Contrib.social

MenuForm::buildOverviewTreeForm() does not check access to operations

Open on Drupal.org β†’
Created on 6 October 2021, over 3 years ago
Updated 8 February 2023, about 2 years ago

Problem/Motivation

We use a hook_ENTITY_TYPE_access() to restrict access to editing some menu links.
It works fine but the Edit button is still displayed when editing the menu, so it is confusing for users.

Steps to reproduce

Create a hook like this:

function foo_menu_link_content_access(MenuLinkContentInterface $entity, string $operation) {
  if (in_array($operation, ['update', 'delete'])) {
    return AccessResult::forbidden();
  }
}

Then browse to /admin/structure/menu/manage/yourmenu.

Proposed resolution

MenuForm::buildOverviewTreeForm() should check access to each link before adding the operation.

Remaining tasks

I will submit a patch.

πŸ› Bug report
Status

Needs work

Version

9.5

Component
Menu systemΒ  β†’

Last updated about 18 hours ago

Created by

πŸ‡«πŸ‡·France prudloff Lille

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024