Problem/Motivation

In #296693: Restrict access to empty top level administration pages we were testing routes that had the _access_admin_menu_block_page access tag which gets added in \Drupal\system\EventSubscriber\AccessRouteAlterSubscriber::accessAdminMenuBlockPage for routes that use Drupal\system\Controller\SystemController::systemAdminMenuBlockPage

Unfortunately we(meaning me, sorry) used admin/people which I thought used systemAdminMenuBlockPage but looking at the route 

entity.user.collection:
  path: '/admin/people'
  defaults:
    _entity_list: 'user'
    _title: 'People'
  requirements:
    _permission: 'administer users'

It does not use that callback.

Steps to reproduce

Proposed resolution

Replace the use of admin/people with admin/reports(or another route that uses systemAdminMenuBlockPage).
Check if we are using any other routes that don't use that controller.

We can leave routes that are using \Drupal\system\Controller\SystemController::overview because that is being addressed in #3381929: Restrict access to empty top level administration pages for overview controller

Remaining tasks

Issue fork drupal-3399537

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

tedbow created an issue. See original summary.

tedbow opened merge request !5261

tedbow’s picture

tedbow
he/him
Primary language English
Location Ithaca, NY, USA
commented
Status: Active » Needs review
kunal.sachdev’s picture

kunal.sachdev commented
Status: Needs review » Needs work

Looks good, needs work for some comments in MR.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.