diff --git a/core/modules/settings_tray/tests/src/FunctionalJavascript/SettingsTrayBlockFormTest.php b/core/modules/settings_tray/tests/src/FunctionalJavascript/SettingsTrayBlockFormTest.php
index d505a0befcb33e1d05b4dec5c8853cd7dd9c7b57..bd23c50a4c3ad7fec204e401d11cb423ad97c01b 100644
--- a/core/modules/settings_tray/tests/src/FunctionalJavascript/SettingsTrayBlockFormTest.php
+++ b/core/modules/settings_tray/tests/src/FunctionalJavascript/SettingsTrayBlockFormTest.php
@@ -30,6 +30,7 @@ protected function setUp() {
 
 $user = $this->createUser([
 'administer blocks',
+ 'access administration pages',
 'access contextual links',
 'access toolbar',
 'administer nodes',
diff --git a/core/modules/toolbar/tests/src/Functional/ToolbarAdminMenuTest.php b/core/modules/toolbar/tests/src/Functional/ToolbarAdminMenuTest.php
index 9585c86eb4a18475202b7b5335b86faaa3f86e14..cd0dd2d72dfb0fc439377074da16786e28f877b6 100644
--- a/core/modules/toolbar/tests/src/Functional/ToolbarAdminMenuTest.php
+++ b/core/modules/toolbar/tests/src/Functional/ToolbarAdminMenuTest.php
@@ -394,6 +394,23 @@ public function testExternalLink() {
 $this->assertRaw('title="External URL & escaped"');
 }
 
+ /**
+ * Tests that there is no Manage tab in the Toolbar for authenticated users.
+ *
+ * The authorized user should not have a Manage tab simply with the 'access
+ * toolbar' permission. They need 'access administration pages' for that.
+ */
+ public function testEmptyMenuTray() {
+ // Log out the admin user because we're testing restricted access.
+ $this->drupalLogout();
+ $this->drupalLogin($this->drupalCreateUser(['access toolbar']));
+ $this->assertResponse(200);
+ // @todo The toolbar div itself still has the id "toolbar-administration".
+ // @see https://www.drupal.org/project/drupal/issues/1044090
+ $this->assertSession()->elementExists('css', 'div[id=toolbar-administration]');
+ $this->assertSession()->elementNotExists('css', 'a[id=toolbar-item-administration]');
+ }
+
 /**
 * Get the hash value from the admin menu subtrees route path.
 *
diff --git a/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarIntegrationTest.php b/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarIntegrationTest.php
index fd163985e75068ffcde1865bae949ea11d8bccd4..c3cda9174c14e1bdd9c2d663a6e71f3f50b26cb6 100644
--- a/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarIntegrationTest.php
+++ b/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarIntegrationTest.php
@@ -22,6 +22,7 @@ class ToolbarIntegrationTest extends WebDriverTestBase {
 public function testToolbarToggling() {
 $admin_user = $this->drupalCreateUser([
 'access toolbar',
+ 'access administration pages',
 'administer site configuration',
 'access content overview',
 ]);
diff --git a/core/modules/toolbar/toolbar.module b/core/modules/toolbar/toolbar.module
index 044d7490e4f5e451022ffdb4953549e5d80274dc..6a900c67c59dbb5eeae7b8e536679256e5d6a853 100644
--- a/core/modules/toolbar/toolbar.module
+++ b/core/modules/toolbar/toolbar.module
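Review bot: testEmptyMenuTray() in ToolbarAdminMenuTest.php pins only the denied side of the permission boundary: it shows that a user holding just 'access toolbar' gets no `a[id=toolbar-item-administration]` link, but nothing in the hunk shows that a user holding both permissions still gets it, so a regression that drops the Manage tab for everyone would pass this test. Unless another test in the class (outside the hunk) already covers that, I would add the counterpart in the same method: `$this->drupalLogin($this->drupalCreateUser(['access toolbar', 'access administration pages']));` followed by `$this->assertSession()->elementExists('css', 'a[id=toolbar-item-administration]');`. The status check could also be written `$this->assertSession()->statusCodeEquals(200);` so the method uses one assertion style, and the docblock should settle on either "authenticated" or "authorized" for the user it describes.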
@@ -159,6 +159,18 @@ function toolbar_toolbar() {
 '#weight' => -20,
 ];
 
+ // If the current user cannot access administration pages, we can save a large
+ // amount of unnecessary work by ending here. It'd be better to actually know
+ // if the admin menu tree is empty for them, but trying to load that tree only
+ // happens in a #pre_render callback, and at that point, it's too late. The
+ // entire toolbar is rendered with the 'user.permissions' #cache context, so
+ // we can safely do this here and it'll still be cached correctly.
+ // @see toolbar_prerender_toolbar_administration_tray()
+ // @see toolbar_page_top()
+ if (!\Drupal::currentUser()->hasPermission('access administration pages')) {
+ return $items;
+ }
+
 // To conserve bandwidth, we only include the top-level links in the HTML.
 // The subtrees are fetched through a JSONP script that is generated at the
 // toolbar_subtrees route. We provide the JavaScript requesting that JSONP
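Review bot: The early return in toolbar_toolbar() makes the hook's output depend on the current user's permissions, yet the only thing tying that to the render cache is the comment's statement that the whole toolbar carries the 'user.permissions' cache context, which is set outside this hunk (presumably in toolbar_page_top(), going by the @see). If that context were ever narrowed or removed, a toolbar built for a user with 'access administration pages' could be served from cache to a user without it, so a test that renders the toolbar first as the admin and then as an 'access toolbar'-only user would be worth having as a guard. I would also extend the comment to say that this is a rendering shortcut and not the access check, e.g. `// Rendering shortcut only: access to the admin routes is enforced by the routes themselves.` — that the routes do so is not visible here and should be confirmed before the line is added. The body of toolbar_toolbar() starts and ends outside the hunk.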