Problem/Motivation

The current access check implemented on SystemAdminMenuBlockAccessCheck doesn't work if the configured menu item uses the attribute url.

Steps to reproduce

  1. Install the latest Drupal version.
  2. Create a module `test_link` and implement the following route in `test_link.routing.yml`:
    test_link.admin:
      path: "/admin/test-link"
      defaults:
        _controller: '\Drupal\system\Controller\SystemController::systemAdminMenuBlockPage'
        _title: "Test Link"
      requirements:
        _permission: "access content"
    
  3. Implement the following menu links on `test_link.links.menu.yml`:
    test_link.admin:
      title: "Test Link Admin"
      route_name: "test_link.admin"
      parent: system.admin_content
    
    test_link.admin.content:
      title: "Content List"
      url: "internal:/admin/content"
      description: "Content listing"
      parent: test_link.admin
    
  4. Enable the module
  5. With an admin user, access the page /admin/test-link

Proposed resolution

We need to check if the menu link doesn't have a route associated with it and implement logic to validate the cases where the link has the url attribute.

Remaining tasks

Implement the new logic;
Implement the automated tests;

User interface changes

N/A

Introduced terminology

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A
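
One way to express the check described under "Proposed resolution", as an added example that is not the code committed for this issue. The helper names are hypothetical, and treating unrouted URLs as neutral is an assumption about the desired policy.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Menu\MenuLinkInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Hypothetical helper (not core code): access result for one child menu link.
 *
 * Handles links defined with route_name and links defined with url.
 */
function test_link_child_link_access(MenuLinkInterface $link, AccountInterface $account): AccessResultInterface {
  // getUrlObject() builds a Url for both kinds of link definition. A url such
  // as "internal:/admin/content" that matches a route yields a routed Url.
  $url = $link->getUrlObject();

  if (!$url->isRouted()) {
    // Unrouted (external or base-path) URLs have no route requirements to
    // evaluate. Assumption: return neutral so such a link never grants access
    // to the overview page on its own. Asking first with isRouted() also
    // avoids catching the exception getRouteName() throws on unrouted URLs.
    return AccessResult::neutral();
  }

  // Routed: run the target route's own access checks for this account and
  // keep the cacheability metadata by asking for an access result object.
  return $url->access($account, TRUE);
}

/**
 * Hypothetical helper: allow the overview page if any child is accessible.
 *
 * @param \Drupal\Core\Menu\MenuLinkInterface[] $children
 *   Child links of the overview page's menu link.
 */
function test_link_any_child_accessible(array $children, AccountInterface $account): AccessResultInterface {
  // Start neutral so an empty or fully inaccessible child list is not allowed.
  $result = AccessResult::neutral();
  foreach ($children as $child) {
    $result = $result->orIf(test_link_child_link_access($child, $account));
  }
  return $result;
}
```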

Comments

hfernandes created an issue. See original summary.

hfernandes’s picture

Title: Access to systemAdminMenuBlockPage is denied if it contains routes using the url attribute » Access to systemAdminMenuBlockPage is denied if it contains links using the url attribute
hfernandes’s picture

Status: Active » Needs review
joaopauloc.dev’s picture

Status: Needs review » Reviewed & tested by the community

I can confirm that the fix works.

I followed these steps:

  1. Install Drupal 11.
  2. Create a custom module test link.
  3. Create the route and the menu link files as mentioned above.
  4. Enable the module.
  5. Access the following URL: /admin/test-link

Without the fix, I couldn't access the page.
access denied
After the fix was applied, I could access it.
access allowed

catch’s picture

Status: Reviewed & tested by the community » Needs work

One comment on the MR.

hfernandes’s picture

Issue summary: View changes
Status: Needs work » Needs review
joaopauloc.dev’s picture

Status: Needs review » Reviewed & tested by the community

I confirm that after the code review changes the issue is still fixed.

I followed the same steps as in comment #5.

Access denied without the fix.
access denied
Could access with the fix applied.
allowed access

alexpott’s picture

Status: Reviewed & tested by the community » Needs work

This looks nearly ready - I think we can use API rather than exceptions to skip unrouted routes in the child link checking...

hfernandes’s picture

Status: Needs work » Needs review
joaopauloc.dev’s picture

Status: Needs review » Reviewed & tested by the community

I confirmed that it is still working.
Without the fix, I get access denied.
access denied
With fix applied.
link working as expected

  • catch committed fb06e64f on 11.x
    Issue #3522754 by hfernandes, catch, joaopauloc.dev, alexpott: Access to...

  • catch committed 3ed2ee36 on 11.2.x
    Issue #3522754 by hfernandes, catch, joaopauloc.dev, alexpott: Access to...
catch’s picture

Status: Reviewed & tested by the community » Fixed

This looks good now. Committed/pushed to 11.x and cherry-picked to 11.2.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.