function hook_jsonapi_ENTITY_TYPE_filter_access(\Drupal\Core\Entity\EntityTypeInterface
$entity_type, \Drupal\Core\Session\AccountInterface
$account) { return ([ JSONAPI_FILTER_AMONG_ALL => AccessResult::
allowedIfHasPermission($account, 'administer llamas'
),
JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::
allowedIfHasPermission($account, 'view all published llamas'
),
JSONAPI_FILTER_AMONG_OWN => AccessResult::
allowedIfHasPermissions($account,
['view own published llamas', 'view own unpublished llamas'
], 'AND'
),
]);
}/**
* Restricts filtering access to the given field.
*
* Some fields may contain sensitive information. In these cases, modules are
* supposed to implement hook_entity_field_access(). However, this hook receives
* an optional `$items` argument and often must return AccessResult::neutral()
* when `$items === NULL`. This is because access may or may not be allowed
* based on the field items or based on the entity on which the field is
* attached (if the user is the entity owner, for example).
*
* Since JSON:API must check field access prior to having a field item list
* instance available (access must be checked before a database query is made),
* it is not sufficiently secure to check field 'view' access alone.
*
* This hook exists so that modules which cannot return
* AccessResult::forbidden() from hook_entity_field_access() can still secure
* JSON:API requests where necessary.
*
* If a corresponding implementation of hook_entity_field_access() *can* be
* forbidden for one or more values of the `$items` argument, this hook *MUST*
* return AccessResult::forbidden().
*
* @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
* The field definition of the field to be filtered upon.
* @param \Drupal\Core\Session\AccountInterface $account
* The account for which to check access.
*
* @return \Drupal\Core\Access\AccessResultInterface
* The access result.
*/