Add checkNodeAccess to the manipulators used to load menu options

Created on 11 February 2019, almost 6 years ago
Updated 24 April 2023, over 1 year ago

The parent_menu_item options array is built by MenuParentFormSelector::getParentSelectOptions with menu.default_tree_manipulators:checkNodeAccess as one of the manipulators, which will mark unpublished nodes as inaccessible and exclude them from the array.

We should add this check to MenuSelect::menuTreeMachineNameLoad() so that entries which are not in the core options dialog are not added to the available list of menu links, which both exposes their titles to users who may not be able to otherwise view them and creates a situation where their selection in the menu_select list will not be saved.

🐛 Bug report
Status: Fixed
Version: 1.0
Component: Code
Created by: 🇺🇸 United States i.mcbride

Tags: Security

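The access filtering described in the issue summary, as an added example that is not menu_select's code or the committed fix: it loads a menu tree through Drupal core's menu link tree service with the same manipulators the summary names, then skips every element whose access result is not allowed. The function names `example_accessible_menu_options` and `example_collect_options` are hypothetical.

```php
<?php

use Drupal\Core\Menu\MenuLinkTreeInterface;
use Drupal\Core\Menu\MenuTreeParameters;

/**
 * Hypothetical helper: builds "menu:plugin_id" => title options for a menu,
 * leaving out links the current user is not allowed to access.
 */
function example_accessible_menu_options(MenuLinkTreeInterface $menu_tree, string $menu_name): array {
  $tree = $menu_tree->load($menu_name, new MenuTreeParameters());
  $manipulators = [
    // Marks links to unpublished nodes as inaccessible (see issue summary).
    ['callable' => 'menu.default_tree_manipulators:checkNodeAccess'],
    // Resolves access for every link that has no access result yet.
    ['callable' => 'menu.default_tree_manipulators:checkAccess'],
    ['callable' => 'menu.default_tree_manipulators:generateIndexAndSort'],
  ];
  $tree = $menu_tree->transform($tree, $manipulators);

  $options = [];
  example_collect_options($tree, $menu_name, $options);
  return $options;
}

/**
 * Hypothetical recursive walk over the transformed tree.
 */
function example_collect_options(array $tree, string $menu_name, array &$options, int $depth = 0): void {
  foreach ($tree as $element) {
    // Denied links can remain in the tree as placeholders after checkAccess,
    // so test the access result before the title is ever read. Skipping the
    // element also skips its subtree.
    if ($element->access !== NULL && !$element->access->isAllowed()) {
      continue;
    }
    $key = $menu_name . ':' . $element->link->getPluginId();
    $options[$key] = str_repeat('--', $depth) . ' ' . $element->link->getTitle();
    if (!empty($element->subtree)) {
      example_collect_options($element->subtree, $menu_name, $options, $depth + 1);
    }
  }
}
```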

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇮Finland heikkiy Oulu

    I tested the current 2.0.x branch and I noticed that this issue is still present. I can basically select a disabled menu item as the parent and then when editing the node, I cannot access the menu tree anymore.

    Happens with the Administrator role.

    When I checked the code from https://git.drupalcode.org/project/menu_select/-/blob/2.0.x/src/MenuSele... it seems like the file name has changed from MenuSelect.php to MenuSelectTreeBuilder.php and the changes to the $data->access->isAllowed() are not present.
