Contrib.social

ECA Endpoint: support menu links with proper access checks

Open on Drupal.org →
Created on 11 July 2025, 22 days ago

Problem/Motivation

The ECA Endpoint module allows to specify custom pages, like "/eca/test1/test2" and by using the event "ECA Endpoint Response" we can render arbitrary contents as a page, for example using "Render: text".

The endpoint needs a second event "ECA Endpoint Access" to check whether a specified endpoint is accessible. This access check is being invoked when directly requesting the endpoint by its specified path. However this access logic is not invoked, for example when a menu link points to that specific path.

The current custom access implementation is this:
https://git.drupalcode.org/project/eca/-/blob/3.0.x/modules/endpoint/src...

Steps to reproduce

1. Create endpoint with an access check
2. See the access logic is respected when access the endpoint's path
3. Add a menu link pointing to the endpoint's path, see that this link always shows up even if the access check would result to be forbidden

Proposed resolution

Hard to say what to do to not break existing endpoint logic. Maybe add a third ECA Endpoint event that allows to specify access inside of the custom access logic linked above, maybe called "ECA Endpoint menu access" or something more general but not to confuse with the already existing access event.

The already existing event cannot be used directly in the custom access handler because it may contain logic depending on values from the given path, URL query parameters, GET / POST etc. Therefore I think we instead need to introduce a separate event for this.

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Active

Version

3.0

Component

Code

Created by

🇩🇪Germany mxh Offenburg

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @mxh
  • Comment 18 days ago
    🇩🇪Germany jurgenhaas Gottmadingen

    Hmm, I'm not sure yet, if we really need to introduce a new access control here. Other routes are not doing that either, so why should that ECA controlled route have to do it? Shouldn't "both" access checks always come to the same result? So, a menu item should not display if clicking on it would then show a 403, or the other way round, when it's missing, although the user has permission, that also not what we want.

    It feels like we need to enhance the existing access check to make sure it works in both contexts, aren't we?

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024