Deleting a menu link from the node edit form does not apply hook_ENTITY_TYPE_access()

Created on 23 November 2020, over 4 years ago
Updated 27 February 2025, about 1 month ago

Problem/Motivation

We have a hook_ENTITY_TYPE_access() that forbids users from deleting some menu links.
It works correctly when editing the menu itself (clicking the Delete button on one of these menu items correctly displays an error).
However, it is still possible to delete the menu link from the node edit form. Unchecking Provide a menu link and saving the node will delete the menu link even if the user does not have the permission to do so.

Steps to reproduce

  1. Create a menu link that references a node.
  2. Create a hook similar to this:
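    use Drupal\Core\Access\AccessResult;
    use Drupal\Core\Entity\EntityInterface;
    use Drupal\menu_link_content\MenuLinkContentInterface;
    // Implements hook_ENTITY_TYPE_access(): forbid deleting any menu link.
    function foo_menu_link_content_access(EntityInterface $entity, $operation) {
      if ($operation == 'delete' && $entity instanceof MenuLinkContentInterface) {
        return AccessResult::forbidden();
      }
      return AccessResult::neutral();
    }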
    
  3. Rebuild permissions.
  4. Browse to the node edit page, uncheck Provide a menu link and save the node
  5. The menu link will be deleted

Proposed resolution

menu_ui_form_node_form_submit() should check the access before deleting the menu link.

User interface changes

The Provide a menu link checkbox could be disabled when the menu link can't be deleted.

πŸ› Bug report
Status

Active

Version

11.0 🔥

Component

menu system

Created by

🇫🇷 France prudloff Lille

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities

  • 🇫🇷 France prudloff Lille

    There is a similar problem with hook_menu_link_content_create_access().
    If you add this hook:

    function test_menu_link_content_create_access() {
      return Drupal\Core\Access\AccessResult::forbidden();
    }
    

    Users with the "administer menu" permission can't use the menu link add form, but can still add a menu link when using the node edit form.

  • Merge request !11321 Resolve #3184181 "Deleting a menu" → (Open) created by prudloff
  • 🇺🇸 United States nicxvan

    Is the inverse also true where users without permissions can create menu items through the node edit page?

  • 🇫🇷 France prudloff Lille

    Is the inverse also true where users without permissions can create menu items through the node edit page?

    Without the patch: users explicitly need the "administer menu" permission to create menu items through the node edit page.
    With the patch: users need menu link create access (this can be achieved with the "administer menu" permission or with some custom hook_create_access).

  • 🇺🇸 United States smustgrave

    Left some small comments in MR

    If you are another contributor eager to jump in, please allow the previous poster at least 48 hours to respond to feedback first, so they have the opportunity to finish what they started!

  • 🇺🇸 United States smustgrave

    Believe feedback has been addressed on this one.
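
The access checks this issue asks for, covering both the delete case from the summary and the create case from the comments, written as an added example that is not the merge request's code or Drupal core's. The function name and return strings are hypothetical, and it assumes a bootstrapped Drupal site with the menu_link_content module enabled.

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\menu_link_content\MenuLinkContentInterface;

/**
 * Applies the "Provide a menu link" choice with entity access enforced.
 *
 * Hypothetical helper: the name and return strings are assumptions.
 * $link->delete() and $link->save() write to storage without consulting
 * access hooks; only access() and createAccess() invoke
 * hook_ENTITY_TYPE_access() and hook_ENTITY_TYPE_create_access().
 */
function example_apply_menu_link_choice(?MenuLinkContentInterface $link, bool $enabled, AccountInterface $account): string {
  if (!$enabled) {
    if ($link === NULL) {
      return 'unchanged';
    }
    // Unchecking the box means deleting the existing link.
    if (!$link->access('delete', $account)) {
      return 'delete_denied';
    }
    $link->delete();
    return 'deleted';
  }
  if ($link === NULL) {
    // Checking the box on a node without a link means creating one.
    $handler = \Drupal::entityTypeManager()->getAccessControlHandler('menu_link_content');
    return $handler->createAccess(NULL, $account) ? 'create_allowed' : 'create_denied';
  }
  // An existing link that stays enabled is an update.
  return $link->access('update', $account) ? 'update_allowed' : 'update_denied';
}
```

A caller such as a form submit handler would act only on the `deleted`, `create_allowed` and `update_allowed` results and surface an error for the `*_denied` ones.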
