I created a custom block type with an entity renference field to custom menu items. After that, I created a block of this type with some references to existing menu items.

The problem is, anonymous users does not see this block, while uid=1 does see it. Caches cleared in every possible way.

Comments

EdgarPE created an issue. See original summary.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer commented

I'd wondering which URL did you placed inside there? Could this link itself be maybe not accessible for the anonymous user?

EdgarPE’s picture

EdgarPE CreditAttribution: EdgarPE commented

The custom menu items are in a separate menu. This menu's block is placed in the sidebar, and anonymous user can see the menu items and access the pages just fine.

krlucas’s picture

krlucas CreditAttribution: krlucas at Genuine commented

I have this same issue. I want to render a View of Blocks with entity reference field to menu items so the blocks can act as menu flyouts. I want to use the menu item id as a data attribute on the rendered block/row.

  1. Create a menu with menu links to nodes.
  2. Create a block type with entity reference field to menu links.
  3. Create blocks of the new block type that reference the menu items in 1.
  4. Create a view of the blocks from 3. Configure the view to display the "Entity ID" from the entity reference field.

Result: Anonymous can see and click on the menu items in the actual menu and access the destination nodes. Anonymous users can't see the entity_id of the menu items in the view.

It appears at some point, to render the entity reference, there's a check to see if the user can *edit* the referenced menu item.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

josecastrop’s picture

josecastrop CreditAttribution: josecastrop commented

¿Anyone knows a solution to this problem? In 8.5.3 the issue persist. Impossible to see the menu link as entity reference without administrator role.

matthiasm11’s picture

matthiasm11 CreditAttribution: matthiasm11 at Randstad Digital commented

I had the same problem: menu items referenced from a node were getting a -Restricted access-.
Found out that the language of the menu item needs to be the same as the language of the node where the reference field resides.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

blake.thompson’s picture

blake.thompson CreditAttribution: blake.thompson at Slalom commented

Just came across this issue myself. I have a custom block type with an entity reference field for a menu link item. I'm placing the block through layout builder and that field is not rendered for anonymous users. I don't have language options for my node or my menu item, so I'm not sure how to address that.

edit: I checked and my node, block and menu link all seem to have the same langcode.

kitzinger’s picture

kitzinger CreditAttribution: kitzinger commented

Ridiculously, this issue persists in 8.7.6.

When creating an entity reference field for Custom menu item, anonymous users are unable to view the referenced item.

bratej’s picture

bratej CreditAttribution: bratej commented

I also have this issue on 8.7.1. For this to work anonymous users would have to have the permission "System->Administer menus and menu items" set, which of course you don't want to do.

It looks like if the display type is "Entity ID" the value is not printed (no permission?). If you display the entity label it prints just fine.

My workaround in a twig template is the following:

{% set menu_id = content.field_YOURMENU_ENTITY_REFERENCE_FIELD[0]['#options']['entity'].id() %}

The menu_id gets the value of the Entity ID. I then print the menu with the Twig Tweak contributed module:

{{ drupal_menu(menu_id) }}

Not the prettiest thing in the world but it works :P.

kitzinger’s picture

kitzinger CreditAttribution: kitzinger commented

@bratej - this is wrong. With the display type as label, nothing is printed for anonymous users either.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Lendude’s picture

Lendude
Primary language Dutch
Location Amsterdam
CreditAttribution: Lendude as a volunteer and at iO commented
Status: Active » Closed (duplicate)
Issue tags: +Bug Smash Initiative

This came up as a Bug Smash daily triage issue.

Discussed this with @catch and we agree that we should close this as a duplicate of #2915792: MenuLinkContentAccessControlHandler does not allow "view" access without admin permission, making these entities inaccessible via REST, JSON API and GraphQL and entity reference fields. There seems to be more activity on that issue and we should tackle the problem with entity references in the same issue.

Feel free to open this back up if you feel these are two separate issues or that there is a good reason not to solve these issues at the same time.