Problem/Motivation

If you have some pages in your menu that are unpublished, and they have child links, making changes to the menu order in the menu admin page results in the child links moving to the top level of the menu if the node is then saved by a user without menu admin permissions.

I wasn't able to reproduce this when all pages were published.

There are quite a few ways to reproduce this but here is an example in vanilla Drupal 8.7.1:

Screenshot of the menu admin page:
menu original

Screenshot after admin makes changes in menu admin page (move Article 2 to be a child of Article 1):
menu before

Screenshot of the menu after Article 5 was saved by a user without administer menus:
menu after

Steps to reproduce:

  1. Create user with permission to edit content but without permission to administer menus
  2. As admin user, create some published and unpublished pages and add them to the menu with varying levels
  3. Re-parent one of the links that has children
  4. Edit one of the children
  5. See the edited node moves to the top level of the menu

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#4 30597890.patch1.15 KBlarowlan
Screenshot 2019-06-06 11.13.53.png16.51 KBpameeela
Screenshot 2019-06-06 11.14.51.png16.58 KBpameeela
Screenshot 2019-06-06 11.14.14.png16.74 KBpameeela
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

pameeela created an issue. See original summary.

pameeela’s picture

pameeela CreditAttribution: pameeela as a volunteer commented
Title: If pages in the menu are unpublished, changes to child links » If pages in the menu are unpublished, changes made in the menu UI can be lost when node is saved
pameeela’s picture

pameeela CreditAttribution: pameeela as a volunteer commented
Issue summary: View changes
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan as a volunteer and at PreviousNext commented
Version: 8.7.x-dev » 8.8.x-dev
Issue tags: +Needs tests
FileSize
30597890.patch1.15 KB

I think the issue is caused by \Drupal\Core\Menu\MenuParentFormSelector::getParentSelectOptions

which includes a call to \Drupal\Core\Menu\DefaultMenuLinkTreeManipulators::checkNodeAccess which removes nodes the user has no access to from the parent list.

A possible solution would be for \Drupal\Core\Menu\MenuParentFormSelector::parentSelectOptionsTreeWalk to instead show these items as redacted as per the attached patch.

amateescu’s picture

amateescu CreditAttribution: amateescu for Pfizer, Inc. commented
Status: Active » Needs work 
+++ b/core/lib/Drupal/Core/Menu/MenuParentFormSelector.php
@@ -167,14 +167,17 @@ protected function parentSelectOptionsTreeWalk(array $tree, $menu_name, $indent,
+        $title = $this->t('[Redacted]');

Can we use - Restricted access - to match \Drupal\Core\Entity\Element\EntityAutocomplete::getEntityLabels()?

Otherwise I think the patch looks good :)

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

pameeela’s picture

pameeela CreditAttribution: pameeela as a volunteer commented
Status: Needs work » Closed (duplicate)
Issue tags: -Needs tests +Bug Smash Initiative
Related issues: +#2807629: Allow menu items which link to unpublished nodes to be selected in the parent item selector

Just found #2807629: Allow menu items which link to unpublished nodes to be selected in the parent item selector which is older and has more progress, so I'll close this.