EntityAccessDeniedHttpException example

      // @see \Drupal\jsonapi\JsonApiResource\ResourceObject::extractContentEntityFields()       // @todo: eliminate this special casing in https://www.drupal.org/project/drupal/issues/3079254.       if ($resource_type->getEntityTypeId() === 'user') {
        $field_mapping = array_diff($field_mapping[$resource_type->getPublicName('display_name')]);
      }
      foreach (['attributes', 'relationships'] as $data_member_name) {
        if (isset($document['data'][$data_member_name])) {
          foreach (array_intersect_key(array_flip($field_mapping)$document['data'][$data_member_name]) as $internal_field_name) {
            $field_access = $parsed_entity->get($internal_field_name)->access('edit', NULL, TRUE);
            if (!$field_access->isAllowed()) {
              $public_field_name = $field_mapping[$internal_field_name];
              throw new EntityAccessDeniedHttpException(NULL, $field_access, "/data/$data_member_name/$public_field_name", sprintf('The current user is not allowed to POST the selected field (%s).', $public_field_name));
            }
          }
        }
      }
    }

    static::validate($parsed_entity);

    // Return a 409 Conflict response in accordance with the JSON:API spec. See     // http://jsonapi.org/format/#crud-creating-responses-409.     if ($this->entityExists($parsed_entity)) {
      
$includes = is_null($includes) ? new IncludedData([]) : $includes;
    foreach ($include_tree as $field_name => $children) {
      $references = [];
      foreach ($data as $resource_object) {
        // Some objects in the collection may be LabelOnlyResourceObjects or         // EntityAccessDeniedHttpException objects.         assert($resource_object instanceof ResourceIdentifierInterface);
        $public_field_name = $resource_object->getResourceType()->getPublicName($field_name);

        if ($resource_object instanceof LabelOnlyResourceObject) {
          $message = "The current user is not allowed to view this relationship.";
          $exception = new EntityAccessDeniedHttpException($resource_object->getEntity(), AccessResult::forbidden("The user only has authorization for the 'view label' operation."), '', $message$public_field_name);
          $includes = IncludedData::merge($includesnew IncludedData([$exception]));
          continue;
        }
        elseif (!$resource_object instanceof ResourceObject) {
          continue;
        }

        // Not all entities in $entity_collection will be of the same bundle and         // may not have all of the same fields. Therefore, calling         // $resource_object->get($a_missing_field_name) will result in an         // exception.
if (!$access->isAllowed()) {
      // If this is the default revision or the entity is not revisionable, then       // check access to the entity label. Revision support is all or nothing.       if (!$entity->getEntityType()->isRevisionable() || $entity->isDefaultRevision()) {
        $label_access = $entity->access('view label', NULL, TRUE);
        $entity->addCacheableDependency($label_access);
        if ($label_access->isAllowed()) {
          return LabelOnlyResourceObject::createFromEntity($resource_type$entity);
        }
        $access = $access->orIf($label_access);
      }
      return new EntityAccessDeniedHttpException($entity$access, '/data', 'The current user is not allowed to GET the selected resource.');
    }
    return ResourceObject::createFromEntity($resource_type$entity);
  }

  /**
   * Checks access to the given entity.
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The entity for which access should be evaluated.
   * @param string $operation
   *   The entity operation for which access should be evaluated.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   (optional) The account with which access should be checked. Defaults to
   *   the current user.
   *
   * @return \Drupal\Core\Access\AccessResultInterface|\Drupal\Core\Access\AccessResultReasonInterface
   *   The access check result.
   */