Add access checking to link render structures

Created on 5 September 2014, over 10 years ago

Updated 31 March 2025, 2 days ago

Problem/Motivation

#2302563: Access check Url objects → added access checking to Url::toRenderArray(). There are a good number of other render arrays created with similar structure and purpose. Core has a number of subtle bugs around this. For example, ConfigEntityListBuilder::getDefaultOperations lacks access checking and presents enable / disable even if the user can't do either.

Proposed resolution

Add the #access_callback wherever we find #route_parameters and #route_name. Except those few places (shortcut seems to be the only one) where render array visibility matters.

Remaining tasks

Add tests.

User interface changes

API changes

📌 Task

Status

Postponed: needs info

Version

11.0 🔥

Component

entity system

Created by

🇨🇦Canada chx

Live updates comments and jobs are added and updated live.

stale-issue-cleanup
To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 2 days ago →
🇺🇸United States smustgrave
Thank you for creating this issue to improve Drupal.

We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

Thanks!

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024