path: root/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
authorAlex Pott2017-02-09 19:19:36 +0000
committerAlex Pott2017-02-09 19:56:28 +0000
commit1fcd3d5c56ee9511d4dd620d332f29a5d9656212 (patch)
tree1bb104b7725e5c4ab1460659b1d5e73dea5167f7 /core/modules/rest/src/Plugin/rest/resource/EntityResource.php
parentb52ac5eb58ccea29dd906efd0e7cef3e7dfe43f4 (diff)
Issue #2808233 by gnuget, dawehner, Wim Leers, tedbow, Chi, dysrama: REST 403 responses don't tell the user *why* access is not granted: requires deep Drupal understanding to figure out
Diffstat (limited to 'core/modules/rest/src/Plugin/rest/resource/EntityResource.php')
-rw-r--r--core/modules/rest/src/Plugin/rest/resource/EntityResource.php37
1 files changed, 30 insertions, 7 deletions
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index a1631bd..3e35f83 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -120,7 +120,7 @@ class EntityResource extends ResourceBase implements DependentPluginInterface {
public function get(EntityInterface $entity) {
$entity_access = $entity->access('view', NULL, TRUE);
if (!$entity_access->isAllowed()) {
- throw new AccessDeniedHttpException();
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'view'));
}
$response = new ResourceResponse($entity, 200);
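Review bot: The reason string from `$entity_access->getReason()` is now sent verbatim in the 403 body to whoever made the request, including anonymous clients, and nothing in this hunk filters or documents that; any access control handler (core or contrib) that writes an internal or diagnostic reason into its AccessResult will now leak it. If that is the intended contract it should be stated at the throw site so handler authors know the string is client-visible, e.g. `// The access reason is returned to the client in the 403 body; handlers must not put internal details in it.` The `?:` fallback is also a truthiness test, so a reason of `"0"` would be replaced by the generic message, which is harmless but worth knowing. The body of get() continues past the hunk.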
@@ -160,8 +160,9 @@ class EntityResource extends ResourceBase implements DependentPluginInterface {
throw new BadRequestHttpException('No entity content received.');
}
- if (!$entity->access('create')) {
- throw new AccessDeniedHttpException();
+ $entity_access = $entity->access('create', NULL, TRUE);
+ if (!$entity_access->isAllowed()) {
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'create'));
}
$definition = $this->getPluginDefinition();
// Verify that the deserialized entity is of the type that we expect to
@@ -215,8 +216,9 @@ class EntityResource extends ResourceBase implements DependentPluginInterface {
if ($entity->getEntityTypeId() != $definition['entity_type']) {
throw new BadRequestHttpException('Invalid entity type');
}
- if (!$original_entity->access('update')) {
- throw new AccessDeniedHttpException();
+ $entity_access = $original_entity->access('update', NULL, TRUE);
+ if (!$entity_access->isAllowed()) {
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'update'));
}
// Overwrite the received properties.
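Review bot: The access check on the new line is made against `$original_entity`, but the fallback message is built from `$entity`, the object deserialized from the request body, so the entity type and bundle reported in the 403 come from client-supplied data rather than from the entity whose access was actually denied. The entity type is already verified to match a few lines above, but the bundle is not, so the message can describe a bundle the stored entity does not have. Pass the checked entity instead: `throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($original_entity, 'update'));`. The method body continues outside the hunk.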
@@ -279,8 +281,9 @@ class EntityResource extends ResourceBase implements DependentPluginInterface {
* @throws \Symfony\Component\HttpKernel\Exception\HttpException
*/
public function delete(EntityInterface $entity) {
- if (!$entity->access('delete')) {
- throw new AccessDeniedHttpException();
+ $entity_access = $entity->access('delete', NULL, TRUE);
+ if (!$entity_access->isAllowed()) {
+ throw new AccessDeniedHttpException($entity_access->getReason() ?: $this->generateFallbackAccessDeniedMessage($entity, 'delete'));
}
try {
$entity->delete();
@@ -295,6 +298,26 @@ class EntityResource extends ResourceBase implements DependentPluginInterface {
}
/**
+ * Generates a fallback access denied message, when no specific reason is set.
+ *
+ * @param \Drupal\Core\Entity\EntityInterface $entity
+ * The entity object.
+ * @param string $operation
+ * The disallowed entity operation.
+ *
+ * @return string
+ * The proper message to display in the AccessDeniedHttpException.
+ */
+ protected function generateFallbackAccessDeniedMessage(EntityInterface $entity, $operation) {
+ $message = "You are not authorized to {$operation} this {$entity->getEntityTypeId()} entity";
+
+ if ($entity->bundle() !== $entity->getEntityTypeId()) {
+ $message .= " of bundle {$entity->bundle()}";
+ }
+ return "{$message}.";
+ }
+
+ /**
* {@inheritdoc}
*/
public function permissions() {
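Review bot: The condition `$entity->bundle() !== $entity->getEntityTypeId()` in generateFallbackAccessDeniedMessage() is an unexplained heuristic; it appears to rely on the convention that entity types without bundles report their entity type ID as the bundle, and a reader without that context will not see why the comparison decides whether to mention a bundle. Add a comment above the check, e.g. `// Entity types without bundles report the entity type ID as their bundle; only mention the bundle when it is a real one.`, and have the docblock say the result is sent to the client as the 403 reason. If that convention does not hold for every entity type in use, the message would just omit or include the bundle wrongly, so it is a documentation point rather than a security one. permissions() starts in this hunk but its body is outside it.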