Restrict access to user 1 so that Account Admins cannot edit it.

2023-08-26 15:58:12 -04:00 · 2023-08-26 15:58:12 -04:00 · 05a3b374bb
parent 501d573b19
commit 05a3b374bb
2 changed files with 61 additions and 0 deletions
--- a/modules/core/role/modules/account_admin/farm_role_account_admin.module
+++ b/modules/core/role/modules/account_admin/farm_role_account_admin.module
@ -0,0 +1,22 @@
+<?php
+
+/**
+ * @file
+ * Hooks implemented by the farmOS Account Admin Role module.
+ */
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Entity\EntityInterface;
+use Drupal\Core\Session\AccountInterface;
+
+/**
+ * Implements hook_ENTITY_TYPE_access().
+ */
+function farm_role_account_admin_user_access(EntityInterface $entity, $operation, AccountInterface $account) {
+
+  // Only user 1 can access user 1.
+  if ($entity->id() == 1 && $account->id() != 1) {
+    return AccessResult::forbidden();
+  }
+  return AccessResult::neutral();
+}
--- a/modules/core/role/modules/account_admin/tests/src/Functional/UserAccessTest.php
+++ b/modules/core/role/modules/account_admin/tests/src/Functional/UserAccessTest.php
@ -0,0 +1,39 @@
+<?php
+
+namespace Drupal\Tests\farm_role_account_admin\Functional;
+
+use Drupal\Tests\farm_test\Functional\FarmBrowserTestBase;
+
+/**
+ * Tests access to user 1.
+ *
+ * @group farm
+ */
+class UserAccessTest extends FarmBrowserTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $modules = [
+    'farm_role_account_admin',
+  ];
+
+  /**
+   * Test user 1 access.
+   */
+  public function testUser1Access() {
+
+    // Create and login a user with farm_account_admin role.
+    $user = $this->createUser();
+    $user->addRole('farm_account_admin');
+    $user->save();
+    $this->drupalLogin($user);
+
+    // Confirm that the user cannot access user 1.
+    $this->drupalGet('user/1');
+    $this->assertSession()->statusCodeEquals(403);
+    $this->drupalGet('user/1/edit');
+    $this->assertSession()->statusCodeEquals(403);
+  }
+
+}