MenuExtension not allowing access without management permission

Created on 31 October 2024, 22 days ago

Problem/Motivation

Categorized as bug because behavior seems to deviate from core.
Currently menuByName(name: MAIN) { only seems to work if a user has the permissions to manage a menu.
This is because MenuExtension uses the entity_load producer with the default access_operation which is view.
However, cores MenuAccessControlHandler doesn't implement a view operation.
So without a 3rd-party module or custom code that integrates a "view" permission one doesn't seem to be able to provide the menu structure to users without the menu management permission.

Steps to reproduce

Enable Menu Extension in Server Schema

Run the following query with a use without menu management permissions:

query MenuTest {
      menuByName(name: MAIN) {
    		label
        links {
            link {
              label
            }
        }
    }
}

Proposed resolution

In order to align with core we should only use the available permissions.
Hence I'd suggest to use the view label permission for entity_load in the MenuExtension.

Another approach would be to provide a menu view permission ourselves, because other contrib modules are missing that permission too (checked simple_menu_permissions → or menu_perms_per_menu → )

Remaining tasks

Write code
Decide on path forward - this is a somewhat big change in behavior even though it seems to align with core. Do we need a config in order to maintain behavior in existing installs?
Code-Review
Merge

User interface changes

Maybe new config setting.

API changes

menuByName() will always allow access since "view label" permission is unrestricted by core. Link filtering is in place as before.

Data model changes

Maybe new config setting.

🐛 Bug report

Status

Needs work

Version

1.0

Component

Code

Created by

🇨🇭Switzerland das-peter

Live updates comments and jobs are added and updated live.

Merge Requests

!23MenuExtension not allowing access without management permission
Open
🇨🇭Switzerland das-peter
updated 22 days ago

Comments & Activities

Issue created by @das-peter
Merge request !23Issue #3484865: MenuExtension not allowing access without management permission → (Open) created by das-peter
Comment 22 days ago →
🇨🇭Switzerland das-peter
Pipeline finished with Success
22 days ago
Total: 196s
#325873
Comment 16 days ago →
🇨🇭Switzerland ayalon
We have doumented this under security:
https://graphql-core-schema.netlify.app/basics/security.html

There you can also see an example of a custom module. Because we claim to be secure by default, I would like to avoid any code that could possible expose data, that is not accessible via core.

I recommend using the proposed hook:

/** * Implements hook_ENTITY_TYPE_access(). */ function MY_MODULE_menu_access(EntityInterface $entity, $operation, AccountInterface $account) { // Grant view access to the main menu to everyone. $id = $entity->id(); if ($operation === 'view' && $id === 'main') { return AccessResult::allowed(); } return AccessResult::neutral(); }

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024