Faulty toolbar subtree hash breaks asynchonous loading of admin menu content

Open on Drupal.org →

Created on 23 April 2020, over 4 years ago

Updated 5 August 2024, 3 months ago

Problem/Motivation

The toolbar subtrees use a hash to determine if access to the subtree should be allowed in ToolbarController::checkSubTreeAccess(). In certain situations the hash does not match, resulting in a JavaScript error and the subtrees not dynamically loading. Temporarily commenting out the hash check from ToolbarController::checkSubTreeAccess() makes the toggles appear again.

The toolbar module relies on _toolbar_get_subtrees_hash function to generate hash based on admin menu subtrees' length. This information is not same when you call it via `hook_toolbar` and via /toolbar/subtrees Ajax route. This difference is due to multiple reasons, few are:
1. If you are on admin pages, subtree uses stable template to generate html while Ajax uses toolbar module template
2. If there is a customization like adding destination to any of the link then hook_toolbar attaches current page url while Ajax attaches /toolbar/subtrees as destination

Steps to reproduce

Set the admin menu in vertical mode.
Make sure to have a site with 2 languages.
Enable the Account administration pages on Language negotiation > Detection and selection.
Set the default language to something non-english.
Set an admin language in your user profile other than the default site language (e.g. english).
Go to a content page in your content language.
Refresh the cache (I did this from the content page with devel module).
Navigate to an admin page.
Observe that the toolbar submenu toggles (blue arrows) are not shown and there is a JavaScript error.

Proposed resolution

The hash is calculated from the rendered subtrees, but if the rendered content changes, the hash no longer matches with the sent one and the access check fails.

Proposed solution is to use $hash = Crypt::hashBase64(serialize(array_keys($subtrees))); instead of $hash = Crypt::hashBase64(serialize($subtrees));. So that the hash is based on structure, rather than content.

Remaining tasks

Understand the purpose of the hash(?). Is it related to CSRF, MITM, permissions?
Agree on an alternative hash input.

User interface changes

Hopefully none

API changes

Probably none

Data model changes

Release notes snippet

🐛 Bug report

Status

Needs work

Version

11.0 🔥

Component

Last updated 10 days ago

Maintained by
🇫🇷France @nod_

Created by

🇮🇳India ash2303

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Needs issue summary update
Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.1 & MySQL 5.7
last update about 1 year ago
30,332 pass, 1 fail
Status changed to Needs review 8 months ago5:52pm 20 March 2024
Comment 8 months ago →
🇮🇳India zeeshan_khan
This one fixes the problem for me.
Status changed to Needs work 8 months ago6:00pm 20 March 2024
Comment 8 months ago →
🇺🇸United States smustgrave
Will need test coverage showing the problem.

Issue summary is also incomplete, recommend using the standard issue template
Comment 8 months ago →
🇳🇱Netherlands neograph734 Netherlands
I have updated the IS and merged it with the content of 🐛 Toolbar causes a Javascript error if the subtrees content changes between page loads Closed: duplicate .

The patch from #2 and #9 does not appear to work. It makes the issue go away, but when a new module is installed, the menu does not update and the new links don't become visible. So the hash might be too generic(?).

The patch from #13 removes the has check alltogether. Without knowing what it is supposed to do, that feels too big of change.

Should we perhaps try hasing the raw menu tree structure or something instead?
Comment 8 months ago →
🇳🇱Netherlands neograph734 Netherlands
Comment 6 months ago →
🇧🇪Belgium matthiasm11
Combining the patches from #9 to generate the hash and #13 to fix the caching seems to fix the issue.
Disabling a module makes the corresponding menu item disappear, enabling the module again makes it appear again.
No console errors anymore. I've not investigated this any further.
Comment 3 months ago →
🇨🇿Czech Republic milos.kroulik
I can confirm observations made in #17. So I'm going to create a combined patch.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024