EntityAccessController documents the invocation of hook_entity_access(), however no hook is ever called.
A generic hook_entity_access should be added which is called for all entities, in the spirit of hook_entity_create/view/presave/load/delete etc.
core/lib/Drupal/Core/Entity/EntityAccessController.php
// Invoke hook_entity_access(), hook results take precedence over overridden
// implementations of EntityAccessController::checkAccess(). Entities
// that have checks that need to be done before the hook is invoked should
// do so by overridding this method.
????? nothing here ?????
// We grant access to the entity if both of these conditions are met:
// - No modules say to deny access.
// - At least one module says to grant access.
$access = module_invoke_all($entity->entityType() . '_access', $entity->getBCEntity(), $operation, $account, $langcode);
References
- Commit #7dd31494
- #1979094: Separate create access operation entity access controllers to avoid costly EntityNG instantiation
Proposal
Implement hook_entity_(create_)access() in addition to the existing hook_ENTITY_TYPE_access() and document hook_ENTITY_TYPE_ACCESS() because it is already being called.
API changes
None. Documentation will be fixed and two hooks will be added.
Issues blocked on this
#1839516: Introduce entity operation providers is blocked on this, because field_ui needs to hook into entity access control for any entity type and not just specific ones, in order to check access for the entity operations it defines. This is why a hook_entity_access() is required and hook_ENTITY_TYPE_access() can technically not be used.
Comment | File | Size | Author |
---|---|---|---|
#29 | interdiff.txt | 1.04 KB | Xano |
#29 | drupal_2057377_29.patch | 9.01 KB | Xano |
#27 | interdiff.txt | 1.03 KB | Xano |
#27 | drupal_2057377_27.patch | 9.01 KB | Xano |
#22 | drupal_2057377_22.patch | 9.01 KB | Xano |
Comments
Comment #1
dpiTagging
Comment #2
clemens.tolboomI couldn't find documentation about hook_entity_access on https://api.drupal.org/api/drupal/8/search/hook_entity_access while trying to work on tour_ui: #2031163: Main page is broken on 'admin/config/user-interface/tour'
Don't we need the API documentation first :)
Comment #3
XanoComment #4
XanoComment #5
XanoComment #7
XanoComment #9
XanoComment #10
tim.plunkett#2041333: Inject the module handler into the entity access controller will help clean up this patch a bit.
Comment #12
jibran#2041333: Inject the module handler into the entity access controller is in.
Comment #13
XanoComment #14
jibranLittle description will help.
desc missing here.
@see should be at the end of the documentation.
Comment #16
XanoComment #18
Xano#16: drupal_2057377_16.patch queued for re-testing.
Comment #20
XanoComment #21
jibranI think we need tests here.
Comment #22
XanoComment #23
dawehnerJust wondering whether we should use AccessInterface::ALLOW DENY and KILL on the longrun for these values?
Oh since when do we use protected for test functions ... are they even called with that?
Comment #24
XanoAccessInterface is for routes. These are API hooks.
They're called from within the class and don't need to be public.
Comment #25
dawehnerI know that it is for routes, though the interface is not part of the routing namespace, just saying ... and this might add some clarity
Regarding protected ... well let's just keep that, even it is inconsistent with like 99% of core.
Comment #25.0
dawehnerformatting
Comment #25.1
Xano.
Comment #25.2
Xano.
Comment #26
fagoThe patch looks good to me, just the hook docs could use some improvement I think:
I don't think "Checks access" is a good description here. The hook does not check access for you, you can use the hook to do it yourself! I.e. you implement the hook to "control access" or "change access", not to check it.
hook_node_access() seems to go with "control access" so I'd suggest following that.
Comment #27
XanoComment #28
fagoI think it should be "Check entity create access." - without the s. If you look at other hook documentations they are about you doing something, not about a function doing something for you.
Comment #29
XanoComment #30
fagoThanks! Back to RTBC then.
Comment #31
alexpottCommitted 2891848 and pushed to 8.x. Thanks!
Comment #32
Xano@alexpott Thank you!
Comment #33
XanoThe change notice is at https://drupal.org/node/2095227.
Comment #35
xjmPlease remove the tag when the change notification task is completed.
Comment #35.0
xjm.