Data producer "menu_links" is not checking access

Prepared MR and attached patch.

Started with some unfinished test coverage, not done yet.

@andriy khomych I added cache context and 2 test cases.

Do you need the access result neutral check? We should not allow neutral access results, right? Only menu links where the user has access should be returned.

@andriy khomych I added cache context and 2 test cases.

Do you need the access result neutral check? We should not allow neutral access results, right? Only menu links where the user has access should be returned.

Yup, Drupa core allows only allowed links.
MenuLinkTree::buildItems

      // Only render accessible links.
      if ($data->access instanceof AccessResultInterface && !$data->access->isAllowed()) {
        continue;
      }

Unfortunately, I cannot add a review note to my MR, overall, it looks good.
One more moment about cache:
$context->addCacheableDependency($item->access);
I think we might add a menu object as well. I'm unsure when we have a menu link removed or added so that correct information is displayed.

Thanks for the review, good point about the menu itself.

I added the cache context for the menu as well. Not sure if this even has an effect, as I did not understand the connection between menu and menu links. But I think further testing on adding/removing menu links and caching is out of scope for this issue. I also think menus don't change that often, so should only be a minor issue.

Let's fix the inaccessible links here and postpone any further work to a new issue if it is a problem.

And merged, should appear here soon.

Uploading patch file for composer patches.

Thanks, Klausi! Well done, it looks good to me.

Automatically closed - issue fixed for 2 weeks with no activity.