Related issue
https://www.drupal.org/project/drupal/issues/2915792

Patch #3 in https://www.drupal.org/project/drupal/issues/2915792 helps partially.

After applying patch #3, JSON for menu_link_content/menu_link_content starts showing up fine for anonymous users.

But the problem occurs when we have fields referring to menus and we add includes to those fields in our JSON query. The include in such a scenario fails with a 403 error, as anonymous users do not have access to menu.

Comments

gargsuchi created an issue. See original summary.

Comment #2 by gargsuchi

Status: new
Size: 1.53 KB

Patch attached for fix.

Comment #3 by gabesullice

Status: Active » Closed (works as designed)
  1. +++ b/src/Controller/EntityResource.php
    @@ -124,7 +124,7 @@ class EntityResource {
    +      throw new EntityAccessDeniedHttpException($entity, $entity_access, '/data', 'The current user is not allowed to GET 1 the selected resource.');
    

    I'm not sure what the "1" here is supposed to mean, can you explain?

  2. +++ b/src/Controller/EntityResource.php
    @@ -937,7 +937,12 @@ class EntityResource {
    -    $access = $entity->access('view', NULL, TRUE);
    +    if (($entity->entityTypeId == 'menu') OR ($entity->entityTypeId == 'menu_link_content')) {
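    Review bot: `$entity->entityTypeId` is a protected property on the core entity base class, so reading it from `EntityResource` would throw an Error at runtime; the public accessor is `$entity->getEntityTypeId()`. The keyword `OR` should also be `||` per Drupal coding standards. More importantly, this hunk replaces the generic `$entity->access('view', NULL, TRUE)` call with a per-entity-type special case, which means menu and menu_link_content entities are no longer governed by their access control handlers at all in this code path. Keep the `access()` call unchanged and express any intended widening of read access through hook_entity_access or permissions instead, so the decision stays in the access system and is cacheable per permissions.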
    

    I don't think JSON API module should start making special exceptions for entity types. Unfortunately, I can't take this patch as is.

    I would recommend implementing hook_entity_access in a custom module for the menu and menu_link_content entity types and/or giving anonymous users the appropriate permissions to view them. Then, those access rules will be picked up automatically and honored by JSON API.

    Thanks for the report and patch though!
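The hook_entity_access route suggested above, written out as an added example that is not part of this issue, the patches, or the JSON API module's own code. The module name `example_menu_access` and the allowlist of menu machine names (`main`, `footer`) are assumptions; the point is that the hook only widens `view` access, returns neutral everywhere else so core's access control handlers keep deciding, and carries cacheability metadata so JSON API and render cache vary correctly.

```php
<?php

/**
 * @file
 * Lets anonymous users read menu links from selected menus via the entity
 * access system, so JSON API picks the rule up automatically.
 *
 * Module name and the allowlisted menu names are assumptions for this example.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_access().
 */
function example_menu_access_entity_access(EntityInterface $entity, $operation, AccountInterface $account) {
  // Only widen 'view'. Create/update/delete stay with core's handlers.
  if ($operation !== 'view') {
    return AccessResult::neutral();
  }

  // Constructed allowlist: only links in these menus become readable.
  // Anything outside it returns neutral (not forbidden), so the entity's
  // own access control handler still has the final say.
  $public_menus = ['main', 'footer'];

  // Both rules additionally require 'access content', so a site that
  // removes that permission from anonymous users closes this path too.
  $has_content_access = AccessResult::allowedIfHasPermission($account, 'access content');

  if ($entity->getEntityTypeId() === 'menu_link_content') {
    /** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */
    $in_public_menu = in_array($entity->getMenuName(), $public_menus, TRUE);
    // Disabled links stay hidden even inside a public menu.
    return AccessResult::allowedIf($in_public_menu && $entity->isEnabled())
      ->andIf($has_content_access)
      ->addCacheableDependency($entity)
      ->cachePerPermissions();
  }

  if ($entity->getEntityTypeId() === 'menu') {
    // Menu config entities are keyed by machine name.
    return AccessResult::allowedIf(in_array($entity->id(), $public_menus, TRUE))
      ->andIf($has_content_access)
      ->addCacheableDependency($entity)
      ->cachePerPermissions();
  }

  return AccessResult::neutral();
}
```

Because hook_entity_access results are combined with the entity's access control handler (any `forbidden` wins, then any `allowed`, else neutral), this hook cannot accidentally hide something core already allows; it can only open the specific menus listed, and an `include` on a menu reference field in a JSON API query then succeeds or fails based on that same rule.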

Comment #4 by alex.skrypnyk

Status: new
Size: 1.59 KB

Attached is an updated version of the patch in #2 for those who need this functionality.

Comment #5 by wim leers

#2 + #4: Note that view label support is present in JSON API 2.x: #2843922: Show label of inaccessible entities ('view' access denied) when 'view label' access is allowed. The patches in #2 and #4 introduce a security vulnerability though!