AccessAwareRouter giving 403 on Neutral access

Created on 18 July 2024, 5 months ago

Problem/Motivation

AccessAwareRouter.php is returning AccessDenied when the result it gets is Neutral. I wonder, is it right, or is it too restrictive?
Shouldn't the Neutral access be giving access to nodes?

Steps to reproduce

Implementing the hook_node_access and not returning, so that the checkRequest call gets a Neutral access, then since the access_result is not allowed, one would get a 403.

protected function checkAccess(Request $request) {
  // The cacheability (if any) of this request's access check result must be
  // applied to the response.
  $access_result = $this->accessManager->checkRequest($request, $this->account, TRUE);
  // Allow a master request to set the access result for a subrequest: if an
  // access result attribute is already set, don't overwrite it.
  if (!$request->attributes->has(AccessAwareRouterInterface::ACCESS_RESULT)) {
    $request->attributes->set(AccessAwareRouterInterface::ACCESS_RESULT, $access_result);
  }
  if (!$access_result->isAllowed()) {
    if ($access_result instanceof CacheableDependencyInterface && $request->isMethodCacheable()) {
      throw new CacheableAccessDeniedHttpException($access_result, $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
    }
    else {
      throw new AccessDeniedHttpException($access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
    }
  }
}

Proposed resolution

Switch that if (!$access_result->isAllowed()) into if ($access_result->isForbidden())

💬 Support request
Status

Active

Version

10.3

Component
Request processing 

Last updated 7 days ago

No maintainer
Created by

🇫🇮Finland joey-santiago
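
The difference between the two conditions discussed in this issue, as an added example that is not part of the original post or of Drupal core: a simplified stand-alone PHP model of the three access states and the router check. The `Access` enum and the functions `or_if`, `combine`, `gate_current` and `gate_proposed` are hypothetical names; the model assumes PHP 8.1 or later and uses the same precedence as `AccessResult::orIf()`.

```php
<?php
// Simplified stand-in for Drupal's three access states; not Drupal core code.
enum Access { case Allowed; case Neutral; case Forbidden; }

// Same precedence as AccessResult::orIf(): forbidden wins, then allowed,
// otherwise the combined result stays neutral.
function or_if(Access $a, Access $b): Access {
  if ($a === Access::Forbidden || $b === Access::Forbidden) {
    return Access::Forbidden;
  }
  if ($a === Access::Allowed || $b === Access::Allowed) {
    return Access::Allowed;
  }
  return Access::Neutral;
}

// Combine the opinions of every checker; with no opinions the result is neutral.
function combine(array $opinions): Access {
  return array_reduce($opinions, 'or_if', Access::Neutral);
}

// Gate as in checkAccess() above: anything that is not allowed is a 403.
function gate_current(Access $result): int {
  return $result === Access::Allowed ? 200 : 403;
}

// Gate as in the proposed resolution: only an explicit forbidden is a 403.
function gate_proposed(Access $result): int {
  return $result === Access::Forbidden ? 403 : 200;
}

// Constructed scenarios: the opinions the checkers return for one request.
$scenarios = [
  'no checker has an opinion' => [Access::Neutral, Access::Neutral],
  'one checker allows' => [Access::Neutral, Access::Allowed],
  'allow and forbid' => [Access::Allowed, Access::Forbidden],
];

foreach ($scenarios as $label => $opinions) {
  $result = combine($opinions);
  printf("%-26s %-9s current=%d proposed=%d\n", $label, $result->name,
    gate_current($result), gate_proposed($result));
}
```

Only the all-neutral scenario differs between the two gates: the current check answers it with a 403, while the proposed check serves the request even though no checker granted access.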
