123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309 |
- <?php
- namespace Drupal\node;
- use Drupal\Core\Access\AccessResult;
- use Drupal\Core\Database\Connection;
- use Drupal\Core\Database\Query\SelectInterface;
- use Drupal\Core\Database\Query\Condition;
- use Drupal\Core\Extension\ModuleHandlerInterface;
- use Drupal\Core\Language\LanguageManagerInterface;
- use Drupal\Core\Session\AccountInterface;
- /**
- * Defines a storage handler class that handles the node grants system.
- *
- * This is used to build node query access.
- *
- * @ingroup node_access
- */
- class NodeGrantDatabaseStorage implements NodeGrantDatabaseStorageInterface {
- /**
- * The database connection.
- *
- * @var \Drupal\Core\Database\Connection
- */
- protected $database;
- /**
- * The module handler.
- *
- * @var \Drupal\Core\Extension\ModuleHandlerInterface
- */
- protected $moduleHandler;
- /**
- * The language manager.
- *
- * @var \Drupal\Core\Language\LanguageManagerInterface
- */
- protected $languageManager;
- /**
- * Constructs a NodeGrantDatabaseStorage object.
- *
- * @param \Drupal\Core\Database\Connection $database
- * The database connection.
- * @param \Drupal\Core\Extension\ModuleHandlerInterface $module_handler
- * The module handler.
- * @param \Drupal\Core\Language\LanguageManagerInterface $language_manager
- * The language manager.
- */
- public function __construct(Connection $database, ModuleHandlerInterface $module_handler, LanguageManagerInterface $language_manager) {
- $this->database = $database;
- $this->moduleHandler = $module_handler;
- $this->languageManager = $language_manager;
- }
- /**
- * {@inheritdoc}
- */
- public function access(NodeInterface $node, $operation, AccountInterface $account) {
- // Grants only support these operations.
- if (!in_array($operation, ['view', 'update', 'delete'])) {
- return AccessResult::neutral();
- }
- // If no module implements the hook or the node does not have an id there is
- // no point in querying the database for access grants.
- if (!$this->moduleHandler->getImplementations('node_grants') || !$node->id()) {
- // Return the equivalent of the default grant, defined by
- // self::writeDefault().
- if ($operation === 'view') {
- return AccessResult::allowedIf($node->isPublished())->addCacheableDependency($node);
- }
- else {
- return AccessResult::neutral();
- }
- }
- // Check the database for potential access grants.
- $query = $this->database->select('node_access');
- $query->addExpression('1');
- // Only interested for granting in the current operation.
- $query->condition('grant_' . $operation, 1, '>=');
- // Check for grants for this node and the correct langcode.
- $nids = $query->andConditionGroup()
- ->condition('nid', $node->id())
- ->condition('langcode', $node->language()->getId());
- // If the node is published, also take the default grant into account. The
- // default is saved with a node ID of 0.
- $status = $node->isPublished();
- if ($status) {
- $nids = $query->orConditionGroup()
- ->condition($nids)
- ->condition('nid', 0);
- }
- $query->condition($nids);
- $query->range(0, 1);
- $grants = static::buildGrantsQueryCondition(node_access_grants($operation, $account));
- if (count($grants) > 0) {
- $query->condition($grants);
- }
- // Only the 'view' node grant can currently be cached; the others currently
- // don't have any cacheability metadata. Hopefully, we can add that in the
- // future, which would allow this access check result to be cacheable in all
- // cases. For now, this must remain marked as uncacheable, even when it is
- // theoretically cacheable, because we don't have the necessary metadata to
- // know it for a fact.
- $set_cacheability = function (AccessResult $access_result) use ($operation) {
- $access_result->addCacheContexts(['user.node_grants:' . $operation]);
- if ($operation !== 'view') {
- $access_result->setCacheMaxAge(0);
- }
- return $access_result;
- };
- if ($query->execute()->fetchField()) {
- return $set_cacheability(AccessResult::allowed());
- }
- else {
- return $set_cacheability(AccessResult::neutral());
- }
- }
- /**
- * {@inheritdoc}
- */
- public function checkAll(AccountInterface $account) {
- $query = $this->database->select('node_access');
- $query->addExpression('COUNT(*)');
- $query
- ->condition('nid', 0)
- ->condition('grant_view', 1, '>=');
- $grants = static::buildGrantsQueryCondition(node_access_grants('view', $account));
- if (count($grants) > 0) {
- $query->condition($grants);
- }
- return $query->execute()->fetchField();
- }
- /**
- * {@inheritdoc}
- */
- public function alterQuery($query, array $tables, $op, AccountInterface $account, $base_table) {
- if (!$langcode = $query->getMetaData('langcode')) {
- $langcode = FALSE;
- }
- // Find all instances of the base table being joined -- could appear
- // more than once in the query, and could be aliased. Join each one to
- // the node_access table.
- $grants = node_access_grants($op, $account);
- foreach ($tables as $nalias => $tableinfo) {
- $table = $tableinfo['table'];
- if (!($table instanceof SelectInterface) && $table == $base_table) {
- // Set the subquery.
- $subquery = $this->database->select('node_access', 'na')
- ->fields('na', ['nid']);
- // If any grant exists for the specified user, then user has access to the
- // node for the specified operation.
- $grant_conditions = static::buildGrantsQueryCondition($grants);
- // Attach conditions to the subquery for nodes.
- if (count($grant_conditions->conditions())) {
- $subquery->condition($grant_conditions);
- }
- $subquery->condition('na.grant_' . $op, 1, '>=');
- // Add langcode-based filtering if this is a multilingual site.
- if (\Drupal::languageManager()->isMultilingual()) {
- // If no specific langcode to check for is given, use the grant entry
- // which is set as a fallback.
- // If a specific langcode is given, use the grant entry for it.
- if ($langcode === FALSE) {
- $subquery->condition('na.fallback', 1, '=');
- }
- else {
- $subquery->condition('na.langcode', $langcode, '=');
- }
- }
- $field = 'nid';
- // Now handle entities.
- $subquery->where("$nalias.$field = na.nid");
- $query->exists($subquery);
- }
- }
- }
- /**
- * {@inheritdoc}
- */
- public function write(NodeInterface $node, array $grants, $realm = NULL, $delete = TRUE) {
- if ($delete) {
- $query = $this->database->delete('node_access')->condition('nid', $node->id());
- if ($realm) {
- $query->condition('realm', [$realm, 'all'], 'IN');
- }
- $query->execute();
- }
- // Only perform work when node_access modules are active.
- if (!empty($grants) && count($this->moduleHandler->getImplementations('node_grants'))) {
- $query = $this->database->insert('node_access')->fields(['nid', 'langcode', 'fallback', 'realm', 'gid', 'grant_view', 'grant_update', 'grant_delete']);
- // If we have defined a granted langcode, use it. But if not, add a grant
- // for every language this node is translated to.
- $fallback_langcode = $node->getUntranslated()->language()->getId();
- foreach ($grants as $grant) {
- if ($realm && $realm != $grant['realm']) {
- continue;
- }
- if (isset($grant['langcode'])) {
- $grant_languages = [$grant['langcode'] => $this->languageManager->getLanguage($grant['langcode'])];
- }
- else {
- $grant_languages = $node->getTranslationLanguages(TRUE);
- }
- foreach ($grant_languages as $grant_langcode => $grant_language) {
- // Only write grants; denies are implicit.
- if ($grant['grant_view'] || $grant['grant_update'] || $grant['grant_delete']) {
- $grant['nid'] = $node->id();
- $grant['langcode'] = $grant_langcode;
- // The record with the original langcode is used as the fallback.
- if ($grant['langcode'] == $fallback_langcode) {
- $grant['fallback'] = 1;
- }
- else {
- $grant['fallback'] = 0;
- }
- $query->values($grant);
- }
- }
- }
- $query->execute();
- }
- }
- /**
- * {@inheritdoc}
- */
- public function delete() {
- $this->database->truncate('node_access')->execute();
- }
- /**
- * {@inheritdoc}
- */
- public function writeDefault() {
- $this->database->insert('node_access')
- ->fields([
- 'nid' => 0,
- 'realm' => 'all',
- 'gid' => 0,
- 'grant_view' => 1,
- 'grant_update' => 0,
- 'grant_delete' => 0,
- ])
- ->execute();
- }
- /**
- * {@inheritdoc}
- */
- public function count() {
- return $this->database->query('SELECT COUNT(*) FROM {node_access}')->fetchField();
- }
- /**
- * {@inheritdoc}
- */
- public function deleteNodeRecords(array $nids) {
- $this->database->delete('node_access')
- ->condition('nid', $nids, 'IN')
- ->execute();
- }
- /**
- * Creates a query condition from an array of node access grants.
- *
- * @param array $node_access_grants
- * An array of grants, as returned by node_access_grants().
- * @return \Drupal\Core\Database\Query\Condition
- * A condition object to be passed to $query->condition().
- *
- * @see node_access_grants()
- */
- protected static function buildGrantsQueryCondition(array $node_access_grants) {
- $grants = new Condition("OR");
- foreach ($node_access_grants as $realm => $gids) {
- if (!empty($gids)) {
- $and = new Condition('AND');
- $grants->condition($and
- ->condition('gid', $gids, 'IN')
- ->condition('realm', $realm)
- );
- }
- }
- return $grants;
- }
- }
|