Permissions not checked for "Si Prepublish" and "Si Recheck" task links

Believe the problem was the base route and route name were switched. See if this works.

Tested and working on version 3.0.2. Thanks!

I don't see this fix in the 3.0.2 version.

I tested on 3.0.2 and not worked too.

Adding the patch file:

I'm moving this to needs work as the patch causes error accessing the settings form:

he website encountered an unexpected error. Try again later.

Drupal\Core\Access\AccessException: entity.node.latest_version is not a valid entity route. The LatestRevisionCheck access checker may only be used with a route that has a single entity parameter. in Drupal\content_moderation\Access\LatestRevisionCheck->loadEntity() (line 96 of core/modules/content_moderation/src/Access/LatestRevisionCheck.php).
Drupal\content_moderation\Access\LatestRevisionCheck->access(Object, Object, Object)
call_user_func_array(Array, Array) (Line: 160)
Drupal\Core\Access\AccessManager->performCheck('access_check.latest_revision', Object) (Line: 136)
Drupal\Core\Access\AccessManager->check(Object, Object, NULL, 1) (Line: 93)
Drupal\Core\Access\AccessManager->checkNamedRoute('entity.node.latest_version', Array, Object, 1) (Line: 327)
Drupal\Core\Menu\LocalTaskManager->getTasksBuild('siteimprove.settings_form', Object) (Line: 358)
Drupal\Core\Menu\LocalTaskManager->getLocalTasks('siteimprove.settings_form', 0) (Line: 106)
Drupal\Core\Menu\Plugin\Block\LocalTasksBlock->build() (Line: 171)
Drupal\block\BlockViewBuilder::preRender(Array)
call_user_func_array('Drupal\block\BlockViewBuilder::preRender', Array) (Line: 113)
Drupal\Core\Render\Renderer->doTrustedCallback('Drupal\block\BlockViewBuilder::preRender', Array, 'Render #pre_render callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. See https://www.drupal.org/node/2966725', 'exception', 'Drupal\Core\Render\Element\RenderCallbackInterface') (Line: 870)
Drupal\Core\Render\Renderer->doCallback('#pre_render', 'Drupal\block\BlockViewBuilder::preRender', Array) (Line: 432)
Drupal\Core\Render\Renderer->doRender(Array) (Line: 504)
Drupal\Core\Render\Renderer->doRender(Array, ) (Line: 248)
Drupal\Core\Render\Renderer->render(Array) (Line: 484)
Drupal\Core\Template\TwigExtension->escapeFilter(Object, Array, 'html', NULL, 1) (Line: 58)
__TwigTemplate_dce0afb8f08ddefe6f658f4a16527566->doDisplay(Array, Array) (Line: 388)
Twig\Template->yield(Array, Array) (Line: 344)
Twig\Template->display(Array) (Line: 359)
Twig\Template->render(Array) (Line: 51)
Twig\TemplateWrapper->render(Array) (Line: 33)
twig_render_template('core/themes/claro/templates/page.html.twig', Array) (Line: 348)
Drupal\Core\Theme\ThemeManager->render('page', Array) (Line: 491)
Drupal\Core\Render\Renderer->doRender(Array, ) (Line: 248)
Drupal\Core\Render\Renderer->render(Array) (Line: 484)
Drupal\Core\Template\TwigExtension->escapeFilter(Object, Array, 'html', NULL, 1) (Line: 91)
__TwigTemplate_4fe79ed86ad73411981c8085e342dd06->doDisplay(Array, Array) (Line: 388)
Twig\Template->yield(Array, Array) (Line: 344)
Twig\Template->display(Array) (Line: 359)
Twig\Template->render(Array) (Line: 51)
Twig\TemplateWrapper->render(Array) (Line: 33)
twig_render_template('core/themes/claro/templates/classy/layout/html.html.twig', Array) (Line: 348)
Drupal\Core\Theme\ThemeManager->render('html', Array) (Line: 491)
Drupal\Core\Render\Renderer->doRender(Array, ) (Line: 248)
Drupal\Core\Render\Renderer->render(Array) (Line: 158)
Drupal\Core\Render\MainContent\HtmlRenderer->Drupal\Core\Render\MainContent\{closure}() (Line: 638)
Drupal\Core\Render\Renderer->executeInRenderContext(Object, Object) (Line: 153)
Drupal\Core\Render\MainContent\HtmlRenderer->renderResponse(Array, Object, Object) (Line: 90)
Drupal\Core\EventSubscriber\MainContentViewSubscriber->onViewRenderArray(Object, 'kernel.view', Object)
call_user_func(Array, Object, 'kernel.view', Object) (Line: 111)
Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch(Object, 'kernel.view') (Line: 186)
Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object, 1) (Line: 76)
Symfony\Component\HttpKernel\HttpKernel->handle(Object, 1, 1) (Line: 53)
Drupal\Core\StackMiddleware\Session->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object, 1, 1) (Line: 28)
Drupal\Core\StackMiddleware\ContentLength->handle(Object, 1, 1) (Line: 263)
Drupal\shield\ShieldMiddleware->bypass(Object, 1, 1) (Line: 130)
Drupal\shield\ShieldMiddleware->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object, 1, 1) (Line: 51)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object, 1, 1) (Line: 36)
Drupal\Core\StackMiddleware\AjaxPageState->handle(Object, 1, 1) (Line: 51)
Drupal\Core\StackMiddleware\StackedHttpKernel->handle(Object, 1, 1) (Line: 741)
Drupal\Core\DrupalKernel->handle(Object) (Line: 19)

For now, for the project I removed the local tasks at all:

/**
 * Implements hook_local_tasks_alter().
 */
function hook_local_tasks_alter(&$local_tasks) {
  // Remove site improve tasks from local tasks.
  $site_improve_tasks = [
    'siteimprove.recheck',
    'siteimprove.prepublish_check',
  ];

  foreach ($site_improve_tasks as $task) {
    if (isset($local_tasks[$task])) {
      unset($local_tasks[$task]);
    }
  }
}

You can't add access checks to local tasks, as far I know.
And reusing the 'siteimprove.settings_form' route gives an error on the settings form.

To make this work for the local tasks I added 2 new routes and a controller so you can have separate permissions for those links.
I didn't know another way for the routes to work so I added the SiteimproveController, I think you will never access the redirect because of the javascript logic.

The 2 links now have working access checks.