Add entity access checks to other entity loads. (#895)

ndrake0027 · fubhy · commit d2bff1c7f43e · 2019-09-10T22:53:48.000+02:00
diff --git a/doc/producers/built-in.md b/doc/producers/built-in.md
@@ -22,14 +22,14 @@ This list includes all available data producers inside GraphQL to this day and b
 * **Entity id** (`entity_id`) : Returns the entity identifier.
 * **Entity label** (`entity_label`) : Returns the entity label given an entity such as a node.
 * **Entity language** (`entity_language`) : Returns the entity language.
-* **Entity load** (`entity_load`) : Loads a single entity given parameters like type, id (optional), language (optional) or bundles (optional)
-* **Entity load multiple** (`entity_load_multiple`) : Loads a multiple entities given parameters like type, ids (optional), language (optional) or bundles (optional)
-* **Entity load by uuid** (`entity_load_by_uuid`) : Loads a single entity by Uuid.
+* **Entity load** (`entity_load`) : Loads a single entity given parameters like type, id (optional), language (optional) bundles (optional), access (TRUE by default), access_user (current user by default) or access_operation ("view" by default).
+* **Entity load multiple** (`entity_load_multiple`) : Loads a multiple entities given parameters like type, ids (optional), language (optional), bundles (optional), access (TRUE by default), access_user (current user by default) or access_operation ("view" by default)
+* **Entity load by uuid** (`entity_load_by_uuid`) : Loads a single entity by Uuid with access control parameters: access (TRUE by default), access_user (current user by default) or access_operation ("view" by default).
 * **Entity owner** (`entity_owner`) : Returns the entity owner given an entity such as a node.
 * **Entity published** (`entity_published`) : Returns whether the entity is published given an entity such as a node.
 * **Entity rendered** (`entity_rendered`) : Returns the rendered entity.
-* **Entity translation** (`entity_translation`) : Returns the translated entity.
-* **Entity translations** (`entity_translations`) : Returns all available translations of an entity.
+* **Entity translation** (`entity_translation`) : Returns the translated entity with access control parameters: access (TRUE by default), access_user (current user by default) or access_operation ("view" by default).
+* **Entity translations** (`entity_translations`) : Returns all available translations of an entity with access control parameters: access (TRUE by default), access_user (current user by default) or access_operation ("view" by default).
 * **Entity type** (`entity_type_id`) : Returns an entity's entity type.
 * **Entity url** (`entity_url`) : Returns the entity's url.
 * **Entity uuid** (`entity_uuid`) : Returns the entity's uuid.
diff --git a/src/Plugin/GraphQL/DataProducer/Entity/EntityLoad.php b/src/Plugin/GraphQL/DataProducer/Entity/EntityLoad.php
@@ -40,15 +40,18 @@
  *     ),
  *     "access" = @ContextDefinition("boolean",
  *       label = @Translation("Check access"),
- *       required = FALSE
+ *       required = FALSE,
+ *       default_value = TRUE
  *     ),
  *     "access_user" = @ContextDefinition("entity:user",
  *       label = @Translation("User"),
- *       required = FALSE
+ *       required = FALSE,
+ *       default_value = NULL
  *     ),
  *     "access_operation" = @ContextDefinition("string",
  *       label = @Translation("Operation"),
- *       required = FALSE
+ *       required = FALSE,
+ *       default_value = "view"
  *     )
  *   }
  * )
@@ -136,7 +139,7 @@ public function __construct(
    *
    * @return \GraphQL\Deferred
    */
-  public function resolve($type, $id = NULL, $language = NULL, $bundles = NULL, $access = TRUE, AccountInterface $accessUser = NULL, string $accessOperation = 'view', FieldContext $context) {
+  public function resolve($type, $id, $language, $bundles, ?bool $access, ?AccountInterface $accessUser, ?string $accessOperation, FieldContext $context) {
     $resolver = $this->entityBuffer->add($type, $id);
 
     return new Deferred(function () use ($type, $id, $language, $bundles, $resolver, $context, $access, $accessUser, $accessOperation) {
diff --git a/src/Plugin/GraphQL/DataProducer/Entity/EntityLoadByUuid.php b/src/Plugin/GraphQL/DataProducer/Entity/EntityLoadByUuid.php
@@ -6,6 +6,7 @@
 use Drupal\Core\Entity\EntityTypeManagerInterface;
 use Drupal\Core\Entity\TranslatableInterface;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
+use Drupal\Core\Session\AccountInterface;
 use Drupal\graphql\GraphQL\Buffers\EntityUuidBuffer;
 use Drupal\graphql\GraphQL\Execution\FieldContext;
 use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
@@ -36,6 +37,21 @@
  *       label = @Translation("Entity bundle(s)"),
  *       multiple = TRUE,
  *       required = FALSE
+ *     ),
+ *     "access" = @ContextDefinition("boolean",
+ *       label = @Translation("Check access"),
+ *       required = FALSE,
+ *       default_value = TRUE
+ *     ),
+ *     "access_user" = @ContextDefinition("entity:user",
+ *       label = @Translation("User"),
+ *       required = FALSE,
+ *       default_value = NULL
+ *     ),
+ *     "access_operation" = @ContextDefinition("string",
+ *       label = @Translation("Operation"),
+ *       required = FALSE,
+ *       default_value = "view"
  *     )
  *   }
  * )
@@ -116,14 +132,17 @@ public function __construct(
    * @param $uuid
    * @param array|string $language
    * @param array|string $bundles
+   * @param bool $access
+   * @param \Drupal\Core\Session\AccountInterface|NULL $accessUser
+   * @param string $accessOperation
    * @param \Drupal\graphql\GraphQL\Execution\FieldContext $context
    *
    * @return \GraphQL\Deferred
    */
-  public function resolve($type, $uuid, $language = NULL, $bundles = NULL, FieldContext $context) {
+  public function resolve($type, $uuid, $language, $bundles, ?bool $access, ?AccountInterface $accessUser, ?string $accessOperation, FieldContext $context) {
     $resolver = $this->entityBuffer->add($type, $uuid);
 
-    return new Deferred(function () use ($type, $language, $bundles, $resolver, $context) {
+    return new Deferred(function () use ($type, $language, $bundles, $resolver, $context, $access, $accessUser, $accessOperation) {
       if (!$entity = $resolver()) {
         // If there is no entity with this id, add the list cache tags so that the
         // cache entry is purged whenever a new entity of this type is saved.
@@ -134,6 +153,17 @@ public function resolve($type, $uuid, $language = NULL, $bundles = NULL, FieldCo
         return NULL;
       }
 
+      // Check if the passed user (or current user if none is passed) has access
+      // to the entity, if not return NULL.
+      if ($access) {
+        /* @var $accessResult \Drupal\Core\Access\AccessResultInterface */
+        $accessResult = $entity->access($accessOperation, $accessUser, TRUE);
+        $context->addCacheableDependency($accessResult);
+        if ($accessResult->isForbidden()) {
+          return NULL;
+        }
+      }
+
       if (isset($bundles) && !in_array($entity->bundle(), $bundles)) {
         // If the entity is not among the allowed bundles, don't return it.
         $context->addCacheableDependency($entity);
diff --git a/src/Plugin/GraphQL/DataProducer/Entity/EntityLoadMultiple.php b/src/Plugin/GraphQL/DataProducer/Entity/EntityLoadMultiple.php
@@ -6,6 +6,7 @@
 use Drupal\Core\Entity\EntityTypeManagerInterface;
 use Drupal\Core\Entity\TranslatableInterface;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
+use Drupal\Core\Session\AccountInterface;
 use Drupal\graphql\GraphQL\Buffers\EntityBuffer;
 use Drupal\graphql\GraphQL\Execution\FieldContext;
 use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
@@ -37,6 +38,21 @@
  *       label = @Translation("Entity bundle(s)"),
  *       multiple = TRUE,
  *       required = FALSE
+ *     ),
+ *     "access" = @ContextDefinition("boolean",
+ *       label = @Translation("Check access"),
+ *       required = FALSE,
+ *       default_value = TRUE
+ *     ),
+ *     "access_user" = @ContextDefinition("entity:user",
+ *       label = @Translation("User"),
+ *       required = FALSE,
+ *       default_value = NULL
+ *     ),
+ *     "access_operation" = @ContextDefinition("string",
+ *       label = @Translation("Operation"),
+ *       required = FALSE,
+ *       default_value = "view"
  *     )
  *   }
  * )
@@ -113,18 +129,21 @@ public function __construct(
   }
 
   /**
-   * @param string $type
-   * @param int[] $ids
-   * @param string $language
-   * @param string[] $bundles
+   * @param $type
+   * @param array $ids
+   * @param null $language
+   * @param array|NULL $bundles
+   * @param bool $access
+   * @param \Drupal\Core\Session\AccountInterface|NULL $accessUser
+   * @param string $accessOperation
    * @param \Drupal\graphql\GraphQL\Execution\FieldContext $context
    *
    * @return \GraphQL\Deferred
    */
-  public function resolve($type, array $ids, $language = NULL, array $bundles = NULL, FieldContext $context) {
+  public function resolve($type, array $ids, $language, array $bundles, ?bool $access, ?AccountInterface $accessUser, ?string $accessOperation, FieldContext $context) {
     $resolver = $this->entityBuffer->add($type, $ids);
 
-    return new Deferred(function () use ($type, $ids, $language, $bundles, $resolver, $context) {
+    return new Deferred(function () use ($type, $ids, $language, $bundles, $resolver, $context, $access, $accessUser, $accessOperation) {
       /** @var \Drupal\Core\Entity\EntityInterface[] $entities */
       if (!$entities = $resolver()) {
         // If there is no entity with this id, add the list cache tags so that
@@ -150,15 +169,15 @@ public function resolve($type, array $ids, $language = NULL, array $bundles = NU
           $entities[$id]->addCacheContexts(["static:language:{$language}"]);
         }
 
-        $access = $entity->access('view', NULL, TRUE);
-        $context->addCacheableDependency($access);
-
-        if (!$access->isAllowed()) {
-          // Do not return the entity if access is denied.
-          unset($entities[$id]);
-          continue;
+        if ($access) {
+          /* @var $accessResult \Drupal\Core\Access\AccessResultInterface */
+          $accessResult = $entity->access($accessOperation, $accessUser, TRUE);
+          $context->addCacheableDependency($accessResult);
+          if ($accessResult->isForbidden()) {
+            unset($entities[$id]);
+            continue;
+          }
         }
-
       }
 
       return $entities;
diff --git a/src/Plugin/GraphQL/DataProducer/Entity/EntityTranslation.php b/src/Plugin/GraphQL/DataProducer/Entity/EntityTranslation.php
@@ -7,6 +7,7 @@
 use Drupal\Core\Entity\EntityRepositoryInterface;
 use Drupal\Core\Entity\TranslatableInterface;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
+use Drupal\Core\Session\AccountInterface;
 use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 
@@ -24,6 +25,21 @@
  *     ),
  *     "language" = @ContextDefinition("string",
  *       label = @Translation("Language")
+ *     ),
+ *     "access" = @ContextDefinition("boolean",
+ *       label = @Translation("Check access"),
+ *       required = FALSE,
+ *       default_value = TRUE
+ *     ),
+ *     "access_user" = @ContextDefinition("entity:user",
+ *       label = @Translation("User"),
+ *       required = FALSE,
+ *       default_value = NULL
+ *     ),
+ *     "access_operation" = @ContextDefinition("string",
+ *       label = @Translation("Operation"),
+ *       required = FALSE,
+ *       default_value = "view"
  *     )
  *   }
  * )
@@ -74,13 +90,25 @@ public function __construct(array $configuration, $pluginId, $pluginDefinition,
   /**
    * @param \Drupal\Core\Entity\EntityInterface $entity
    * @param $language
+   * @param bool $access
+   * @param \Drupal\graphql\Plugin\GraphQL\DataProducer\Entity\AccountInterface|NULL $accessUser
+   * @param string $accessOperation
    *
-   * @return \Drupal\Core\Entity\TranslatableInterface|null
+   * @return |null
    */
-  public function resolve(EntityInterface $entity, $language) {
+  public function resolve(EntityInterface $entity, $language, ?bool $access, ?AccountInterface $accessUser, ?string $accessOperation) {
     if ($entity instanceof TranslatableInterface && $entity->isTranslatable()) {
       $entity = $entity->getTranslation($language);
       $entity->addCacheContexts(["static:language:{$language}"]);
+      // Check if the passed user (or current user if none is passed) has access
+      // to the entity, if not return NULL.
+      if ($access) {
+        /* @var $accessResult \Drupal\Core\Access\AccessResultInterface */
+        $accessResult = $entity->access($accessOperation, $accessUser, TRUE);
+        if ($accessResult->isForbidden()) {
+          return NULL;
+        }
+      }
       return $entity;
     }
 
diff --git a/src/Plugin/GraphQL/DataProducer/Entity/EntityTranslations.php b/src/Plugin/GraphQL/DataProducer/Entity/EntityTranslations.php
@@ -8,6 +8,7 @@
 use Drupal\Core\Entity\TranslatableInterface;
 use Drupal\Core\Language\LanguageInterface;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
+use Drupal\Core\Session\AccountInterface;
 use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 
@@ -24,6 +25,21 @@
  *   consumes = {
  *     "entity" = @ContextDefinition("entity",
  *       label = @Translation("Entity")
+ *     ),
+ *     "access" = @ContextDefinition("boolean",
+ *       label = @Translation("Check access"),
+ *       required = FALSE,
+ *       default_value = TRUE
+ *     ),
+ *     "access_user" = @ContextDefinition("entity:user",
+ *       label = @Translation("User"),
+ *       required = FALSE,
+ *       default_value = NULL
+ *     ),
+ *     "access_operation" = @ContextDefinition("string",
+ *       label = @Translation("Operation"),
+ *       required = FALSE,
+ *       default_value = "view"
  *     )
  *   }
  * )
@@ -73,17 +89,27 @@ public function __construct(array $configuration, $pluginId, $pluginDefinition,
 
   /**
    * @param \Drupal\Core\Entity\EntityInterface $entity
+   * @param bool $access
+   * @param \Drupal\Core\Session\AccountInterface|NULL $accessUser
+   * @param string $accessOperation
    *
-   * @return \Drupal\Core\Entity\TranslatableInterface|null
+   * @return array|null
    */
-  public function resolve(EntityInterface $entity) {
+  public function resolve(EntityInterface $entity, ?bool $access , ?AccountInterface $accessUser, ?string $accessOperation) {
     if ($entity instanceof TranslatableInterface && $entity->isTranslatable()) {
       $languages = $entity->getTranslationLanguages();
 
-      return array_map(function (LanguageInterface $language) use ($entity) {
+      return array_map(function (LanguageInterface $language) use ($entity, $access, $accessOperation, $accessUser) {
         $langcode = $language->getId();
         $entity = $entity->getTranslation($langcode);
         $entity->addCacheContexts(["static:language:{$langcode}"]);
+        if ($access) {
+          /* @var $accessResult \Drupal\Core\Access\AccessResultInterface */
+          $accessResult = $entity->access($accessOperation, $accessUser, TRUE);
+          if ($accessResult->isForbidden()) {
+            return NULL;
+          }
+        }
         return $entity;
       }, $languages);
     }
