Access Control

We've already talked about quite a few topics in the previous chapters, but we have been purposefully omitting an important aspect in many of them--access control. Much of what we covered deals in some way or another with access, but we have kept it out of our discussions to keep things more to the point. However, access control is an immensely important topic for Drupal development because it has implications in almost everything we do. So, for this purpose, we have a chapter dedicated to it in which we will cover the most important things you need to know in order to keep your application secure.

When I say secure, I don't mean writing code in a secure way to avoid your site getting hacked. For that, we have an appendix at the end of the book to give you some pointers. Instead, I mean handling access control programmatically to ensure that your pages and any other resources are only accessible to the right users.

In this chapter, aside from introducing new concepts that stand on their own, we'll be revisiting some of the previous topics and seeing how we can apply access control in that context. We will start by talking about how Drupal sees access restrictions at a high level, but then dive deep into more specific and complex examples. Also, as usual, we will see code in order to better understand what we talk about.

However, what exactly are we going to learn in this chapter?

First, we will introduce the Drupal access system of roles and permissions and see how we can create them in our code. Even more important for us as module developers, we will see how we can check whether users have permissions programmatically. This is still while keeping things general.

Next, we will dive into more exciting things by looking at route permissions. We have enormous flexibility here and will explore a number of approaches we can use to restrict access to custom and existing routes--ranging from simple permission-based access control to dynamic service-oriented access handlers.

After covering routes, we will look at entities and how access control works with them. In doing so, we will work a bit on the Product entity we created in Chapter 7, Your Own Custom Entity and Plugin Types. Moreover, we will also talk about the Node Access Grants system, which is a powerful way to control access specific to the Node entity type.

Finally, we will also look at Block plugins and see how we can control access and ensure that they are rendered on the page. Blocks can have certain contextual rules that determine whether they are displayed on a certain page in the region they have been added to. So, we will talk about that a bit as well.

The purpose of this chapter is to bring together all aspects related to access control that you need to get started as a Drupal 8 module developer. However, you can expect even more than that, and for this reason, it can also serve as a resource for coming back and reading up on certain approaches to access control you may want to use in your own project, rather than having them scattered across the book.
