Contrib.social

Users can 'Add child' link even if they don't have the add new links permission

Open on Drupal.org →
Created on 14 August 2024, 3 months ago
Updated 12 September 2024, 2 months ago

Problem/Motivation

When a user does not have permission to add new links:

  1. Users can 'Add child' links in the menu from the menu interface.
  2. UI displays "There are no menu links yet. Add link." in the menu UI when the menu is empty.

Steps to reproduce

Users can 'Add child' links in the menu from the menu interface.
Use the Main navigation menu:

  • Edit "Menu Perms per Menu" permissions for the user you are testing with.
  • User should have the "Administer Main navigation menu items" permission but should not have permission "Add new links to Main navigation menu from the menu interface".
  • Create a few pages (node/add/page), Provide a menu link and place them under the Main navigation Parent link
  • Go back to the menu UI: admin/structure/menu/manage/main/
  • Users can 'Add child' links in the menu. See dropdown under "Operations" column:

UI displays "There are no menu links yet. Add link." in the menu UI when the menu is empty. The "Add link" should not be displayed when the user does not have permission to add new links for that menu.

  • Create a "Test" menu: /admin/structure/menu/add.
  • Edit "Menu Perms per Menu" permissions for the user you are testing with.
  • User should have the "Administer Test menu items" permission but should not have permission "Add new links to Test menu from the menu interface".
  • Go back to the menu UI: admin/structure/menu/manage/test. You will see "There are no menu links yet. Add link."

Proposed resolution

In menu_perms_per_menu_form_menu_edit_form_alter() alter hook add:

      // Restrict access to 'Add child' in menu link operation dropdown.
      // Adding a child link is equivalent of creating/adding a new menu link.
      if (!$account->hasPermission('add new links to ' . $menu->id() . ' menu from menu interface')) {
        unset($form['links']['links'][$menu_link_id]['operations']['#links']['add-child']);
      }

Remaining tasks

🐛 Bug report
Status

Fixed

Version

1.0

Component

Code

Created by

🇨🇦Canada karolinam

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024