Deleting a menu link from the node edit form does not apply hook_ENTITY_TYPE_access()

Created on 23 November 2020, over 4 years ago
Updated 27 February 2025, about 2 months ago

Problem/Motivation

We have a hook_ENTITY_TYPE_access() that forbids users from deleting some menu links.
It works correctly when editing the menu itself (clicking the Delete button on one of these menu items correctly displays an error).
However, it is still possible to delete the menu link from the node edit form. Unchecking Provide a menu link and saving the node will delete the menu link even if the user does not have the permission to do so.

Steps to reproduce

  1. Create a menu link that references a node.
  2. Create a hook similar to this:
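    use Drupal\Core\Access\AccessResult;
    use Drupal\Core\Entity\EntityInterface;
    use Drupal\menu_link_content\MenuLinkContentInterface;

    function foo_menu_link_content_access(EntityInterface $entity, $operation) {
      // Forbid the delete operation on every menu link content entity.
      if ($operation == 'delete' && $entity instanceof MenuLinkContentInterface) {
        return AccessResult::forbidden();
      }
    }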
    
  3. Rebuild permissions.
  4. Browse to the node edit page, uncheck Provide a menu link and save the node.
  5. The menu link will be deleted.

Proposed resolution

menu_ui_form_node_form_submit() should check the access before deleting the menu link.

User interface changes

The Provide a menu link checkbox could be disabled when the menu link can't be deleted.
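
Until core performs that check, a site can enforce it from a custom module. The following is an added example, not part of the original issue or of Drupal core: the module name `foo` and both function names are hypothetical, and the checkbox part assumes the `$form['menu']` structure built by menu_ui and that this alter runs after menu_ui's (for example through module weight).

```php
<?php

use Drupal\Core\Form\FormStateInterface;
use Drupal\menu_link_content\Entity\MenuLinkContent;

/**
 * Implements hook_form_BASE_FORM_ID_alter() for node_form.
 *
 * Hypothetical module "foo"; example code, not Drupal core.
 */
function foo_form_node_form_alter(array &$form, FormStateInterface $form_state) {
  // Enforcement: validation runs on the server, before any submit handler,
  // and does not depend on the order in which alter hooks are invoked.
  $form['#validate'][] = 'foo_node_form_menu_link_validate';

  // Cosmetic: lock the checkbox when the link may not be deleted.
  // Assumption: menu_ui keeps the link's entity ID in a value element here.
  $entity_id = $form['menu']['link']['entity_id']['#value'] ?? NULL;
  $link = $entity_id ? MenuLinkContent::load($entity_id) : NULL;
  // access() evaluates hook_ENTITY_TYPE_access() for the current user.
  if ($link && !$link->access('delete')) {
    $form['menu']['enabled']['#disabled'] = TRUE;
    $form['menu']['enabled']['#description'] = t('You are not allowed to delete this menu link.');
  }
}

/**
 * Rejects the form when unchecking the box would delete a protected link.
 */
function foo_node_form_menu_link_validate(array &$form, FormStateInterface $form_state) {
  $values = $form_state->getValue('menu');
  // Same condition that leads the menu_ui submit handler to delete the link.
  if (empty($values) || !empty($values['enabled']) || empty($values['entity_id'])) {
    return;
  }
  $link = MenuLinkContent::load($values['entity_id']);
  if ($link && !$link->access('delete')) {
    $form_state->setErrorByName('menu][enabled', t('You are not allowed to delete this menu link.'));
  }
}
```

The validation handler is the actual control; the disabled checkbox only keeps users from reaching the error.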

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

menu system

Created by

🇫🇷 France prudloff Lille

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
