Menu items on Admin Toolbar still shown when access denied

Created on 25 May 2023, over 1 year ago
Updated 29 June 2024, 6 months ago

Problem/Motivation

In the Project Browser we want to disable the "Install new module" page, as this is confusing when shown alongside project browser, and is somewhat obsolete as it does not install with Composer.

Using a RouteSubscriber service allows the page to be disabled. This causes it to not be shown on a regular Drupal menu, but it is still displayed on the "Extend" drop-down.

Steps to reproduce

In a module create a RouteSubscriber service containing the following:

  protected function alterRoutes(RouteCollection $collection) {
    foreach ($collection->all() as $route) {
      // Disable access to the "Add new module" route for all users.
      if (strpos($route->getPath(), '/admin/modules/install') === 0) {
        $route->setRequirement('_access', 'FALSE');
      }
    }
  }

Add a sidebar block containing the Administration menu to level 3.

"Install new module" does not appear in sidebar menu, but does appear in Admin Toolbar drop-down.

Proposed resolution

The menu item with access removed should not appear in the toolbar menu for consistency with Drupal built in menus.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇮🇪Ireland lostcarpark

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @lostcarpark
  • 🇬🇧United Kingdom omahm Belfast

    I have the same issue with a custom access handler that extends NodeAccessControlHandler. The custom handler restricts create access to certain content types and this works when viewing /node/add, but the content types still appear in the admin toolbar Content -> add dropdown.

  • 🇺🇸United States sassafrass

    I have the same issue.

  • 🇺🇸United States w01f

    Seeing this as well for regular authenticated users that want to make use of the toolbar for easy (permitted) content adding and editing, but don't need to see Configuration, Reports, etc. that they only get "Access denied" for anyway.

    Wondering if this can/will be fixed, or if the idea is to wait and swap to the new core admin toolbar coming in... 11?

  • 🇺🇸United States gslexie

    I stumbled across this while searching for something else and I'm pretty sure this issue has been resolved in Core 10.2 by https://www.drupal.org/node/296693 . There is also a submodule included in admin_toolbar called admin_toolbar_links_access_filter that was supposed to workaround the issue for earlier versions.

  • 🇺🇸United States w01f

    We figured out the issue we were experiencing - both System permissions "Link to any page" or "Use the site in maintenance mode" will override the access limitations if granted to a role. Removing both of these allows access to work as expected.

Production build 0.71.5 2024