Let's start to convert all calls to user_access() with the new AccountInterface::hasPermission() method.

Part of #2048171: [meta] Replace user_access() calls with $account->hasPermission() wherever possible.

Change records for this issue:

CommentFileSizeAuthor
#23 interdiff-2062007-21-23.txt8.18 KBherom
#23 node_replace_user_access-2062007-23.patch20.37 KBherom
#21 interdiff-2062007-19-21.txt7.04 KBherom
#21 node_replace_user_access-2062007-21.patch19.44 KBherom
#19 node_replace_user_access-2062007-19.patch19.29 KBtkuldeep17
#17 node_replace_user_access-2062007-17.patch19.36 KBtkuldeep17
#15 node_replace_user_access-2062007-15.patch19.35 KBtkuldeep17
#12 node_replace_user_access-2062007-11.patch19.36 KBtkuldeep17
#10 node_replace_user_access-2062007-9.patch20.45 KBtkuldeep17
#8 node_replace_user_access-2062007-8.patch20.45 KBtkuldeep17
#5 drupal-node_replace_user_access-2062007-5.patch25.89 KBsidharthap
#1 drupal-node_replace_user_access_2062007.patch29.67 KBinternetdevels

Comments

internetdevels’s picture

internetdevels commented
StatusFileSize
new drupal-node_replace_user_access_2062007.patch29.67 KB

Here is the patch. In some cases Drupal::request()->attributes->get('_account') return NULL to account object. That why I added drupal_anonymous_user() function for fix the issue. But looks it requires additional investigation.

internetdevels’s picture

internetdevels commented
Status: Active » Needs review

Oops, forgot change status.

Status: Needs review » Needs work

The last submitted patch, drupal-node_replace_user_access_2062007.patch, failed testing.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Component: user system » node.module
Priority: Minor » Normal 
  1. +++ b/core/modules/node/lib/Drupal/node/NodeAccessController.php
@@ -70,12 +70,14 @@ public static function createInstance(ContainerInterface $container, $entity_typ
+    $account = $account ?: \Drupal::request()->attributes->get('_account');

    This could be fixed in #2048223: Add $account argument to AccessCheckInterface::access() method and use the current_user service 

  2. +++ b/core/modules/node/lib/Drupal/node/NodeFormController.php
@@ -141,14 +141,15 @@ public function form(array $form, array &$form_state) {
+      || \Drupal::request()->attributes->get('_account')->hasPermission('administer nodes'),
...
+      '#access' => \Drupal::request()->attributes->get('_account')->hasPermission('administer nodes'),

@@ -167,7 +168,7 @@ public function form(array $form, array &$form_state) {
+      '#access' => \Drupal::request()->attributes->get('_account')->hasPermission('administer nodes'),

@@ -206,7 +207,7 @@ public function form(array $form, array &$form_state) {
+      '#access' => \Drupal::request()->attributes->get('_account')->hasPermission('administer nodes'),

@@ -257,7 +258,8 @@ protected function actions(array $form, array &$form_state) {
+        && \Drupal::request()->attributes->get('_account')->hasPermission('administer nodes')) {

+++ b/core/modules/node/lib/Drupal/node/NodeTypeListController.php
@@ -91,7 +91,8 @@ public function buildRow(EntityInterface $entity) {
+        && \Drupal::request()->attributes->get('_account')->hasPermission('administer node fields')) {

@@ -99,7 +100,8 @@ public function getOperations(EntityInterface $entity) {
+        && \Drupal::request()->attributes->get('_account')->hasPermission('administer node form display')) {

@@ -107,7 +109,8 @@ public function getOperations(EntityInterface $entity) {
+        && \Drupal::request()->attributes->get('_account')->hasPermission('administer node display')) {

+++ b/core/modules/node/lib/Drupal/node/Plugin/Block/SyndicateBlock.php
@@ -35,7 +35,11 @@ public function settings() {
+    $account = \Drupal::request()->attributes->get('_account');

+++ b/core/modules/node/lib/Drupal/node/Plugin/entity_reference/selection/NodeSelection.php
@@ -34,7 +34,8 @@ public function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS') {
+    if (!\Drupal::request()->attributes->get('_account')->hasPermission('bypass node access')

+++ b/core/modules/node/lib/Drupal/node/Plugin/views/field/RevisionLink.php
@@ -32,7 +32,9 @@ public function init(ViewExecutable $view, DisplayPluginBase $display, array &$o
+    $account = \Drupal::request()->attributes->get('_account');

+++ b/core/modules/node/lib/Drupal/node/Plugin/views/field/RevisionLinkDelete.php
@@ -21,7 +21,9 @@
+    $account = \Drupal::request()->attributes->get('_account');

+++ b/core/modules/node/lib/Drupal/node/Plugin/views/field/RevisionLinkRevert.php
@@ -21,7 +21,9 @@
+    $account = \Drupal::request()->attributes->get('_account');

    Use Drupal::currentUser() service https://drupal.org/node/2032447

sidharthap’s picture

sidharthap
Primary language English
commented
Status: Needs work » Needs review
StatusFileSize
new drupal-node_replace_user_access-2062007-5.patch25.89 KB

corrected #4

The last submitted patch, drupal-node_replace_user_access-2062007-5.patch, failed testing.

tkuldeep17’s picture

tkuldeep17 commented

Hi sidharthap

For using method of Drupal.php class, you should use \Drupal::currentUser()->hasPermission('access content'); instead of Drupal::currentUser()->hasPermission('access content');

As all the classes have some namespaces, but Drupal.php is defined in global namespace, so for using global namespace you have to prefix with '\'. For more about global name spaces.

tkuldeep17’s picture

tkuldeep17 commented
Issue summary: View changes
Status: Needs work » Needs review
StatusFileSize
new node_replace_user_access-2062007-8.patch20.45 KB

Submitting my patch...

Status: Needs review » Needs work

The last submitted patch, 8: node_replace_user_access-2062007-8.patch, failed testing.

tkuldeep17’s picture

tkuldeep17 commented
Status: Needs work » Needs review
StatusFileSize
new node_replace_user_access-2062007-9.patch20.45 KB

Resubmitting patch..

Status: Needs review » Needs work

The last submitted patch, 10: node_replace_user_access-2062007-9.patch, failed testing.

tkuldeep17’s picture

tkuldeep17 commented
StatusFileSize
new node_replace_user_access-2062007-11.patch19.36 KB

Very Sorry, I was creating patch from old code base.. Now this patch is from new code base..

tkuldeep17’s picture

tkuldeep17 commented
Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 12: node_replace_user_access-2062007-11.patch, failed testing.

tkuldeep17’s picture

tkuldeep17 commented
Status: Needs work » Needs review
StatusFileSize
new node_replace_user_access-2062007-15.patch19.35 KB

Fixing php syntax error..

Status: Needs review » Needs work

The last submitted patch, 15: node_replace_user_access-2062007-15.patch, failed testing.

tkuldeep17’s picture

tkuldeep17 commented
Status: Needs work » Needs review
StatusFileSize
new node_replace_user_access-2062007-17.patch19.36 KB

I am not getting, why drupal bot is giving php syntax error, I am using php 5.5. Drupal bot is saying 'unexpected ;'
return \Drupal::currentUser()->hasPermission(('revert revisions') || \Drupal::currentUser()->hasPermission('administer nodes');

Please help me..

In this patch I am adding parenthesis 

(\Drupal::currentUser()->hasPermission(('revert revisions')) ||
     (\Drupal::currentUser()->hasPermission('administer nodes'));

As in my local I am not getting error.. not able resolve it..

Status: Needs review » Needs work

The last submitted patch, 17: node_replace_user_access-2062007-17.patch, failed testing.

tkuldeep17’s picture

tkuldeep17 commented
Status: Needs work » Needs review
StatusFileSize
new node_replace_user_access-2062007-19.patch19.29 KB

Sorry forgot to updated code base, so resubmitting patch..

Status: Needs review » Needs work

The last submitted patch, 19: node_replace_user_access-2062007-19.patch, failed testing.

herom’s picture

herom commented
Status: Needs work » Needs review
StatusFileSize
new node_replace_user_access-2062007-21.patch19.44 KB
new interdiff-2062007-19-21.txt7.04 KB

adding dependency injection for $account in NodeFormController.
also, reverting changes in node/Plugin/views for now, since #2109433: Replace user_access() through injected user accounts in views. has a better solution for it.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Needs review » Needs work
Parent issue: » #2048171: [meta] Replace user_access() calls with $account->hasPermission() wherever possible. 
  1. +++ b/core/modules/node/lib/Drupal/node/NodeFormController.php
@@ -26,6 +36,29 @@ class NodeFormController extends ContentEntityFormController {
+        $container->get('entity.manager'),
+        $container->get('current_user')

+++ b/core/modules/node/lib/Drupal/node/Plugin/entity_reference/selection/NodeSelection.php
@@ -34,7 +34,8 @@ public function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS') {
+          !count(\Drupal::moduleHandler()->getImplementations('node_grants'))) {

+++ b/core/modules/node/node.api.php
@@ -572,18 +572,20 @@ function hook_node_access(\Drupal\node\NodeInterface $node, $op, $account, $lang
+       ($account->hasPermission('edit own ' . $type . ' content') && ($account->id() == $node->getAuthorId()))) {
...
+       ($account->hasPermission('delete own ' . $type . ' content') && ($account->id() == $node->getAuthorId()))) {
...
+      if ($account->hasPermission('edit any ' . $type . ' content') ||
...
+      if ($account->hasPermission('delete any ' . $type . ' content') ||

+++ b/core/modules/node/lib/Drupal/node/Plugin/entity_reference/selection/NodeSelection.php
@@ -34,7 +34,8 @@ public function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS') {
+    if (!\Drupal::currentUser()->hasPermission('bypass node access') &&

+++ b/core/modules/node/lib/Drupal/node/NodeFormController.php
@@ -26,6 +36,29 @@ class NodeFormController extends ContentEntityFormController {
+    return new static(

    indent is wrong, use 2 spaces 

  2. +++ b/core/modules/node/node.module
@@ -21,6 +21,7 @@
+

    unnecessary change 

  3. +++ b/core/modules/node/node.module
@@ -1106,11 +1107,13 @@ function node_revision_list(EntityInterface $node) {
+  if (!\Drupal::currentUser()->hasPermission('bypass node access')) {
...
+
+
+    if (\Drupal::currentUser()->hasPermission('view own unpublished content') && $own_unpublished = db_query('SELECT DISTINCT nid FROM {node_field_data} WHERE uid = :uid AND status = :status', array(':uid' => \Drupal::currentUser()->id(), ':status' => NODE_NOT_PUBLISHED))->fetchCol()) {

    Please use variable $current_user or $account to not make 2 calls to \Drupal wrapper
    Also no reason in 2 blank lines 

  4. +++ b/core/modules/node/node.pages.inc
@@ -193,11 +193,11 @@ function node_revision_overview($node) {
+  if ((\Drupal::currentUser()->hasPermission("revert $type revisions") || \Drupal::currentUser()->hasPermission('revert all revisions') || \Drupal::currentUser()->hasPermission('administer nodes')) && $node->access('update')) {
...
+  if ((\Drupal::currentUser()->hasPermission("delete $type revisions") || \Drupal::currentUser()->hasPermission('delete all revisions') || \Drupal::currentUser()->hasPermission('administer nodes')) && $node->access('delete')) {

+++ b/core/modules/node/node.views_execution.inc
@@ -12,9 +12,9 @@
+    '***ADMINISTER_NODES***' => intval(\Drupal::currentUser()->hasPermission('administer nodes')),
+    '***VIEW_OWN_UNPUBLISHED_NODES***' => intval(\Drupal::currentUser()->hasPermission('view own unpublished content')),
+    '***BYPASS_NODE_ACCESS***' =>  intval(\Drupal::currentUser()->hasPermission('bypass node access')),

    Use temporary variable $current_user or $account here

herom’s picture

herom commented
Status: Needs work » Needs review
StatusFileSize
new node_replace_user_access-2062007-23.patch20.37 KB
new interdiff-2062007-21-23.txt8.18 KB

cleanup done.

andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Needs review » Reviewed & tested by the community

The coding standards does not prohibit wrapping long conditions https://drupal.org/coding-standards#linelength
I think more readable code always makes sense

+++ b/core/modules/node/lib/Drupal/node/Plugin/entity_reference/selection/NodeSelection.php
@@ -32,7 +32,8 @@ public function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS') {
-    if (!user_access('bypass node access') && !count(\Drupal::moduleHandler()->getImplementations('node_grants'))) {
+    if (!\Drupal::currentUser()->hasPermission('bypass node access')
+        && !count(\Drupal::moduleHandler()->getImplementations('node_grants'))) {

+++ b/core/modules/node/node.api.php
@@ -567,23 +567,27 @@ function hook_node_load($nodes) {
+      if ($account->hasPermission('edit any ' . $type . ' content')
+          || ($account->hasPermission('edit own ' . $type . ' content')
+              && ($account->id() == $node->getAuthorId()))) {
...
-      if (user_access('edit any ' . $type . ' content', $account) || (user_access('edit own ' . $type . ' content', $account) && ($account->id() == $node->getAuthorId()))) {
...
-      if (user_access('delete any ' . $type . ' content', $account) || (user_access('delete own ' . $type . ' content', $account) && ($account->id() == $node->getAuthorId()))) {
+      if ($account->hasPermission('delete any ' . $type . ' content')
+          || ($account->hasPermission('delete own ' . $type . ' content')
+              && ($account->id() == $node->getAuthorId()))) {

+++ b/core/modules/node/node.module
@@ -83,7 +83,7 @@ function node_help($path, $arg) {
   if ($path != 'admin/reports/status/rebuild' && $path != 'batch' && strpos($path, '#') === FALSE
-      && user_access('access administration pages') && node_access_needs_rebuild()) {
+      && \Drupal::currentUser()->hasPermission('access administration pages') && node_access_needs_rebuild()) {

It was used before patch so I think it's fine

xjm’s picture

xjm
she/her
Primary language English
commented
Status: Reviewed & tested by the community » Closed (duplicate)

Thanks for your work on this! See #2048171-17: [meta] Replace user_access() calls with $account->hasPermission() wherever possible..