Issue #2940193 by arnoldbird, Mile23: Clarify purpose of admin_permission with getAdminPermission() in checkCreateAccess()

Author: arnoldbird

content_entity_example/src/ContactAccessControlHandler.php

@@ -8,19 +8,23 @@
 use Drupal\Core\Session\AccountInterface;
 
 /**
- * Access controller for the comment entity.
- *
- * @see \Drupal\comment\Entity\Comment.
+ * Access controller for the contact entity.
  */
 class ContactAccessControlHandler extends EntityAccessControlHandler {
 
   /**
    * {@inheritdoc}
    *
-   * Link the activities to the permissions. checkAccess is called with the
+   * Link the activities to the permissions. checkAccess() is called with the
    * $operation as defined in the routing.yml file.
    */
   protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
+    // Check the admin_permission as defined in your @ContentEntityType
+    // annotation.
+    $admin_permission = $this->entityType->getAdminPermission();
+    if (\Drupal::currentUser()->hasPermission($admin_permission)) {
+      return AccessResult::allowed();
+    }
     switch ($operation) {
       case 'view':
         return AccessResult::allowedIfHasPermission($account, 'view contact entity');
@@ -31,16 +35,22 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
       case 'delete':
         return AccessResult::allowedIfHasPermission($account, 'delete contact entity');
     }
-    return AccessResult::allowed();
+    return AccessResult::neutral();
   }
 
   /**
    * {@inheritdoc}
    *
-   * Separate from the checkAccess because the entity does not yet exist, it
+   * Separate from the checkAccess because the entity does not yet exist. It
    * will be created during the 'add' process.
    */
   protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
+    // Check the admin_permission as defined in your @ContentEntityType
+    // annotation.
+    $admin_permission = $this->entityType->getAdminPermission();
+    if (\Drupal::currentUser()->hasPermission($admin_permission)) {
+      return AccessResult::allowed();
+    }
     return AccessResult::allowedIfHasPermission($account, 'add contact entity');
   }
 

content_entity_example/src/Entity/Contact.php

@@ -89,7 +89,7 @@
  *   },
  *   list_cache_contexts = { "user" },
  *   base_table = "contact",
- *   admin_permission = "administer content_entity_example entity",
+ *   admin_permission = "administer contact entity",
  *   entity_keys = {
  *     "id" = "id",
  *     "label" = "name",

content_entity_example/tests/src/Functional/ContentEntityExampleTest.php

@@ -4,6 +4,7 @@
 
 use Drupal\content_entity_example\Entity\Contact;
 use Drupal\Tests\examples\Functional\ExamplesBrowserTestBase;
+use Drupal\Core\Url;
 
 /**
  * Tests the basic functions of the Content Entity Example module.
@@ -244,4 +245,63 @@ public function testAddFields() {
     $this->assertEquals($expected_path, $current_path);
   }
 
+  /**
+   * Ensure admin and permissioned users can create contacts.
+   */
+  public function testCreateAdminPermission() {
+    $assert = $this->assertSession();
+    $add_url = Url::fromRoute('content_entity_example.contact_add');
+
+    // Create a Contact entity object so that we can query it for it's annotated
+    // properties. We don't need to save it.
+    /* @var $contact \Drupal\content_entity_example\Entity\Contact */
+    $contact = Contact::create();
+
+    // Create an admin user and log them in. We use the entity annotation for
+    // admin_permission in order to validate it. We also have to add the view
+    // list permission because the add form redirects to the list on success.
+    $this->drupalLogin($this->drupalCreateUser([
+      $contact->getEntityType()->getAdminPermission(),
+      'view contact entity',
+    ]));
+
+    // Post a contact.
+    $edit = [
+      'name[0][value]' => 'Test Admin Name',
+      'first_name[0][value]' => 'Admin First Name',
+      'gender' => 'female',
+      'role' => 'administrator',
+    ];
+    $this->drupalPostForm($add_url, $edit, 'Save');
+    $assert->statusCodeEquals(200);
+    $assert->pageTextContains('Test Admin Name');
+
+    // Create a user with 'add contact entity' permission. We also have to add
+    // the view list permission because the add form redirects to the list on
+    // success.
+    $this->drupalLogin($this->drupalCreateUser([
+      'add contact entity',
+      'view contact entity',
+    ]));
+
+    // Post a contact.
+    $edit = [
+      'name[0][value]' => 'Mere Mortal Name',
+      'first_name[0][value]' => 'Mortal First Name',
+      'gender' => 'male',
+      'role' => 'user',
+    ];
+    $this->drupalPostForm($add_url, $edit, 'Save');
+    $assert->statusCodeEquals(200);
+    $assert->pageTextContains('Mere Mortal Name');
+
+    // Finally, a user who can only view should not be able to get to the add
+    // form.
+    $this->drupalLogin($this->drupalCreateUser([
+      'view contact entity',
+    ]));
+    $this->drupalGet($add_url);
+    $assert->statusCodeEquals(403);
+  }
+
 }