action/EmailAction.php b/core/modules/action/src/Plugin/Action/EmailAction.php index 545d051..febcef4 100644 --- a/core/modules/action/src/Plugin/Action/EmailAction.php +++ b/core/modules/action/src/Plugin/Action/EmailAction.php @@ -189,7 +189,7 @@ public function submitConfigurationForm(array &$form, FormStateInterface $form_s /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { $result = AccessResult::allowed(); return $return_as_object ? $result : $result->isAllowed(); } diff --git a/core/modules/action/src/Plugin/Action/GotoAction.php b/core/modules/action/src/Plugin/Action/GotoAction.php index e09890c..96d590d 100644 --- a/core/modules/action/src/Plugin/Action/GotoAction.php +++ b/core/modules/action/src/Plugin/Action/GotoAction.php @@ -118,7 +118,7 @@ public function submitConfigurationForm(array &$form, FormStateInterface $form_s /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { $result = AccessResult::allowed(); return $return_as_object ? $result : $result->isAllowed(); } diff --git a/core/modules/action/src/Plugin/Action/MessageAction.php b/core/modules/action/src/Plugin/Action/MessageAction.php index a8e9f8c..a1e980f 100644 --- a/core/modules/action/src/Plugin/Action/MessageAction.php +++ b/core/modules/action/src/Plugin/Action/MessageAction.php @@ -94,7 +94,7 @@ public function submitConfigurationForm(array &$form, FormStateInterface $form_s /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { $result = AccessResult::allowed(); return $return_as_object ? $result : $result->isAllowed(); } diff --git a/core/modules/comment/src/Plugin/Action/PublishComment.php b/core/modules/comment/src/Plugin/Action/PublishComment.php index d23a700..0fdfd1b 100644 --- a/core/modules/comment/src/Plugin/Action/PublishComment.php +++ b/core/modules/comment/src/Plugin/Action/PublishComment.php @@ -34,9 +34,9 @@ public function execute($comment = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer comments'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\comment\CommentInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/comment/src/Plugin/Action/SaveComment.php b/core/modules/comment/src/Plugin/Action/SaveComment.php index 55faa47..549f64b 100644 --- a/core/modules/comment/src/Plugin/Action/SaveComment.php +++ b/core/modules/comment/src/Plugin/Action/SaveComment.php @@ -31,9 +31,9 @@ public function execute($comment = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer comments'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\comment\CommentInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/comment/src/Plugin/Action/UnpublishByKeywordComment.php b/core/modules/comment/src/Plugin/Action/UnpublishByKeywordComment.php index 99e75d3..45daaa8 100644 --- a/core/modules/comment/src/Plugin/Action/UnpublishByKeywordComment.php +++ b/core/modules/comment/src/Plugin/Action/UnpublishByKeywordComment.php @@ -72,9 +72,9 @@ public function submitConfigurationForm(array &$form, FormStateInterface $form_s /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer comments'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\comment\CommentInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/comment/src/Plugin/Action/UnpublishComment.php b/core/modules/comment/src/Plugin/Action/UnpublishComment.php index f2403b1..6b8b403 100644 --- a/core/modules/comment/src/Plugin/Action/UnpublishComment.php +++ b/core/modules/comment/src/Plugin/Action/UnpublishComment.php @@ -34,9 +34,11 @@ public function execute($comment = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer comments'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\comment\CommentInterface $object */ + if ($operation == 'execute') { + return $object->access('update', $account, $return_as_object); + } } } diff --git a/core/modules/node/src/Plugin/Action/AssignOwnerNode.php b/core/modules/node/src/Plugin/Action/AssignOwnerNode.php index eeba913..2be6af7 100644 --- a/core/modules/node/src/Plugin/Action/AssignOwnerNode.php +++ b/core/modules/node/src/Plugin/Action/AssignOwnerNode.php @@ -137,9 +137,9 @@ public function submitConfigurationForm(array &$form, FormStateInterface $form_s /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/DeleteNode.php b/core/modules/node/src/Plugin/Action/DeleteNode.php index 53c1cbb..4e7f386 100644 --- a/core/modules/node/src/Plugin/Action/DeleteNode.php +++ b/core/modules/node/src/Plugin/Action/DeleteNode.php @@ -75,9 +75,9 @@ public function execute($object = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('delete', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/DemoteNode.php b/core/modules/node/src/Plugin/Action/DemoteNode.php index 86e3d00..e260efa 100644 --- a/core/modules/node/src/Plugin/Action/DemoteNode.php +++ b/core/modules/node/src/Plugin/Action/DemoteNode.php @@ -33,9 +33,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/PromoteNode.php b/core/modules/node/src/Plugin/Action/PromoteNode.php index 4204616..98d84a5 100644 --- a/core/modules/node/src/Plugin/Action/PromoteNode.php +++ b/core/modules/node/src/Plugin/Action/PromoteNode.php @@ -34,9 +34,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/PublishNode.php b/core/modules/node/src/Plugin/Action/PublishNode.php index 0a7f518..cefa497 100644 --- a/core/modules/node/src/Plugin/Action/PublishNode.php +++ b/core/modules/node/src/Plugin/Action/PublishNode.php @@ -33,9 +33,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/SaveNode.php b/core/modules/node/src/Plugin/Action/SaveNode.php index 0bd8fca..b32bd2d 100644 --- a/core/modules/node/src/Plugin/Action/SaveNode.php +++ b/core/modules/node/src/Plugin/Action/SaveNode.php @@ -32,9 +32,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/StickyNode.php b/core/modules/node/src/Plugin/Action/StickyNode.php index 435fd81..14ce5f9 100644 --- a/core/modules/node/src/Plugin/Action/StickyNode.php +++ b/core/modules/node/src/Plugin/Action/StickyNode.php @@ -34,9 +34,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/UnpublishByKeywordNode.php b/core/modules/node/src/Plugin/Action/UnpublishByKeywordNode.php index 706f97d..6dcfd2d 100644 --- a/core/modules/node/src/Plugin/Action/UnpublishByKeywordNode.php +++ b/core/modules/node/src/Plugin/Action/UnpublishByKeywordNode.php @@ -69,9 +69,9 @@ public function submitConfigurationForm(array &$form, FormStateInterface $form_s /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/UnpublishNode.php b/core/modules/node/src/Plugin/Action/UnpublishNode.php index 5054824..23d190f 100644 --- a/core/modules/node/src/Plugin/Action/UnpublishNode.php +++ b/core/modules/node/src/Plugin/Action/UnpublishNode.php @@ -33,9 +33,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/node/src/Plugin/Action/UnstickyNode.php b/core/modules/node/src/Plugin/Action/UnstickyNode.php index cb0c837..ff66489 100644 --- a/core/modules/node/src/Plugin/Action/UnstickyNode.php +++ b/core/modules/node/src/Plugin/Action/UnstickyNode.php @@ -33,9 +33,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer nodes'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\node\NodeInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/system/src/Plugin/views/field/BulkForm.php b/core/modules/system/src/Plugin/views/field/BulkForm.php index 8fcf9df..57055d6 100644 --- a/core/modules/system/src/Plugin/views/field/BulkForm.php +++ b/core/modules/system/src/Plugin/views/field/BulkForm.php @@ -34,7 +34,7 @@ class BulkForm extends FieldPluginBase { /** * An array of actions that can be executed. * - * @var \Drupal\Core\Action\ActionInterface[] + * @var \Drupal\system\ActionConfigEntityInterface[] */ protected $actions = array(); @@ -224,12 +224,6 @@ protected function getBulkOptions($filtered = TRUE) { // Filter the action list. foreach ($this->actions as $id => $action) { if ($filtered) { - - // Filter out options without access to it. - // @fixme Find out the right operation. - if (!$action->access('execute', $this->view->getUser())) { - continue; - } $in_selected = in_array($id, $this->options['selected_actions']); // If the field is configured to include only the selected actions, // skip actions that were not selected. @@ -265,15 +259,16 @@ public function viewsFormSubmit(&$form, FormStateInterface $form_state) { // Filter only selected checkboxes. $selected = array_filter($form_state->getValue($this->options['id'])); $entities = array(); + $action = $this->actions[$form_state->getValue('action')]; foreach (array_intersect_key($this->view->result, $selected) as $row) { $entity = $this->getEntity($row); - $entities[$entity->id()] = $entity; - } - $action = $this->actions[$form_state->getValue('action')]; + // Skip execution if the user did not had access. + if (!$action->getPlugin()->access('execute', $entity, $this->view->getUser())) { + continue; + } - if (!$action->access('execute', $this->view->getUser())) { - throw new AccessDeniedHttpException(); + $entities[$entity->id()] = $entity; } $action->execute($entities); diff --git a/core/modules/system/tests/modules/action_test/src/Plugin/Action/NoType.php b/core/modules/system/tests/modules/action_test/src/Plugin/Action/NoType.php index 21ae399c..4f33acc 100644 --- a/core/modules/system/tests/modules/action_test/src/Plugin/Action/NoType.php +++ b/core/modules/system/tests/modules/action_test/src/Plugin/Action/NoType.php @@ -30,7 +30,7 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { $result = AccessResult::allowed(); return $return_as_object ? $result : $result->isAllowed(); } diff --git a/core/modules/system/tests/modules/action_test/src/Plugin/Action/SaveEntity.php b/core/modules/system/tests/modules/action_test/src/Plugin/Action/SaveEntity.php index 98e94bd..8b93c75 100644 --- a/core/modules/system/tests/modules/action_test/src/Plugin/Action/SaveEntity.php +++ b/core/modules/system/tests/modules/action_test/src/Plugin/Action/SaveEntity.php @@ -32,9 +32,9 @@ public function execute($entity = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer users', 'OR'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\Core\Entity\EntityInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/user/src/Plugin/Action/AddRoleUser.php b/core/modules/user/src/Plugin/Action/AddRoleUser.php index 7e66646..0ff48c6 100644 --- a/core/modules/user/src/Plugin/Action/AddRoleUser.php +++ b/core/modules/user/src/Plugin/Action/AddRoleUser.php @@ -37,12 +37,4 @@ public function execute($account = NULL) { } } - /** - * {@inheritdoc} - */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer users'); - return $return_as_object ? $result : $result->isAllowed(); - } - } diff --git a/core/modules/user/src/Plugin/Action/BlockUser.php b/core/modules/user/src/Plugin/Action/BlockUser.php index 6e4ddbe..0ada490 100644 --- a/core/modules/user/src/Plugin/Action/BlockUser.php +++ b/core/modules/user/src/Plugin/Action/BlockUser.php @@ -39,9 +39,9 @@ public function execute($account = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer users'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\user\UserInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/user/src/Plugin/Action/CancelUser.php b/core/modules/user/src/Plugin/Action/CancelUser.php index e9e2940..f67443a 100644 --- a/core/modules/user/src/Plugin/Action/CancelUser.php +++ b/core/modules/user/src/Plugin/Action/CancelUser.php @@ -75,9 +75,9 @@ public function execute($object = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer users'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\user\UserInterface $object */ + return $object->access('delete', $account, $return_as_object); } } diff --git a/core/modules/user/src/Plugin/Action/ChangeUserRoleBase.php b/core/modules/user/src/Plugin/Action/ChangeUserRoleBase.php index 3f49183..fca84be 100644 --- a/core/modules/user/src/Plugin/Action/ChangeUserRoleBase.php +++ b/core/modules/user/src/Plugin/Action/ChangeUserRoleBase.php @@ -96,9 +96,9 @@ public function calculateDependencies() { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer users'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\user\UserInterface $object */ + return $object->access('update', $account, $return_as_object); } } diff --git a/core/modules/user/src/Plugin/Action/RemoveRoleUser.php b/core/modules/user/src/Plugin/Action/RemoveRoleUser.php index 03676b3..a0f7bdb 100644 --- a/core/modules/user/src/Plugin/Action/RemoveRoleUser.php +++ b/core/modules/user/src/Plugin/Action/RemoveRoleUser.php @@ -37,12 +37,4 @@ public function execute($account = NULL) { } } - /** - * {@inheritdoc} - */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer users'); - return $return_as_object ? $result : $result->isAllowed(); - } - } diff --git a/core/modules/user/src/Plugin/Action/UnblockUser.php b/core/modules/user/src/Plugin/Action/UnblockUser.php index 9eb3328..c9b360e 100644 --- a/core/modules/user/src/Plugin/Action/UnblockUser.php +++ b/core/modules/user/src/Plugin/Action/UnblockUser.php @@ -36,9 +36,9 @@ public function execute($account = NULL) { /** * {@inheritdoc} */ - public function access($operation, AccountInterface $account = NULL, $return_as_object = FALSE) { - $result = AccessResult::allowedIfHasPermission($account, 'administer users'); - return $return_as_object ? $result : $result->isAllowed(); + public function access($operation, $object, AccountInterface $account = NULL, $return_as_object = FALSE) { + /** @var \Drupal\user\UserInterface $object */ + return $object->access('update', $account, $return_as_object); } }