Menu items with path set to <current> are not rendered for anonymous users.

Steps to reproduce:
1. Install vanila Drupal and log in as admin
2. Go to /admin/structure/menu/manage/main/add
3. Create a test menu link item. Important: Use route:<current> as link.
4. Save.
5. Check frontend as admin user. The link is visible.
6. Check frontend as anonymous user. The link is NOT visible.

Issue is resolved by granting 'Link to any page' or 'Access any content' permission to anonymous users which obviously is not something we want to do.

CommentFileSizeAuthor
#6 3052019-current-route-link-6.patch844 bytesKittenDestroyer
#3 3052019-1.patch388 byteswebiator gmbh

Comments

artur.thiessen created an issue. See original summary.

cilefen’s picture

cilefen commented
Component: routing system » menu system
Issue summary: View changes
Issue tags: -menu, -Routing, -permissions, -anonymous user

I surrounded the code samples in the report with the proper tags so as to make them visible.

webiator gmbh’s picture

webiator gmbh commented
Version: 8.6.x-dev » 8.7.x-dev
Status: Active » Needs review
StatusFileSize
new 3052019-1.patch388 bytes

I tried simply adding 

requirements:
    _access: 'TRUE'

to the <current> route and it seems to work. Check out my patch.
Security seems fine to me although I am not an expert.

borisson_’s picture

borisson_
Primary language Dutch
Location Mechelen, 🇧🇪
commented
Status: Needs review » Needs work
Issue tags: +Needs security review

Patch doesn't apply on 8.7 or 8.8. I am not sure about the security implications of this. I don't think it will be a big problem, but tagging this with needs security review.

dawehner’s picture

dawehner
Primary language German
commented

I think the right question to be asked here is: Why is this link not visible in the first place? Figuring this out would be better than just plain giving access.
If I understand correctly it's because no access means access denied, but why is it visible for the authenticated user then?

KittenDestroyer’s picture

KittenDestroyer commented
StatusFileSize
new 3052019-current-route-link-6.patch844 bytes

Added the same fix for 8.8.x. I see no better solution for this problem, since all similar in logic links have the same access requirements. Also I manually tested admin links on anonymous.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.9 was released on November 6 and is the final full bugfix release for the Drupal 8.7.x series. Drupal 8.7.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.8.0 on December 4, 2019. (Drupal 8.8.0-beta1 is available for testing.)

Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

feyp’s picture

feyp commented
Status: Needs work » Closed (duplicate)
Related issues: +#3008889: Menu link targeting the current page is not accessible

I'm closing this as a duplicate of #3008889: Menu link targeting the current page is not accessible, since it looks like the same issue (with an identical patch even) and although this issue is older, the other issue already has tests and is ready for review.