Problem/Motivation

Given this menu link:

menu_test.current:
  title: 'Link to current page'
  route_name: '<current>'
  menu_name: account

An anonymous user will not see it in the "account" menu. This is because access to the route is denied. But a user who has reached a page is supposed to be able to reach it again. So, access to the <current> route should always be granted.

The bug is proved by the attached patch.

Steps to reproduce via UI:
1. Install vanilla Drupal and log in as admin
2. Go to /admin/structure/menu/manage/main/add
3. Create a test menu link item. Important: Use route:<current> as link.
4. Save.
5. Check frontend as admin user. The link is visible.
6. Check frontend as anonymous user. The link is NOT visible.

Proposed resolution

Always allow access to the <current> route.

Remaining tasks

None.

User interface changes

None.

API changes

None.

Data model changes

None.

Comments

claudiu.cristea created an issue. See original summary.

claudiu.cristea’s picture

Status: Active » Needs review
claudiu.cristea’s picture

Attached files (status, size):
new, 1.95 KB

The fix.

claudiu.cristea’s picture

Issue tags: +Security
sk33lz’s picture

Version: 8.6.x-dev » 8.8.x-dev

The patch in #3 still applies cleanly to 8.8.x. I added an additional test to the patch comment.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.) For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

feyp’s picture

Issue summary: View changes
Issue tags: +Needs security review

I just closed #3052019: Menu item with <current> path not visible to anonymous users as a duplicate issue, since it looks like the same issue and the patch is identical. Although the other issue is older, I decided to keep this issue since it already has tests and is ready for review. Carrying over "Needs security review" tag, since I think it is a good idea. Added steps to reproduce via UI from the other issue to the summary.

abhijith s’s picture

Attached files (status, size):
new, 2.18 KB
new, 3.53 KB

Applied patch #3. After applying this patch the menu link targeting the current page is accessible for the anonymous user.

Before patch:
before

After patch:
after

manojithape’s picture

Assigned: Unassigned » manojithape
manojithape’s picture

Attached files (status, size):
new, 140.05 KB
new, 144.74 KB

Verified and tested patch #3 on the Drupal 9.3.x-dev version. Patch applied successfully and looks good to me.

Testing Steps:

1. Install vanilla Drupal and log in as admin
2. Go to /admin/structure/menu/manage/main/add
3. Create a test menu link item. Important: Use route:<current> as link.
4. Save.
5. Check frontend as an admin user. Observe the link is visible.
6. Check frontend as an anonymous user and observe the link is NOT visible.
7. Now apply the patch and clear the cache.
8. Again check the frontend as an anonymous user and verify the link is visible.

Testing Results:

After applying the patch, the current link is visible for anonymous users.
Please refer to the attached Before patch and After patch images for reference.

Moving this ticket to RTBC.

manojithape’s picture

Assigned: manojithape » Unassigned
Status: Needs review » Reviewed & tested by the community
gauravvvv’s picture

Attached files (status, size):
new, 52 KB

Just out of curiosity, I have a question. Since the link is always active for the same page, clicking on the link will refresh the page and do nothing else. Do we need an anchor tag over it? Is it useful to have a link for the same page?

larowlan’s picture

Status: Reviewed & tested by the community » Needs review
Issue tags: +Bug Smash Initiative

Unchecking credit for those who provided screenshots when we already had them.

Can we get a fail/pass patch here to demonstrate the new test fails as expected?

Thanks

feyp’s picture

Attached files (status, size):
new, 1.62 KB
new, 2.02 KB
new, 545 bytes

> Can we get a fail/pass patch here to demonstrate the new test fails as expected?

Yes, we can.

The last submitted patch, 18: 3008889-18-tests-only.patch, failed testing. View results

claudiu.cristea’s picture

Status: Needs review » Needs work

Looks good!

Nit:

+++ b/core/tests/Drupal/FunctionalTests/Menu/MenuLinkCurrentPageTest.php
@@ -0,0 +1,39 @@
+  public function testMenuLinkCurrentPage() {
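
Review bot: the added method declaration `public function testMenuLinkCurrentPage() {` has no return type. The file is new (`@@ -0,0 +1,39 @@`), so there is no existing signature to stay compatible with; declare it as `public function testMenuLinkCurrentPage(): void {`.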

Let's strict type the method's return to void.

claudiu.cristea’s picture

Issue summary: View changes

Ref: #15:

Just out of curiosity, I have a question. Since the link is always active for the same page, clicking on the link will refresh the page and do nothing else. Do we need an anchor tag over it? Is it useful to have a link for the same page?

Yes, some might want to add an anchor link.

feyp’s picture

Status: Needs work » Needs review
Attached files (status, size):
new, 1.63 KB
new, 2.03 KB
new, 723 bytes

Thanks Claudiu for your review. Added the return type hint.

And expanding on #21: You could also use GET parameters, doesn't need to be an anchor. My use case is this module, which currently includes a workaround for this issue that I would like to remove.

The last submitted patch, 22: 3008889-22-tests-only.patch, failed testing. View results

chetanbharambe’s picture

Status: Needs review » Reviewed & tested by the community
Attached files (status, size):
new, 329.68 KB
new, 274.91 KB
new, 278.58 KB

Verified and tested patch #22. (https://www.drupal.org/files/issues/2021-08-16/3008889-22.patch)
Patch applied successfully and looks good to me.

Testing Steps:
1. Install vanilla Drupal and log in as admin
2. Go to /admin/structure/menu/manage/main/add
3. Create a test menu link item. Important: Use route:<current> as link.
4. Save it
5. Check frontend as an admin user. The link is visible.
6. Check frontend as an anonymous user. The link is NOT visible.

Expected Results:
The link should be visible for anonymous users.

Actual Results:
Currently, the link is visible for admin users only and not for anonymous users.

Please refer to the attached screenshots for the same.
Looks good to me.
Can be moved to RTBC.

alexpott’s picture

Status: Reviewed & tested by the community » Needs work

This is still marked "needs security review". Before this can be RTBC someone needs to do that. I would think we need a comment that shows:

  • access caching for the route that is being referred to as current is unaffected
  • if access for the route is changed after someone lands on the page and they click the link that goes to the current page it would then be denied if the access change would deny them access.

My gut feel is that this change is fine but we need to do some careful thinking about consequences. And we need to do the work.
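
The second point of the security review requested above, sketched as a Drupal functional test. This is an added example, not code from any patch in this issue; the class name and the `example` module namespace are hypothetical, and it assumes the fix is applied and that the node module grants 'access content' to anonymous users on install.

```php
<?php

declare(strict_types=1);

namespace Drupal\Tests\example\Functional;

use Drupal\menu_link_content\Entity\MenuLinkContent;
use Drupal\Tests\BrowserTestBase;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;

/**
 * Hypothetical test: a <current> link never outlives access to the page.
 */
class CurrentLinkAccessRevokedTest extends BrowserTestBase {

  protected static $modules = ['block', 'menu_link_content', 'node'];

  protected $defaultTheme = 'stark';

  public function testAccessRevokedAfterLanding(): void {
    MenuLinkContent::create([
      'title' => 'Link to current page',
      'link' => ['uri' => 'route:<current>'],
      'menu_name' => 'account',
    ])->save();
    $this->drupalPlaceBlock('system_menu_block:account');
    $this->drupalCreateContentType(['type' => 'page']);
    $node = $this->drupalCreateNode(['type' => 'page']);

    // Anonymous lands on the node; with the fix applied the link is rendered.
    $this->drupalGet($node->toUrl());
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->linkExists('Link to current page');

    // Access to the underlying route is withdrawn after the page was loaded.
    Role::load(RoleInterface::ANONYMOUS_ID)->revokePermission('access content')->save();

    // Following the link re-requests the node route, whose own check decides.
    $this->clickLink('Link to current page');
    $this->assertSession()->statusCodeEquals(403);
  }

}
```

The final 403 is the property under review: granting access to the <current> placeholder only affects whether the link is rendered, while the request it produces is still checked against the real route.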

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.