Problem/Motivation
Route access is not checked when Operations (Edit/Delete) are rendered
Steps to reproduce
- Create a RouteSubscriber service (as described in https://www.drupal.org/docs/drupal-apis/routing-system/altering-existing... )
- Add a custom access requirement. Example:
...
if ($route = $collection->get('entity.node.edit_form')) {
  $route->setRequirement('_custom_access', 'Drupal\my_custom_module\Controller\CustomAccessController::checkEditAccess');
}
...
- Update checkEditAccess() so it forbids access to the edit_form route.
- Navigate to a node: the "Edit" operation is visible, but clicking "Edit" or navigating to the edit route directly returns Access Denied.
Expected: the Edit operation should not be rendered.
Note: if the route/operation is forbidden in hook_ENTITY_TYPE_access(), there is no issue: the route is forbidden and the "Edit" operation is not rendered.
Note: the Delete operation behaves the same way: if the delete route is forbidden, the operation is still displayed in local tasks.
Note: see related issues. #2473873 fixes operations in Views when the route is forbidden by a custom access check.
Proposed resolution
- either operations should check route access, or
- create an OperationsSubscriber to override the operations, or
- update the documentation on how to restrict an operation when overriding a route, given that route access and operations are not related.
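As an added illustration of the second option (not code from this issue or from Drupal core), a workaround in the module's .module file: an implementation of hook_entity_operation_alter() that re-checks each operation's route through the access manager and drops the operation when the current user is denied, so the rendered list matches what the route will actually allow. The module name follows the issue's my_custom_module placeholder.

```php
<?php
// Added example, not Drupal core code. File: my_custom_module.module
// (module name taken from the issue's placeholder).

use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Url;

/**
 * Implements hook_entity_operation_alter().
 *
 * Operations are built from entity access ('update' / 'delete'), which is
 * why a denial in hook_ENTITY_TYPE_access() hides them while a route that
 * is forbidden only through a `_custom_access` requirement does not.
 * Re-checking the operation's route here closes that gap.
 */
function my_custom_module_entity_operation_alter(array &$operations, EntityInterface $entity) {
  foreach ($operations as $key => $operation) {
    if (empty($operation['url']) || !$operation['url'] instanceof Url) {
      continue;
    }
    /** @var \Drupal\Core\Url $url */
    $url = $operation['url'];
    // Unrouted (external) URLs have no route access to check.
    if (!$url->isRouted()) {
      continue;
    }
    // Url::access() runs the full route access check for the current user,
    // including `_custom_access` requirements added by a RouteSubscriber.
    if (!$url->access()) {
      unset($operations[$key]);
    }
  }
}
```

The hook returns nothing and so cannot add cacheability to the rendered list; keep the custom access callback's result cacheable per permissions (for example via AccessResult::allowedIfHasPermission()) so cached operation lists do not leak across roles.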
Remaining tasks
- fix issue
- update tests
User interface changes
- none
Introduced terminology
API changes
Data model changes
Release notes snippet