Problem/Motivation
I have a React API that is using MENU items data from Drupal to build the menu UI on the front-end.
After the update from RC3 to 2.1 stable, MENU items are not accessible for anonymous users.
The only reason I can think of this happening is that the new access_filter hooks are not implemented for the menu_link_content type.
Drupal's standard behavior is to allow READ access to all MENU items, so people can navigate the website. Should that be implemented in JSON:API defaults as well?
Note that with a logged-in admin account I can see the items, so it's an access issue. There is no dedicated permission for seeing menu items in Drupal as well.
As I see it, they should be allowed by default.
Proposed resolution
Have the hook be implemented in there as well.
/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for 'menu_link_content'.
 */
function jsonapi_jsonapi_menu_link_content_filter_access() {
  return ([
    # ...
  ]);
}
Remaining tasks
Discussion, Patch (maybe).
User interface changes
None.
API changes
None.
Data model changes
None.
Release notes snippet
Allowing access to all MENU ITEMS that are enabled on the site to be visible.
Comments
Comment #2
ndobromirov commented
Here is a PoC I can have a patch for if deemed OK.
Comment #3
ndobromirov commented
From the research I had in this, the only way to see menu items as anonymous was to have the "administer menus and menu items" permission given to anonymous. From any perspective this is broken, so I will consider this a valid bug (jsonapi or a core one).
Comment #4
wim leers
See \Drupal\menu_link_content\MenuLinkContentAccessControlHandler::checkAccess():
In other words, JSON:API just respects core's access permissions. For now, you can customize it for your project with your own less restricting access control, but long-term you/we will need to make core support this…
Comment #5
wim leers
Forgot to say: I'm sorry for the trouble this is causing you 😔 If core had not been buggy this way, then JSON:API would not have exposed it before, but that of course doesn't help you today.
Just searched and found the relevant core issue: #2915792: MenuLinkContentAccessControlHandler does not allow "view" access without admin permission, making these entities inaccessible via REST, JSON API and GraphQL and entity reference fields. Please help out there! 🙏
Comment #6
wim leers
@gabesullice just pointed out in chat that #2732283: Menus: ability to retrieve all menu links for a given menu, regardless of whether a menu link is defined in content/config/code is also related.
Comment #7
ndobromirov commented
Thanks for pointing out the related issues in core. I reached the same conclusion and it seems more like a core issue to be resolved outside JSON:API.
I am closing as works as designed.
Comment #8
wim leers
👍
Comment #9
oscarino commented
Hello everyone. I was having the same issue, and found a solution by using two Drupal hooks. One of the hooks I used was posted above, but it needs another one to make it work.
Please see this link to check it out, so I don't duplicate the answer
https://www.drupal.org/project/drupal/issues/2915792#comment-13727406
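
Added example (not part of any comment above, and not the code from the linked core issue): one way a site could grant read-only access to enabled menu links without giving anonymous users the "administer menus and menu items" permission. The module name `mymodule` and the permission `view enabled menu links` are hypothetical, and the example assumes the entity type exposes its `enabled` field as the `published` entity key.

```php
<?php

/**
 * @file
 * mymodule.module (hypothetical custom module).
 *
 * The 'view enabled menu links' permission is an assumption of this example;
 * it would have to be declared in mymodule.permissions.yml and then granted
 * to the anonymous role instead of the administrative menu permission.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_ENTITY_TYPE_access() for 'menu_link_content'.
 */
function mymodule_menu_link_content_access(EntityInterface $entity, $operation, AccountInterface $account) {
  // Only widen 'view'. Update and delete stay with core's access handler.
  if ($operation !== 'view') {
    return AccessResult::neutral();
  }
  // Disabled links remain hidden from accounts without the admin permission.
  // The entity is a cacheable dependency because the result changes when the
  // link is enabled or disabled.
  return AccessResult::allowedIf($entity->isEnabled())
    ->addCacheableDependency($entity)
    ->andIf(AccessResult::allowedIfHasPermission($account, 'view enabled menu links'));
}

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for 'menu_link_content'.
 */
function mymodule_jsonapi_menu_link_content_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  // Allow filtering only among published (enabled) links, never among all.
  return ([
    JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::allowedIfHasPermission($account, 'view enabled menu links'),
  ]);
}
```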