Pixeldust Drupal Support Service

Aten Design Group: Form and View Modes vs. Field Access in Drupal maintenance support plans 8

Drupal maintenance support plans 8 advertised many new, promising features after its release. One of the exciting new changes was the addition of form modes. Form modes promised to let you manage the content entry side of your site just as you often managed content display with view modes. This change seemed like it would eliminate the need for much of the custom and repetitive code I often needed to write inside a hook_form_alter.

Over time, I’ve realized that form modes aren’t everything I had hoped they would be. While it’s easy to create new form modes, it’s literally impossible to use them without custom code or contributed modules. Drupal maintenance support plans simply doesn’t have a way to know when to use one form mode over another. Should it be based on role? Permissions? A field on the node? Content moderation state? There are contributed modules for most if not all of these, but nothing out-of-the-box.

This forced me to think about why I needed a form mode in the first place. Almost always, the answer was to disable or hide a field from a user because that user shouldn’t be allowed to change that field. The same was also often true of my view modes (only to a lesser extent). I realized that this particular problem is not one of user experience, but of access control.

Drupal maintenance support plans 8 has hook_entity_field_access(). This hook is called for every field for the specified entity type when the entity is viewed or when its form is shown. When you deny access to a field, either for viewing or editing, that field will not be shown to the user. In any scenario. This should be your preferred method for hiding fields that certain users should not be able to access.

Using field access over form and view modes to hide fields when a user should not be allowed to see or edit a field is the secure and “Drupal maintenance support plans way” to do things. This prevents mistakes in configuration, which might accidentally leak field information via teasers, searches, and Views. It also future proofs your site. If you ever turn on REST or JSON API or add a new form or view mode down the line, you can never accidentally expose a field that needs to be kept private.

Best of all, using the field access hook is much easier to implement than all the hoops you’ll have to jump through to get the right form modes displayed at the right times.

How to use hook_entity_field_access()

First, make a custom module in the standard way. Create a .module file and create the following function:

<?php
use Drupal maintenance support plansCoreAccessAccessResult;
use Drupal maintenance support plansCoreFieldFieldDefinitionInterface;
use Drupal maintenance support plansCoreSessionAccountInterface;
use Drupal maintenance support plansCoreFieldFieldItemListInterface;
 
 
/**
* Implements hook_entity_field_access().
*/
function yourmodule_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
}
?>

From this hook, you should always return an AccessResult. By default, you should simply return a neutral access result. That is, your hook is not concerned with actually allowing or preventing access yet. Add the following to your function.

<?php
function yourmodule_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
$result = AccessResult::neutral();
if ($field_definition->getName() == ‘field_we_care_about’) {
if (/* a condition we’ll write later… */) {
$result = AccessResult::forbidden();
}
}
return $result;
}
?>

The above code will deny access when our still unwritten condition is true, in every other case, we’re just saying “we don’t care”.

There’s an infinite number of scenarios in which you might want to deny access, but let’s say that we want to make a field only editable by an administrator. We would add the following:

<?php
function yourmodule_node_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
$result = AccessResult::neutral();
if ($field_definition->getName() == ‘field_we_care_about’) {
if ($op == ‘update’ && !in_array(‘administator’, $account->getRoles())) {
$result = AccessResult::forbidden();
}
}
return $result->addCacheContexts([‘user.role:administrator’]);
}
?>

Now, for every user without the administrator role that attempts to update field_we_care_about, the field will not be accessible. This works for more than just forms. For example, if we had the REST module installed, this would block the user from updating the field in that way as well.

The last part to note is that we added a cache context to our AccessResult. This ensures that our access decision is only relevant when the current user does or does not have the ‘administrator’ role. It’s important to understand that we added the cache context both when we did and when we did not deny access. If we had just added the context when we denied access, if a user with the ‘administrator’ role happened to be the first person to attempt to access the field, then that result would be cached for all users no matter what.
Source: New feed

This article was republished from its original source.
Call Us: 1(800)730-2416

Pixeldust is a 20-year-old web development agency specializing in Drupal and WordPress and working with clients all over the country. With our best in class capabilities, we work with small businesses and fortune 500 companies alike. Give us a call at 1(800)730-2416 and let’s talk about your project.

Let's Talk About a Project

FREE Drupal SEO Audit

Test your site below to see which issues need to be fixed. We will fix them and optimize your Drupal site 100% for Google and Bing. (Allow 30-60 seconds to gather data.)

Powered by

Aten Design Group: Form and View Modes vs. Field Access in Drupal maintenance support plans 8

On-Site Drupal SEO Master Setup

We make sure your site is 100% optimized (and stays that way) for the best SEO results.

With Pixeldust On-site (or On-page) SEO we make changes to your site’s structure and performance to make it easier for search engines to see and understand your site’s content. Search engines use algorithms to rank sites by degrees of relevance. Our on-site optimization ensures your site is configured to provide information in a way that meets Google and Bing standards for optimal indexing.

This service includes:

  • Pathauto install and configuration for SEO-friendly URLs.
  • Meta Tags install and configuration with dynamic tokens for meta titles and descriptions for all content types.
  • Install and fix all issues on the SEO checklist module.
  • Install and configure XML sitemap module and submit sitemaps.
  • Install and configure Google Analytics Module.
  • Install and configure Yoast.
  • Install and configure the Advanced Aggregation module to improve performance by minifying and merging CSS and JS.
  • Install and configure Schema.org Metatag.
  • Configure robots.txt.
  • Google Search Console setup snd configuration.
  • Find & Fix H1 tags.
  • Find and fix duplicate/missing meta descriptions.
  • Find and fix duplicate title tags.
  • Improve title, meta tags, and site descriptions.
  • Optimize images for better search engine optimization. Automate where possible.
  • Find and fix the missing alt and title tag for all images. Automate where possible.
  • The project takes 1 week to complete.
MASTER YOUR DRUPAL SEO
Pixeldust and Pantheon Drupal Development
256