#296693: Restrict access to empty top level administration pages introduced a bug where if a user does not have access to the child items of the first item of an admin page, the page gives an access denied, even if the user does have access to some other items. For me the first item was entity.taxonomy_vocabulary.collection, so denying access to that item resulted in the user not being able to access /admin/structure even though they did have access to add/edit menus.
composer create-project drupal/recommended-project drupal.local
cd drupal.local
composer require drush/drush
vendor/bin/drush site:install
vendor/bin/drush user:create Jelle
vendor/bin/drush user:role:add content_editor Jelle
vendor/bin/drush role:perm:add content_editor "access taxonomy overview"
# Login as user 2 and check the toolbar, "Structure" should be there
composer require drupal/scheduler
vendor/bin/drush en scheduler
# Login as user 2 and check the toolbar, "Structure" is gone
Only do an early return in \Drupal\system\Access\SystemAdminMenuBlockAccessCheck::hasAccessToChildMenuItems if a child menu item is found where the user does have access to. Don't just check the first one.
Write/apply the patch.
Fix tests so they fail without the fix, these were broken in the reroll see #39
N/A
N/A
N/A
If users have access to a child of an admin page, but not its first child, they will now have access to that admin page.
| Comment | File | Size | Author |
|---|---|---|---|
| #37 | user-toolbar-menus.png | 102.09 KB | flyke |
| #37 | user-menu-permissions.png | 136.18 KB | flyke |
Show commandsStart within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #2
jelle_sComment #3
smustgrave commentedThe linked issue hasn't been committed so instead of a separate issue think this should be closed and that issue moved back to Needs work.
Will need test coverage either way.
Comment #4
jelle_sMy bad! I linked the wrong issue, the code definitely is already in core. Fixed that part.
Comment #5
jelle_sComment #6
luenemannThis should be converted to a Merge Request. Change Status to Needs Review if you think it's ready.
#3381929: Restrict access to empty top level administration pages for overview controller touches the same function as this patch. Is that issue fixing the same problem?
Comment #7
jelle_sNo, that tackles a different issue. I'll have a look at creating an MR if I find the time today.
Comment #10
taraskorpachI've created a PR to simplify Jelle_S's life. I'm not sure if the code will work properly, but based on #7, I'm marking the issue as 'Needs Review'.
Comment #11
smustgrave commentedThanks but MR should target 11.x
And will need test coverage
Comment #12
taraskorpachShould I create a new branch based on the 11.x?
Comment #13
smustgrave commentedYou can change the target branch on the current MR, will have to rebase most likely though just FYI.
11.x is the current development branch. So issues land there first and then backported to other supported branches when committed.
Comment #14
taraskorpachComment #15
taraskorpachAs I mentioned in #10, I'm unsure if the code is correct, so I followed the steps from the summary. Unfortunately, I'm unable to reproduce the issue.
My user has the 'Administer menus and menu links' permission but lacks the 'Access the taxonomy vocabulary overview page' permission. In this case, I have access to /admin/structure, and the 'Structure' link also appears in the menu.
I'm marking this as postponed since we need more information to reproduce it.
Comment #16
jelle_sI've managed to reproduce it on a clean Drupal 10.2.1 install, with the contrib Scheduler module. Unfortunately, in this case, this patch does not seem to work, so there's more going on. Here are the steps to reproduce:
Comment #17
jelle_sComment #18
jelle_sIt seems to have something to do with this view (display) in scheduler, but I can't figure out what's going wrong:
https://git.drupalcode.org/project/scheduler/-/blob/2.0.1/config/optiona...
Comment #19
jelle_sAfter some further digging:
The scheduler module adds the view linked above, which creates a menu link item with
entity.taxonomy_vocabulary.collectionas its parent. So if you follow the steps to reproduce, you create a user that does have access toentity.taxonomy_vocabulary.collection, but does not have access to its child created by the scheduler module:views_view:views.scheduler_scheduled_taxonomy_term.overviewI'm still trying to wrap my head around the correct implementation details, but basically: once an element in the tree is found that is accessible, and is an actual page, not just an overview of its sublinks, the access check should pass, which it doesn't right now.
Comment #20
jelle_s@taraskorpach I don't have push access to your MR, but I did find a fix for the problem described above. Not sure how to write a test for this exactly, but in the mean time people experiencing this issue can use the patch attached.
Comment #21
jelle_sRemoved the extra whitespace at the end of the file
Comment #22
jelle_sStill no access to the MR, but here's the above patch with tests included, and one patch with only the tests to prove they fail.
Comment #23
taraskorpachI've updated MR according to your patch. Can I grant access to the MR, or does it solely belong to me?
Comment #24
jelle_sSorry, I didn't see the big green "Get push access button"... Thanks @taraskorpach for adding the latest patch to the MR :)
EDIT: So I do have push access now.
Comment #25
luenemannTest only job failed with expected message: https://git.drupalcode.org/issue/drupal-3413508/-/jobs/614074#L54
Comment #26
smustgrave commentedHiding patches for clarity.
Confirmed test-only job (same as #25)
Issue summary appears to be complete and solution matches change. Believe this is good.
Comment #27
malcomio commentedI don't think that this is specific to 11.x after the changes for #296693: Restrict access to empty top level administration pages - see #3415709: Users with access taxonomy overview permission cannot access admin/structure, which is on 10.2.x
As noted there, the equivalent change for 10.2 seems to fix the problem.
Comment #28
tlo405 commentedI was also seeing this problem on my site. The latest patch does fix the problem for me (I'm on 10.2.x).
Comment #29
randalv commentedAlso noticed this issue on a 10.2.x site.
Copied the diff locally, used it as patch with composer -> it works!
Comment #30
makbay commentedI also noticed this on 10.2.x site and the patch fixed it.
Comment #31
kufliievskyi commentedConfirm that I also noticed this on the 10.2.2 site and the patch fixed it.
Comment #32
neclimdulThis seriously affects the ability to administer sites without a documented work around so bumping the priority.
The code is pretty confusing and its not clear to me how it fixes the problem but i don't seen anything broken.
Comment #33
flocondetoileSame issue here. Users with no permissions for the first link get an access denied. MR 6100 fix the issue
Comment #35
smustgrave commentedClosed as duplicate.
Comment #36
ultimikeMR6100 works for my use case as well - see https://github.com/drush-ops/drush/issues/5864
-mike
Comment #37
flyke commentedOur project is on Drupal 10.2.1.
I was breaking my head about why a content editor cannot see the Structure menu tab, even though he has permissions to edit certain menus and taxonomies and view webform subscriptions.
I looked through the issie queues of admin_toolbar, admin_toolbar_links_access_filter, gin_toolbar, gin, ... but could not find it.
The MR6100 applies and the admin -> structure links are again available in the toolbar for the content editor
BUT
The user now sees all menus, not only the ones he has access to via permissions.
Also, its not just listing, he can also edit all the menus he's not supposed to be able to, like the administration menu.
That should not be possible, security wise. Can anyone confirm ?
UPDATE
Apparently, now I suddenly must no longer grant the permission 'Administer menus and menu links'. If that permission is granted, user can see and edit ALL possible menus. Without that permission, all is working as expected and user only has access to those menus that are granted via 'Menu Admin per Menu' permissions.
Comment #38
acbramley commentedMarked #3421825: Access denied on system.admin_structure route when Admin Toolbar Extra Tools is enabled and #3423502: Missing Top Level Menu Item as duplicates of this.
Comment #39
acbramley commentedThis has some huge conflicts with #3381929: Restrict access to empty top level administration pages for overview controller going to try and resolve them today. Unfortunately both used a 4th child with similar but slightly different access rules.
Comment #40
acbramley commentedI've done my best to merge in the conflicts, but the tests were quite mind bending to get passing.
I've also replaced "super" with "grand" in most cases as that seemed to be a large part of the conflicts.
Comment #41
acbramley commentedThe test only changes passed so something isn't right...
Comment #42
aaron.ferris commentedMR 6100 fixes this issue in my 10.2 install.
Not sure if something else is amiss, but im not seeing the issues from #37 with a user who has 'administer menu' permissions.
Comment #43
acbramley commentedYeah it sounds like from the UPDATE in #37 that it was user error.
Comment #44
acbramley commentedComment #45
acbramley commentedDOH! Took me far too long to figure out what I'd done wrong... I hadn't put the test menu items back in the merge conflict madness.
Now that I've done that and fixed up the tests, they are correctly failing without the fix:
EDIT: Worth mentioning that I also tried to get around adding more menu items, but we need some that aren't using the menu overview controller hence the new ones are required.
Comment #46
alina.basarabeanu commentedWith the changes pushed with the last commit, we could not apply the patch to Drupal Core 10.2.3.
Can you please add a patch file for 10.2.3 version?
Comment #47
smustgrave commentedRan test-only feature
Issue summary appears correct.
Verified the solution does fix the problem described.
Comment #48
acbramley commented@Alina Basarabeanu does https://www.drupal.org/files/issues/2024-01-11/3413508-22.patch still work for you on 10.2?
Comment #49
alina.basarabeanu commentedYes,
Previously I was using the merge request as was pointing to 10.x branch.
Thanks
Comment #50
eduardo morales albertiSame error here on 10.2.3, the patch https://www.drupal.org/files/issues/2024-01-11/3413508-22.patch solves our issue.
Comment #51
alexpottAdded some comments to the MR.
Also I think we need a change record and a release note. This change might result in users seeing menus items they couldn't before. I think that this means we should tell users about this.
Comment #52
acbramley commentedAdded the CR https://www.drupal.org/node/3431191
Comment #53
acbramley commentedBrief release note added, feel free to make amendments.
Random fail on unit tests in the pipeline, have rerun.
Comment #54
smustgrave commentedRebased the MR and that Unit test failure was random.
Feedback appears to be addressed, release note seems good. Mentions the problem that is solved.
Comment #57
catchCommitted/pushed to 11.x and cherry-picked to 10.3.x, thanks!
Comment #61
tarik.cipix commentedPatch #22 is still needed on the latest version of Drupal Core 10.2.6. I don't know why this is only cherry picked to 10.3.x? This is a necessary fix for all Drupal sites since it's now only checking the first menu item instead of any menu item.
Please re-open and add code change to 10.2.x as well, patch can be used in the meantime. (Until a stable version of 10.3.x is released for production)
Comment #62
aaronbaumanOpened bug report against 10.2 with MR of same cherry-pick, please review: #3460872: Admin page access denied even when access is given to child items (requesting 10.2 backport)