Information disclosure in Exportform/RouteSubscriber

Related issue exposes another incompatibility.
entity access should be a part of access, user could have no access for some fields but gets access to all

1. +++ b/src/RouteSubscriber.php
   @@ -3,36 +3,73 @@
   +        $link_template = $definition->getLinkTemplate('canonical');
   +        if (strpos($link_template, '/') !== FALSE) {
   +          $base_path = '/' . $link_template;
   +        }
   

   Link templates must start with a /, this is baby-sitting broken code, we shouldn't do that. AFAIK, core validates this now somewhere.

2. +++ b/src/RouteSubscriber.php
   @@ -3,36 +3,73 @@
   +          }
   +          $base_path = $entity_route->getPath();
   +        }
   +
   +        $path = $base_path . '/export';
   +        $route = new Route(
   

   I've seen a different pattern for this. There, you first define an export link template in hook_entity_type_alter() and then create the route based on that. The advantage is that it allows entity types to define a link template with a different path if they want.

   Devel does that for example, not sure if it is worth it here.

Thanx for pointer, both means core \Drupal\content_translation\Routing\ContentTranslationRouteSubscriber::alterRoutes should be cleaned as well

There's no more export form