Problem
As it stands, the menu system checks all menu paths pointing to internal links (i.e., node/add or user/logout) upon submission to verify:
- The path exists in the menu system.
- The user has the proper permissions to access that path.
Furthermore, when a menu is being rendered, paths that the current user does not have access to are not rendered in the menu.
The problem begins when the user creates a menu item using an absolute URL pointing to an internal system path. For example, with Clean URLs, the user could create a menu item using the path 'http://www.example.com/admin'.
This avoids all the access checks that are made when the path is entered as an internal path.
The other problem is that the site is no longer portable as links will break when migrated between Dev, Staging and Prod environments (or the domain is changed entirely).
This has happened on several clients' sites when they add menu items by surfing to the page they want to add, copying the URL from the address bar, then pasting into the menu form.
Proposed solution
I would suggest that when the menu system parses absolute URLs, it should check:
- Does the domain in the URL match the domain of the site?
- If so, is the path in the Drupal menu system?
- Convert the absolute URL to a relative one.
- This shouldn't be necessary because core now treats the URL as relative.
I am putting this on my list of 'bugs to fix'. However, I can't guarantee I will get around to it soon. If someone wants to take a crack at it, please, take ownership and tackle it. Chances are you are more familiar with the menu system than I am anyway!
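
The check proposed above, sketched in plain PHP as an added example (not code from the original post or from Drupal core). The function name and the sample URLs are assumptions; only PHP built-ins are used, and the caller is expected to pass the returned path through the existing internal-path validation.

```php
<?php
/**
 * Hypothetical helper (not a Drupal core function): map an absolute URL that
 * points at this site to its internal path, or return NULL if it is external.
 */
function example_absolute_to_internal_path($url, $base_url) {
  $link = parse_url($url);
  $site = parse_url($base_url);
  if (!$link || !$site || empty($link['host']) || empty($site['host'])) {
    return NULL;
  }
  $scheme = isset($link['scheme']) ? strtolower($link['scheme']) : '';
  if ($scheme !== 'http' && $scheme !== 'https') {
    return NULL;
  }
  // Step 1: same site? Host names compare case-insensitively; an explicit
  // port must match too.
  $link_port = isset($link['port']) ? $link['port'] : NULL;
  $site_port = isset($site['port']) ? $site['port'] : NULL;
  if (strcasecmp($link['host'], $site['host']) !== 0 || $link_port !== $site_port) {
    return NULL;
  }
  // Same host but outside the install's base path is still not a Drupal path.
  $base_path = isset($site['path']) ? rtrim($site['path'], '/') : '';
  $path = isset($link['path']) ? $link['path'] : '/';
  if ($base_path !== '' && $path !== $base_path && strpos($path, $base_path . '/') !== 0) {
    return NULL;
  }
  $path = trim((string) substr($path, strlen($base_path)), '/');
  // Without Clean URLs the path travels in the q parameter.
  if ($path === '' || $path === 'index.php') {
    $query = array();
    parse_str(isset($link['query']) ? $link['query'] : '', $query);
    $path = (isset($query['q']) && is_string($query['q'])) ? trim($query['q'], '/') : '';
  }
  // Step 3: the relative form to store. The caller must still run it through
  // the same existence and access checks used for typed-in internal paths.
  return $path === '' ? '<front>' : rawurldecode($path);
}

// Constructed sample input; example.com stands in for the site's base URL.
$base = 'http://www.example.com';
foreach (array(
  'http://www.example.com/admin',
  'https://WWW.EXAMPLE.COM/?q=node/add',
  'http://other.example.org/admin',
) as $url) {
  echo var_export(example_absolute_to_internal_path($url, $base), TRUE), "\n";
}
```

The first two sample URLs resolve to `admin` and `node/add`, so they can be stored as relative paths and checked like any typed-in internal path; the third returns NULL and stays an external link.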