Make custom_elements_thunder follow field-access [#3273275]

Problem/Motivation

We need to respect field-access for security and provide a good way to do it easily for custom-code that wants to access specific fields.

before:

  /**
   * {@inheritdoc}
   */
  public function addtoElement($paragraph, CustomElement $element, $viewMode) {
    assert($paragraph instanceof ParagraphInterface);

    // Always add a title attribute if field_title is there.
    if (isset($paragraph->field_title) && $paragraph->field_title->value) {
      $element->setAttribute('title', $paragraph->field_title->value);
    }

    /** @var \Drupal\media_entity\Entity\Media $media_entity */
    $media_entity = $paragraph->field_image->entity;
    if (!$media_entity) {
      return;
    }

    $element->setAttribute('src', $media_entity->field_image->entity->uri->url);

    if (!$media_entity->field_copyright->isEmpty()) {
      $element->setAttribute('copyright', $media_entity->field_copyright->value);
    }
    if (!$media_entity->field_source->isEmpty()) {
      $element->setAttribute('source', $media_entity->field_source->value);
    }
    if (!$media_entity->field_description->isEmpty()) {
      $element->setAttribute('caption', $media_entity->field_description->processed);
    }
  }

after, maybe something like:

  /**
   * {@inheritdoc}
   */
  public function addtoElement($paragraph, CustomElement $element, $viewMode) {
     ....
    if ($element->hasAccess($media_entity->field_copyright->access('view', NULL, TRUE)) && !$media_entity->field_copyright->isEmpty()) {
      $element->setAttribute('copyright', $media_entity->field_copyright->value);
    }
....

  }

Remaining tasks

* Figure out a good solution and implement

User interface changes

API changes

only additions

Issue fork custom_elements-3273275

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3273275-customelementsthunder-field-access changes, plain diff MR !11
Check out this branch for the first time

Check out existing branch, if you already have it locally

1 hidden branch

3273275-cleanup

changes, plain diff MR !12

Check out this branch for the first time

Check out existing branch, if you already have it locally

About issue forks

Comments

Comment #1

4 April 2022 at 11:19

fago created an issue. See original summary.

Comment #2

fago

German

Vienna

commented 4 April 2022 at 11:22

maybe we should add something like CustomElementsFieldUtilsTrait which we could put on the process or class and that one could have helpers that do the access checking for fields + the checking whtether is empty, e.g. ::fieldIsViewable() ?

Comment #3

12 April 2022 at 10:53

vasike made their first commit to this issue’s fork.

Comment #4

13 April 2022 at 13:15

vasike opened merge request !11

Comment #5

fago

German

Vienna

commented 14 April 2022 at 10:18

thanks for the PR. The cleanup stuff looks mostly good, maybe it would make sense to the clean-up as a separate issue/PR first?

Anyway, on the topic: I don't like the proposed helper for the following reason:
* it hard-codes how values are assigned. When this needs to be customized, you cannot use the helper and are back on your own again
* it's not helpful for entity references
* it hides important details from the processor - I don't see the values being assigned anymore
* the Custom-Elements class is currently decoupled from entities - I'd prefer to keep it like that

I think the helper should focus on the access checking and leave the value-assignement part. Maybe something like that:


trait CustomElementsProcessorFieldUtils {
  
   function fieldIsAccessible($field_items, $element) {
      // call field access. 
      // add access result to cache
      return boolean.
   }
   function entityIsAccessible(EntityInterface $entity = NULL, $element) {
      // make sure entity is not null, entity access is true. 
      // add access result to cache
      return boolean.
   }
}
// then use the trait in processors like that
   if ($this->fieldIsAccessible($media_entity->field_copyright) && $media_entity->field_copyright->value) {
      $element->setAttribute('copyright', $media_entity->field_copyright->value);
    }