Add entity & bundle access checks [FOLLOWUP]

I have some rudimentary code that checks create access in entity_access() for each bundle in the widget setup, unsettling any that return false and then wraps the add new/existing form to check if no bundles are left (it replaces the form with an access warning message) it works for node creation but I imagine only for nodes and other access callbacks that follow the pattern of allowing an entity bundle to be passed in place of the entity object. That doesn't take in account update access for existing entities. Makes me think it should be done at the controller level so each entity with proper support can specify a callback that can check per entity type, bundle and entity using whatever means necessary...unless entity API should be getting beefed up here...

Wow, nice!

Opening this up again for one little issue.

When I added my rudimentary code as mentioned above, I wrapped the Create & Add Existing form elements in a check for "create_bundles". That is use-case specific as I needed to restrict create & add to those with create access, and a good default is of course to allow referencing even when create access is denied which I found when updating to the current dev.

This makes me think an additional setting would be nice along with "Allow Existing", something along the lines of "Allow users to add existing @label without requiring @singular_label bundle create access.". Then in the form check for any create_bundles OR this setting in addition to the current check for allow_existing.

Patch attached does this.

Here's a version that keeps the current behaviour by default.

You're right that the create entity access is not currently needed to reference an entity, so there is no bug. What I'm saying is that I needed this restriction for my use case and others might as well in a content context so I've added the setting above to enable restricting referencing if a user does not have create access, or that the need for access has not been bypassed.

Here is the same thing with reversed logic. In this version we add a setting that allows a user to "Require entity bundle create access to reference existing entities", the logic may seem ever so slightly convoluted, but the UX makes more sense I guess.

To explain my use-case a little more and why I think this is relevant to the module in general. The site allows a user to add a node while anonymous (it triggers a purchase). On this node there is an inline entity form to add another node of a different type, but this type of node has create access restrictions until they have created an account and are logged in. Furthermore they may only reference nodes they have created (Entity Reference is using the views select to get a list of user owned items). Thus it makes sense to only allow referencing existing that they have created and if not logged in not present the add existing form. I don't think this is an edge case, or wont be once IEF goes multi platinum :)

Also if you come around to liking this :) then I think it might be nice if when a user doesn't have create or reference access (because it has been denied when there is no create access) that there be a little check on the form that puts a little warning in the field markup along the lines of:

      // If the user does not have entity create access and we have restricted
      // referencing existing entities then we present a warning explaining
      // why they cannot add or reference anything.
      if (!count($settings['create_bundles']) && $controller->getSetting('existing_require_create_access')) {
        $element['actions'] = array(
          '#type' => 'container',
          '#suffix' => t('<div class="messages warning">* You do not yet have access to add or reference any @type_plural.</div>', array('@type_plural' => $labels['plural'])),
        );
      }

*cough* :)

No worries, glad one of the ideas is useful! Thanks for the thorough review and a direction forward as well!