[regression] Do not bypass route access with 'link to any page' permissions for menu links

Created on 1 April 2015, over 9 years ago
Updated 13 March 2024, 9 months ago

Problem/Motivation

Menu links are always rendered for any user with the link to any page permission. This permission should not control the display of menu links. This results in (for example) users with the permission seeing menu links that they do not have access to the route of, or any children of them. A common example of this is seeing Configuration, Structure, Extend, Appearance, etc menu items without having permission to those pages. (see #50)

Original report

In #2323721-24: [sechole] Link field item and menu link information leakage โ†’ this check was added.
This is caused by following code \Drupal\Core\Menu\DefaultMenuLinkTreeManipulators::menuLinkCheckAccess()

  protected function menuLinkCheckAccess(MenuLinkInterface $instance) {
    if ($this->account->hasPermission('link to any page')) {
      return TRUE;
    }
    // Use the definition here since that's a lot faster than creating a Url
    // object that we don't need.
    $definition = $instance->getPluginDefinition();
    // 'url' should only be populated for external links.
    if (!empty($definition['url']) && empty($definition['route_name'])) {
      $access = TRUE;
    }
    else {
      $access = $this->accessManager->checkNamedRoute($definition['route_name'], $definition['route_parameters'], $this->account);
    }
    return $access;
  }

In D7 there was hook_translated_menu_link_alter() but it was removed according CR https://www.drupal.org/node/2226481 โ†’
So there's no way except overriding menu.default_tree_manipulators service (protected method) to hide menu links.

Background: working on masquerade module port for 8.x I need to hide Unmasquerade link while there's no flag in session pointing that user masqueraded.

Proposed resolution

Remove this check, and try to separate render access permissions from route.
Add a new menu tree manipulator to menu_ui so that inaccessible menu items can still be managed in the backend

Remaining tasks



Fix failures

User interface changes

Menu links could be hidden for users with link to any page permissions and UID1 too.

API changes

New MenuUiMenuTreeManipulators to allow access to all menu items when in the context of menu_ui

๐Ÿ› Bug report
Status

Fixed

Version

10.3 โœจ

Component
Menu systemย  โ†’

Last updated about 22 hours ago

Created by

๐Ÿ‡ซ๐Ÿ‡ทFrance andypost

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Merge request !3118[D11.x] Drupal 11.x version โ†’ (Closed) created by claudiu.cristea
  • First commit to issue fork.
  • Status changed to Needs work almost 2 years ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request โ†’ as a guide.

    Reviewing change record - explains the behavior before and how this broke things. The background was good feature explaining

    Hiding patches as fixes are being addressed in MR 3118
    Removing credit for myself for the rebase to see if tests pass.

    The MR is targeted against 9.5.x but did verify it applies cleanly to 10.1.x

    Tested this out on Drupal 10.1.x with a standard install
    Created a test editor with "administer menu" permission but not "link to any"
    As admin user created a menu link under tools menu
    Logged into separate browser and verified I don't see that link
    Applied fix
    In browser with editor I can see the link now but when I click edit I getAccess denied.

    Based on the change record I should be able to edit the menu links. If that's not the change then this needs a change record update to be more clear.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States DamienMcKenna NH, USA

    FWIW with this applied to core the test coverage added in #3271001 passes as expected, that the link to end the visitor's masquerading session only shows when it's supposed to, instead of all the time for user 1.

  • Status changed to Needs review over 1 year ago
  • ๐Ÿ‡ท๐Ÿ‡ดRomania claudiu.cristea Arad ๐Ÿ‡ท๐Ÿ‡ด

    @smustgrave, I think the test is self-explanatory

        // The menu link admin is able to administer the link but cannot access the
        // route as is not granted with 'bypass node access' permission.
        $this->clickLink($item->getTitle());
        $this->assertSession()->statusCodeEquals(403);
    

    Yes, you should see the link but you should not be able to access it

  • Status changed to Needs work over 1 year ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Then think the CR will need updating.

    Also the MR needs to be updated for 11.x

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States DamienMcKenna NH, USA

    This is the MR in patch format for 11.x; there were a few line offsets but one adjustment for fuzz:

    $ curl https://git.drupalcode.org/project/drupal/-/merge_requests/2978.diff|patch -p1
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 17095    0 17095    0     0  13238      0 --:--:--  0:00:01 --:--:-- 13293
    patching file core/lib/Drupal/Core/Menu/DefaultMenuLinkTreeManipulators.php
    Hunk #1 succeeded at 212 (offset 17 lines).
    patching file core/modules/menu_ui/menu_ui.services.yml
    patching file core/modules/menu_ui/src/Menu/MenuUiMenuTreeManipulators.php
    patching file core/modules/menu_ui/src/MenuForm.php
    patching file core/modules/menu_ui/tests/src/Functional/MenuUiTest.php
    Hunk #1 succeeded at 712 (offset 44 lines).
    Hunk #2 succeeded at 1190 (offset 44 lines).
    patching file core/modules/views_ui/tests/src/Functional/DisplayPathTest.php
    Hunk #1 succeeded at 216 (offset 2 lines).
    patching file core/tests/Drupal/KernelTests/Core/Menu/MenuLinkTreeTest.php
    patching file core/tests/Drupal/Tests/Core/Menu/DefaultMenuLinkTreeManipulatorsTest.php
    Hunk #1 succeeded at 205 (offset 10 lines).
    Hunk #2 succeeded at 218 (offset 10 lines).
    Hunk #3 succeeded at 240 (offset 10 lines).
    Hunk #4 succeeded at 366 with fuzz 1 (offset 10 lines).
    
  • last update over 1 year ago
    29,825 pass, 29 fail
  • ๐Ÿ‡ท๐Ÿ‡ดRomania claudiu.cristea Arad ๐Ÿ‡ท๐Ÿ‡ด

    I'm working now to rebase MR on 11.x. Please don't open new patches or MRs

  • ๐Ÿ‡ซ๐Ÿ‡ทFrance andypost

    Usually it's faster/easier to squash commits and create new MR or patch

  • last update over 1 year ago
    29,907 pass, 2 fail
  • Status changed to Needs review over 1 year ago
  • ๐Ÿ‡ท๐Ÿ‡ดRomania claudiu.cristea Arad ๐Ÿ‡ท๐Ÿ‡ด

    OK, I read once again the CR and it seems pretty clear for me. Is just saying that a menu administrator can manage menu link even they cannot access the link's underlying route. However, I've added a new phrase that might clear more the explanation. I'm not a native English speaker so, maybe the CR is confusing.

  • Status changed to Needs work over 1 year ago
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia acbramley

    Tweaked the CR very slightly, otherwise it's reading well!

  • ๐Ÿ‡ช๐Ÿ‡ธSpain akalam

    I'm uploading a patch based on the latest version of the MR to ensure it can be applied safety via composer. Tested and working fine in Drupal 10.1.7. Thanks!

  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia acbramley

    acbramley โ†’ changed the visibility of the branch 2463753-menu to hidden.

  • Pipeline finished with Failed
    about 1 year ago
    Total: 536s
    #67140
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia acbramley

    Trying to help get this across the line - the final fail is

    Drupal\Tests\system\Functional\System\AdminTest::testAdminPages
    Behat\Mink\Exception\ExpectationException: Link with label Inaccessible not found.
    

    This is due to the Content link not being visible on /admin, debugging through it's because the admin/content route is getting _access_admin_menu_block_page = TRUE added, which then gets access denied in SystemAdminMenuBlockAccessCheck::hasAccessToChildMenuItems

    I'm not sure if this is expected behaviour and therefore the testAdminPages needs to filter out inaccessible pages, or we need some other modification to get the menu item showing again.

  • Pipeline finished with Failed
    about 1 year ago
    Total: 503s
    #67152
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia larowlan ๐Ÿ‡ฆ๐Ÿ‡บ๐Ÿ.au GMT+10
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia acbramley

    Updated IS a bit.

  • Status changed to Needs review about 1 year ago
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia acbramley

    Discussed with @larowlan, we agreed that the link should not be rendered (this is by design and is the very intention of this issue). Updated test to test for just that.

  • Pipeline finished with Success
    12 months ago
    Total: 435789s
    #67161
  • Status changed to RTBC 12 months ago
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States smustgrave

    Ran the test-only feature to verify coverage

    https://git.drupalcode.org/issue/drupal-2463753/-/jobs/521505 which correctly shows.

    From what I can tell open threads are addressed/questions.

    All green.

    Only concern is if this could land in D10 since it's a permission change, but may just be me and won't let be a blocker.

  • last update 12 months ago
    25,906 pass, 1,850 fail
  • last update 12 months ago
    25,887 pass, 1,834 fail
  • last update 12 months ago
    25,905 pass, 1,828 fail
  • Status changed to Needs work 12 months ago
  • ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone

    Oh, another old issue, so nice to see these at RTBC.

    I read the issue summary and comments here. I did not find any unanswered questions.

    I did not #109 where @claudiu.cristea commented that the CR was confusing. I then read the CR and yes, it is confusing to me as a native English speaker. I am tagging for change record updates. I suggest rewording it to use plain English. There is plenty of information online to learn about it. If it were not so late right now I would have a go at improving it.

    I left some suggestions on the MR as well. Those are also about the complexity of language in the comments.

    I did not do a code review.

  • Pipeline finished with Failed
    12 months ago
    Total: 322s
    #70150
  • Status changed to RTBC 12 months ago
  • ๐Ÿ‡ท๐Ÿ‡ดRomania claudiu.cristea Arad ๐Ÿ‡ท๐Ÿ‡ด

    @quietone, thank you for looking at this.

    Iโ€™ve applied the suggestions from MR. Regarding the CR, in #109 I didnโ€™t say that the CR is confusing. I said that it might be confusing. For me is not confusing at all but I might be wrong as Iโ€™m not a native English speaker. Then, in #111, @acbramley said that he tweaked the CR and itโ€™s โ€reading wellโ€. What can I do more, youโ€™re both native English speakers?

    I will tentatively set back to RTBC, leaving you (or the core committers) to weight on the CR. I would fix it myself but not clear for me whatโ€™s confusing there

  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia acbramley

    I've simplified the title of the CR even more, I don't really see how much more rewording is possible unless someone wants to completely rewrite it. It is a somewhat confusing thing to explain though as access related issues are :)

  • last update 12 months ago
    Custom Commands Failed
  • ๐Ÿ‡ฆ๐Ÿ‡ทArgentina anairamzap Buenos Aires

    Hello, the last modifications to the MR include a syntax error on a comment :S

    In the core/modules/menu_ui/src/MenuForm.php file line 234

    diff --git a/core/modules/menu_ui/src/MenuForm.php b/core/modules/menu_ui/src/MenuForm.php
    index 9d90ac5a607d90f27b5776b722ed9f4feb60fefb..86fa319c74c4c19ececbf74aea8e84308faedd38 100644
    --- a/core/modules/menu_ui/src/MenuForm.php
    +++ b/core/modules/menu_ui/src/MenuForm.php
    @@ -231,7 +231,13 @@ protected function buildOverviewForm(array &$form, FormStateInterface $form_stat
         // We indicate that a menu administrator is running the menu access check.
         $this->getRequest()->attributes->set('_menu_admin', TRUE);
         $manipulators = [
    -      ['callable' => 'menu.default_tree_manipulators:checkAccess'],
    +   + // Use a dedicated menu tree access check manipulator as users editing
    +   * // this form, granted with 'administer menu' permission, should be able to
    +   * // access menu links with inaccessible routes. The default menu tree
    +   * // manipulator only allows the access to menu links with accessible routes.
    +      // @see \Drupal\Core\Menu\DefaultMenuLinkTreeManipulators::checkAccess()
    +      // @see \Drupal\menu_ui\Menu\MenuUiMenuTreeManipulators::checkAccess()
    +      ['callable' => 'menu_ui.menu_tree_manipulators:checkAccess'],
           ['callable' => 'menu.default_tree_manipulators:generateIndexAndSort'],
         ];
    

    I'll try to fix that now on the MR

  • Pipeline finished with Failed
    12 months ago
    Total: 178s
    #71124
  • Pipeline finished with Success
    12 months ago
    Total: 665s
    #71129
  • ๐Ÿ‡ท๐Ÿ‡ดRomania claudiu.cristea Arad ๐Ÿ‡ท๐Ÿ‡ด

    Thank you, @anairamzap

  • last update 12 months ago
    Build Successful
  • ๐Ÿ‡ฉ๐Ÿ‡ชGermany AndrewTur

    Hi, I've been using this patch on a Drupal 9.5.11 version and I cannot apply it anymore.

  • last update 12 months ago
    25,994 pass, 1,826 fail
  • last update 12 months ago
    25,995 pass, 1,840 fail
  • ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone
  • Pipeline finished with Failed
    11 months ago
    Total: 189s
    #87934
  • ๐Ÿ‡ณ๐Ÿ‡ฟNew Zealand quietone

    This was failing spell check so I rebased.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States bkosborne New Jersey, USA

    Oh yes, big +1 to this. I think it should solve ๐Ÿ› "Login" link shows up for logged-in users as well Needs work .

    • catch โ†’ committed 719f1684 on 10.3.x
      Issue #2463753 by claudiu.cristea, acbramley, gg24, anairamzap,...
    • catch โ†’ committed fa1d8ce3 on 11.x
      Issue #2463753 by claudiu.cristea, acbramley, gg24, anairamzap,...
  • Status changed to Fixed 10 months ago
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    Committed/pushed to 11.x and cherry-picked to 10.3.x, thanks! This is a big enough change I don't think we should try to cherry-pick/backport to 10.2.x

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States bkosborne New Jersey, USA

    Agreed on keeping this for 10.3

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States DamienMcKenna NH, USA

    It's fantastic to see this finally committed, thank you all!

  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024