authorAlex Pott2017-03-20 12:02:15 (GMT)
committerAlex Pott2017-03-20 12:02:15 (GMT)
commit6c37e3edc81d45f2cda4337a55391ae35fb3714a (patch)
tree3a05b8b7abef4fed01ddf45f8d2921a223a6ee51
parent36c53a275b73f1d3713b1a9ae67259c79f7ea14f (diff)
Issue #2492513 by JeroenT, Nitesh Pawar, wturrell, Jo Fitzgerald, rashidkhan, alx_benjamin, gaurav.kapoor, NikitaJain, amit.drupal, Shabbir, alexpott, xjm, cilefen: Cannot edit the user/login menu link as an admin
-rw-r--r--core/modules/menu_link_content/src/MenuLinkContentAccessControlHandler.php7
-rw-r--r--core/modules/menu_link_content/src/Tests/MenuLinkContentFormTest.php45
2 files changed, 47 insertions, 5 deletions
diff --git a/core/modules/menu_link_content/src/MenuLinkContentAccessControlHandler.php b/core/modules/menu_link_content/src/MenuLinkContentAccessControlHandler.php
index c69349e..eadf045 100644
--- a/core/modules/menu_link_content/src/MenuLinkContentAccessControlHandler.php
+++ b/core/modules/menu_link_content/src/MenuLinkContentAccessControlHandler.php
@@ -59,11 +59,12 @@ class MenuLinkContentAccessControlHandler extends EntityAccessControlHandler imp
return AccessResult::neutral("The 'administer menu' permission is required.")->cachePerPermissions();
}
else {
- // If there is a URL, this is an external link so always accessible.
+ // Assume that access is allowed.
$access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
/** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */
- // We allow access, but only if the link is accessible as well.
- if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
+ // If the link is routed determine whether the user has access unless
+ // they have the 'link to any page' permission.
+ if (!$account->hasPermission('link to any page') && ($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
$link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE);
$access = $access->andIf($link_access);
}
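Review bot: The added `!$account->hasPermission('link to any page')` term on the `if` makes the route check optional, so for accounts holding that permission the result stays at the unconditional `AccessResult::allowed()` wherever the link points; the comment above it should state that this is an intentional bypass rather than only restating the condition, for example `// 'link to any page' intentionally bypasses the target-route access check.`. The result already carries `cachePerPermissions()`, so the new permission test needs no additional cache context. The `@var` annotation for `$entity` sits one line after `$entity` is first used and would read better above the `$access` assignment. The enclosing method and its operation switch begin and end outside the hunk, so which operations reach this branch cannot be confirmed from here.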
diff --git a/core/modules/menu_link_content/src/Tests/MenuLinkContentFormTest.php b/core/modules/menu_link_content/src/Tests/MenuLinkContentFormTest.php
index c8244fe..1e726fc 100644
--- a/core/modules/menu_link_content/src/Tests/MenuLinkContentFormTest.php
+++ b/core/modules/menu_link_content/src/Tests/MenuLinkContentFormTest.php
@@ -2,6 +2,7 @@
namespace Drupal\menu_link_content\Tests;
+use Drupal\menu_link_content\Entity\MenuLinkContent;
use Drupal\simpletest\WebTestBase;
/**
@@ -21,12 +22,52 @@ class MenuLinkContentFormTest extends WebTestBase {
];
/**
+ * User with 'administer menu' and 'link to any page' permission.
+ *
+ * @var \Drupal\user\Entity\User
+ */
+
+ protected $adminUser;
+
+ /**
+ * User with only 'administer menu' permission.
+ *
+ * @var \Drupal\user\Entity\User
+ */
+
+ protected $basicUser;
+
+ /**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
- $web_user = $this->drupalCreateUser(['administer menu']);
- $this->drupalLogin($web_user);
+ $this->adminUser = $this->drupalCreateUser(['administer menu', 'link to any page']);
+ $this->basicUser = $this->drupalCreateUser(['administer menu']);
+ $this->drupalLogin($this->adminUser);
+ }
+
+ /**
+ * Tests the 'link to any page' permission for a restricted page.
+ */
+ public function testMenuLinkContentFormLinkToAnyPage() {
+ $menu_link = MenuLinkContent::create([
+ 'title' => 'Menu link test',
+ 'provider' => 'menu_link_content',
+ 'menu_name' => 'admin',
+ 'link' => ['uri' => 'internal:/user/login'],
+ ]);
+ $menu_link->save();
+
+ // The user should be able to edit a menu link to the page, even though
+ // the user cannot access the page itself.
+ $this->drupalGet('/admin/structure/menu/item/' . $menu_link->id() . '/edit');
+ $this->assertResponse(200);
+
+ $this->drupalLogin($this->basicUser);
+
+ $this->drupalGet('/admin/structure/menu/item/' . $menu_link->id() . '/edit');
+ $this->assertResponse(403);
}
/**
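Review bot: The 403 assertion for `basicUser` only shows denial for a link to `/user/login`; nothing in `testMenuLinkContentFormLinkToAnyPage()` asserts that the same user can still edit a link whose target they are allowed to visit, so a change that denied every edit to users without 'link to any page' would still pass. A second `MenuLinkContent` pointing at a page `basicUser` can reach, followed by the same `drupalGet()` call and `$this->assertResponse(200);`, would pin the route check itself. Separately, the added blank lines between each property docblock and `protected $adminUser;` / `protected $basicUser;` detach the comment from the property it documents and should be dropped.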