Issue #2799049 by AaronBauman, jungle, hussainweb, Neograph734, a_mitch, anmolgoyal74, Hardik_Patel_12, geek-merlin, cilefen, eblue, fmueller_previon, Anas_maw, rensingh99, Abhijith S, yepa, Ruchi Joshi, Stephen Ollman, dww, alexpott, catch, benjifisher, Wim Leers: Add new permission to view user email field
catch
parent
90f67d0985
commit
84c8b1e1d9
|
|
@ -412,6 +412,18 @@ class UserTest extends ResourceTestBase {
|
||||||
$this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
|
$this->assertArrayNotHasKey('mail', $doc['data'][2]['attributes']);
|
||||||
$this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
|
$this->assertSame($user_b->uuid(), $doc['data'][count($doc['data']) - 1]['id']);
|
||||||
$this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
|
$this->assertArrayHasKey('mail', $doc['data'][count($doc['data']) - 1]['attributes']);
|
||||||
|
|
||||||
|
// Now grant permission to access user mail and verify.
|
||||||
|
$this->grantPermissionsToTestedRole(['access user mail']);
|
||||||
|
// Viewing user A as user B: "mail" field should be accessible.
|
||||||
|
$response = $this->request('GET', $user_a_url, $request_options);
|
||||||
|
$doc = Json::decode((string) $response->getBody());
|
||||||
|
$this->assertArrayHasKey('mail', $doc['data']['attributes']);
|
||||||
|
// Also when looking at the collection.
|
||||||
|
$response = $this->request('GET', $collection_url, $request_options);
|
||||||
|
$doc = Json::decode((string) $response->getBody());
|
||||||
|
$this->assertSame($user_a->uuid(), $doc['data']['2']['id']);
|
||||||
|
$this->assertArrayHasKey('mail', $doc['data'][2]['attributes']);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -113,10 +113,15 @@ class UserAccessControlHandler extends EntityAccessControlHandler {
|
||||||
return AccessResult::neutral();
|
return AccessResult::neutral();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case 'mail':
|
||||||
|
// Only check for the access user mail permission and a view operation.
|
||||||
|
// Use case fall-through for all other cases.
|
||||||
|
if ($operation == 'view' && $account->hasPermission('access user mail')) {
|
||||||
|
return AccessResult::allowed()->cachePerPermissions();
|
||||||
|
}
|
||||||
case 'preferred_langcode':
|
case 'preferred_langcode':
|
||||||
case 'preferred_admin_langcode':
|
case 'preferred_admin_langcode':
|
||||||
case 'timezone':
|
case 'timezone':
|
||||||
case 'mail':
|
|
||||||
// Allow view access to own mail address and other personalization
|
// Allow view access to own mail address and other personalization
|
||||||
// settings.
|
// settings.
|
||||||
if ($operation == 'view') {
|
if ($operation == 'view') {
|
||||||
|
|
|
||||||
|
|
@ -32,6 +32,13 @@ class UserAccessControlHandlerTest extends UnitTestCase {
|
||||||
*/
|
*/
|
||||||
protected $viewer;
|
protected $viewer;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The mock user account with 'access user mail' permission.
|
||||||
|
*
|
||||||
|
* @var \Drupal\Core\Session\AccountInterface
|
||||||
|
*/
|
||||||
|
protected $emailViewer;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The mock user account that is able to change their own account name.
|
* The mock user account that is able to change their own account name.
|
||||||
*
|
*
|
||||||
|
|
@ -96,6 +103,18 @@ class UserAccessControlHandlerTest extends UnitTestCase {
|
||||||
->method('hasPermission')
|
->method('hasPermission')
|
||||||
->will($this->returnValue(TRUE));
|
->will($this->returnValue(TRUE));
|
||||||
|
|
||||||
|
$this->emailViewer = $this->createMock('\Drupal\Core\Session\AccountInterface');
|
||||||
|
$this->emailViewer
|
||||||
|
->expects($this->any())
|
||||||
|
->method('hasPermission')
|
||||||
|
->will($this->returnValueMap([
|
||||||
|
['access user mail', TRUE],
|
||||||
|
]));
|
||||||
|
$this->emailViewer
|
||||||
|
->expects($this->any())
|
||||||
|
->method('id')
|
||||||
|
->will($this->returnValue(3));
|
||||||
|
|
||||||
$entity_type = $this->createMock('Drupal\Core\Entity\EntityTypeInterface');
|
$entity_type = $this->createMock('Drupal\Core\Entity\EntityTypeInterface');
|
||||||
|
|
||||||
$this->accessControlHandler = new UserAccessControlHandler($entity_type);
|
$this->accessControlHandler = new UserAccessControlHandler($entity_type);
|
||||||
|
|
@ -240,6 +259,14 @@ class UserAccessControlHandlerTest extends UnitTestCase {
|
||||||
'view' => TRUE,
|
'view' => TRUE,
|
||||||
'edit' => TRUE,
|
'edit' => TRUE,
|
||||||
];
|
];
|
||||||
|
$access_info[] = [
|
||||||
|
'field' => $field,
|
||||||
|
'viewer' => 'emailViewer',
|
||||||
|
'target' => 'owner',
|
||||||
|
'view' => $field === 'mail',
|
||||||
|
// See note above.
|
||||||
|
'edit' => TRUE,
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
return $access_info;
|
return $access_info;
|
||||||
|
|
|
||||||
|
|
@ -11,6 +11,9 @@ administer users:
|
||||||
restrict access: true
|
restrict access: true
|
||||||
access user profiles:
|
access user profiles:
|
||||||
title: 'View user information'
|
title: 'View user information'
|
||||||
|
access user mail:
|
||||||
|
title: 'View user email addresses'
|
||||||
|
description: 'Users without this permission will not have access to email addresses on user pages or other places where they might be shown, such as Views and JSON:API responses.'
|
||||||
change own username:
|
change own username:
|
||||||
title: 'Change own username'
|
title: 'Change own username'
|
||||||
select account cancellation method:
|
select account cancellation method:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue