diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 7b3e49e..5107fb7 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -7,10 +7,15 @@ namespace Drupal\rest\Plugin\rest\resource;
+use Psr\Log\LoggerInterface;
+use Drupal\Core\Entity\ContentEntityInterface;
+use Drupal\Core\Entity\EntityDisplayBase;
+use Drupal\Core\Session\AccountProxyInterface;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Entity\EntityStorageException;
 use Drupal\rest\Plugin\ResourceBase;
 use Drupal\rest\ResourceResponse;
+use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\HttpException;
@@ -34,6 +39,47 @@ class EntityResource extends ResourceBase {
 /**
+ * A curent user instance.
+ *
+ * @var \Drupal\Core\Session\AccountProxyInterface
+ */
+ protected $currentUser;
+
+ /**
+ * Constructs a Drupal\rest\Plugin\ResourceBase object.
+ *
+ * @param array $configuration
+ * A configuration array containing information about the plugin instance.
+ * @param string $plugin_id
+ * The plugin_id for the plugin instance.
+ * @param mixed $plugin_definition
+ * The plugin implementation definition.
+ * @param array $serializer_formats
+ * The available serialization formats.
+ * @param \Psr\Log\LoggerInterface $logger
+ * A logger instance.
+ * @param \Drupal\Core\Session\AccountProxyInterface $current_user
+ * A curent user instance.
+ */
+ public function __construct(array $configuration, $plugin_id, $plugin_definition, array $serializer_formats, LoggerInterface $logger, AccountProxyInterface $current_user) {
+ parent::__construct($configuration, $plugin_id, $plugin_definition, $serializer_formats, $logger);
+ $this->currentUser = $current_user;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
+ return new static(
+ $configuration,
+ $plugin_id,
+ $plugin_definition,
+ $container->getParameter('serializer.formats'),
+ $container->get('logger.factory')->get('rest'),
+ $container->get('current_user')
+ );
+ }
+ /**
 * Responds to entity GET requests.
 *
 * @param \Drupal\Core\Entity\EntityInterface $entity
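Review bot: The new constructor docblock names the wrong class and misspells its description: it reads `Constructs a Drupal\rest\Plugin\ResourceBase object.` although this is EntityResource, and `A curent user instance.` appears both on the property and on the `$current_user` parameter. Change the summary to `Constructs an EntityResource object.` and both descriptions to `The current user.`; the `@var` on the property is otherwise fine. The only use of `$this->currentUser` visible in this diff is `hasPermission()`, so the dependency could be typed as the narrower `\Drupal\Core\Session\AccountInterface` (which would need its own `use` line) instead of the proxy, making the class easier to construct in tests; that is a preference, not a defect. Indentation appears to have been lost in this rendering, so the two-space continuation under each `@param` cannot be verified here.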
@@ -45,12 +91,25 @@ class EntityResource extends ResourceBase { * @throws \Symfony\Component\HttpKernel\Exception\HttpException */ public function get(EntityInterface $entity) { - if (!$entity->access('view')) { - throw new AccessDeniedHttpException(); + + // Validate access only for entities extending Content Entity Interface. + if ($entity instanceof ContentEntityInterface) { + if (!$entity->access('view')) { + throw new AccessDeniedHttpException(); + } + + foreach ($entity as $field_name => $field) { + if (!$field->access('view')) { + unset($entity->{$field_name}); + } + } } - foreach ($entity as $field_name => $field) { - if (!$field->access('view')) { - unset($entity->{$field_name}); + // Validate if current has permit to get Entity Display entities. + else if($entity instanceof EntityDisplayBase) { + $plugin_definition = $this->getPluginDefinition(); + $permission = 'Access GET on ' . $plugin_definition['label'] . ' resource'; + if(!$this->currentUser->hasPermission($permission)) { + throw new AccessDeniedHttpException(); } } return new ResourceResponse($entity);
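Review bot: Entities that are neither `ContentEntityInterface` nor `EntityDisplayBase` now fall straight through to `return new ResourceResponse($entity);` with no access check at all, whereas the removed lines called `$entity->access('view')` for every entity, so this is an authorization regression for every other config entity type served by this resource. Keep the entity access check as the default branch after the display-specific one, e.g. `elseif (!$entity->access('view')) {` / `  throw new AccessDeniedHttpException();` / `}`, so the special case only narrows the behaviour it was meant to. The permission string `'Access GET on ' . $plugin_definition['label'] . ' resource'` reads like a human-facing title rather than a permission machine name; confirm it is exactly the name the REST module registers, otherwise `hasPermission()` will always deny for displays and the branch is dead. Drupal coding standards also call for `elseif (` and `if (` rather than `else if(` and `if(`. The closing brace of `get()` lies outside this hunk.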