Access permission to /admin/ changed between 10.1 and 10.2

Created on 19 December 2023, 11 months ago
Updated 12 January 2024, 10 months ago

Problem/Motivation

When using this module, version 2.0.1, with Drupal 10.2, and a user without the "view scheduled taxonomy_term" permission,
the view configuration "views.view.scheduler_scheduled_taxonomy_term.yml" makes the Access Check for menu /admin/structure render as "AccessNeutral", whereas core/lib/Drupal/Core/Routing/AccessAwareRouter.php (line 115) expects "isAllowed()".
This eventually ends up with a "CacheableAccessDeniedHttpException", a.k.a. an HTTP 403 error. The menu item "structure" is also not visible within the admin menu.

Steps to reproduce

- Install module
- Set up an underprivileged user who does not have the "view scheduled taxonomy_term" permission but does have access to other items within the admin structure menu like taxonomies, webforms or blocks.
- Try to access the /admin/structure with and without the "view scheduled taxonomy_term" permission.

Proposed resolution

In some way the view "views.view.scheduler_scheduled_taxonomy_term.yml" property "default.display_options.access" shouldn't bubble up all the way up onto the menu.
Unsure how it could be achieved.

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request
Status

Closed: duplicate

Version

2.0

Component

Code
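
The Neutral-versus-Allowed distinction described in the report, as an added example that is not part of the original issue or of Drupal core: a stand-alone PHP 8.1 model of the tri-state access result and the router's "must be allowed" rule. The helper names (`permissionCheck`, `httpStatus`) and the two sample users are constructed for illustration.

```php
<?php
// Simplified stand-alone model (PHP 8.1+), not Drupal core code.
enum Access { case Allowed; case Neutral; case Forbidden; }

// Combination rules matching AccessResult::orIf(): Forbidden always wins,
// otherwise a single Allowed is enough.
function orIf(Access $a, Access $b): Access {
    if ($a === Access::Forbidden || $b === Access::Forbidden) return Access::Forbidden;
    if ($a === Access::Allowed || $b === Access::Allowed) return Access::Allowed;
    return Access::Neutral;
}

// Combination rules matching AccessResult::andIf(): Forbidden always wins,
// otherwise both sides must be Allowed.
function andIf(Access $a, Access $b): Access {
    if ($a === Access::Forbidden || $b === Access::Forbidden) return Access::Forbidden;
    if ($a === Access::Allowed && $b === Access::Allowed) return Access::Allowed;
    return Access::Neutral;
}

// Hypothetical helper: a permission check never forbids, a missing
// permission only yields Neutral ("no opinion").
function permissionCheck(array $granted, string $permission): Access {
    return in_array($permission, $granted, true) ? Access::Allowed : Access::Neutral;
}

// Hypothetical helper for the router's final decision: anything that is
// not explicitly Allowed (Neutral included) is answered with HTTP 403.
function httpStatus(Access $final): int {
    return $final === Access::Allowed ? 200 : 403;
}

// Constructed sample users, using permission names quoted in this issue.
$users = [
    'without scheduler permission' => ['access taxonomy overview'],
    'with scheduler permission'    => ['access taxonomy overview', 'view scheduled taxonomy_term'],
];

foreach ($users as $label => $granted) {
    $view     = permissionCheck($granted, 'view scheduled taxonomy_term');
    $taxonomy = permissionCheck($granted, 'access taxonomy overview');
    printf(
        "%-29s view alone: %d | view OR taxonomy: %d | view AND taxonomy: %d\n",
        $label,
        httpStatus($view),
        httpStatus(orIf($view, $taxonomy)),
        httpStatus(andIf($view, $taxonomy))
    );
}
```

A Neutral result is harmless while it is being combined with an Allowed one through `orIf`, but it is treated exactly like a denial once it is the final result for a route.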


Comments & Activities

  • Issue created by @flemming.fridthjof
  • 🇬🇧United Kingdom jonathan1055

    Hi flemming.fridthjof,
    Thanks for reporting this. I noticed on another issue (on a different module) that the permissions checking for admin urls has been tightened between Core 10.1 and 10.2 so this is probably related.

    I will try to replicate the problem locally. Also it would be good to expand our test coverage so that this is checked, as the tests all pass currently, even on 10.2.

  • 🇬🇧United Kingdom jonathan1055

    I have tested this thoroughly and the problem you are getting is actually due to changes between Core 10.1 and 10.2; it is not a Scheduler bug.

    Here is the scenario which I think replicates what you had before, in Core 10.1

    1. Create a user with a role that has the admin permission 'access taxonomy overview'.
    2. The url admin/structure/taxonomy/ is OK and can be accessed. But admin/structure/ and admin/ are both denied.
    3. Add the permission 'Access administration pages and help'. This gives access to both admin/structure/ and admin/.

    But in core 10.2 it is slightly different

    1. Create a user with a role that has the admin permission 'access taxonomy overview'.
    2. The url admin/structure/taxonomy/ is OK and can be accessed. But admin/structure/ and admin/ are both denied.
    3. Add the permission 'access administration pages'. This gives access to admin/structure/ and it needs another permission in the structure group, such as 'administer blocks' or 'administer menus'. Permissions such as 'administer views' also do not give admin/structure/ even though the link to admin views does appear there.
    4. There does not appear to be any permission which gives access to /admin (is that only for user id 1?)

    I hope this explains your situation. I have not managed to find out the actual core issues which made these changes between 10.1 and 10.2. It would be useful to have that info.

  • 🇬🇧United Kingdom jonathan1055

    The results for Core 10.2 above were using a development site with an out-of-date 10.2 branch, dated 21 November. I have now switched to an updated core 10.2 and the result is different. The permission 'Use administration pages' is enough to get access to admin/structure and the top-level admin.

  • Status changed to Closed: duplicate 10 months ago
  • 🇧🇪Belgium jelle_s Antwerp, Belgium

    For anyone experiencing this issue: the patch/merge request over at 🐛 Admin page access denied even when access is given to child items RTBC should fix it for you.

  • 🇬🇧United Kingdom jonathan1055

    Thanks @Jelle_S for linking that issue.
