Contrib.social

Access check prevents content menu items showing in menu linkset API

Open on Drupal.org →
Created on 1 July 2025, 3 days ago

Problem/Motivation

When accessing content through the menu linkset API as an anonymous user (without the "access ui route" permission), no links are returned for node content items, as the menu system runs an access check on each route which is then denied by the DisableUiAccessCheck.

Proposed resolution

Possible solution:

  1. Inject the current route match service into the DisableUiAccessCheck service.
  2. Add the route match parameter to the access check in DisableUiAccessCheck.
  3. In DisableUiAccessCheck::access() check if the current route match does not match the route passed into the access callback, and the current route is exempt from Disable UI then bypass the additional permission check.

I think that should solve the issue, so we only do the permission check if it's the main request, any additional access checks done while generating the page would bypass the additional permission.

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇦🇺Australia richard.thomas

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @richard.thomas
  • First commit to issue fork.
  • Merge request !9Only check access for the route of the main request → (Merged) created by dieterholvoet
  • Comment 3 days ago
    🇧🇪Belgium dieterholvoet Brussels

    I haven't been able to properly test this, could you?

  • Comment 3 days ago
    🇦🇺Australia richard.thomas

    I did some local testing, the previous version didn't work as we still need to return allowed rather than neutral (as I understand it route access checks need to all return allowed to pass).

    However while digging I found a more straightforward way of detecting if we're checking the main request, the access check can receive an optional request parameter, and according to the docs https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21Access%21... the request parameter is only supplied when checking the main request. I've pushed up the change now, and it works on my local testing.

    I noticed there's no CI tests for the module at the moment, but I'd be happy to write some as part of this change? Just covering the basic functionality plus checking the menu linkset endpoint to ensure this change works.

  • Pipeline finished with Success
    3 days ago
    Total: 217s
    #536726
  • Pipeline finished with Success
    3 days ago
    Total: 165s
    #536755
  • Pipeline finished with Success
    3 days ago
    Total: 153s
    #536760
  • Comment 3 days ago
    🇦🇺Australia richard.thomas

    OK I've written some tests to ensure the menu linkset feature works as well as some general tests of the functionality of the module.

    I've added in the template .gitlab-ci.yml file for contrib projects and disabled the linting stuff for now, so it's just running the PHPUnit tests.

  • Pipeline finished with Skipped
    2 days ago
    #537184
  • Comment 2 days ago
    System Message
  • Comment 2 days ago
    🇧🇪Belgium dieterholvoet Brussels

    I re-enabled linting and fixed some cs issues, all green now. Thanks a lot for your efforts! These new tests are very valuable.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024