Issue #2135445 by dww, Sam152, jessebeach, Mile23, Kristen Pol, Wim Leers,...

Issue #2135445 by dww, Sam152, jessebeach, Mile23, Kristen Pol, Wim Leers, larowlan: Toolbar displays Manage tab even if the user is not permitted to see it

Issue #2135445 by dww, Sam152, jessebeach, Mile23, Kristen Pol, Wim Leers,...
211c6641 · Lee Rowlands · 8b4ced17 · 211c6641 · 211c6641 · 211c6641
Verified Commit 211c6641 authored 6 years ago by Lee Rowlands
--- a/core/modules/settings_tray/tests/src/FunctionalJavascript/SettingsTrayBlockFormTest.php
+++ b/core/modules/settings_tray/tests/src/FunctionalJavascript/SettingsTrayBlockFormTest.php
@@ -30,6 +30,7 @@ protected function setUp() {

    $user = $this->createUser([
      'administer blocks',
+      'access administration pages',
      'access contextual links',
      'access toolbar',
      'administer nodes',

--- a/core/modules/toolbar/tests/src/Functional/ToolbarAdminMenuTest.php
+++ b/core/modules/toolbar/tests/src/Functional/ToolbarAdminMenuTest.php
@@ -394,6 +394,23 @@ public function testExternalLink() {
    $this->assertRaw('title="External URL &amp; escaped"');
  }

+  /**
+   * Tests that there is no Manage tab in the Toolbar for authenticated users.
+   *
+   * The authorized user should not have a Manage tab simply with the 'access
+   * toolbar' permission. They need 'access administration pages' for that.
+   */
+  public function testEmptyMenuTray() {
+    // Log out the admin user because we're testing restricted access.
+    $this->drupalLogout();
+    $this->drupalLogin($this->drupalCreateUser(['access toolbar']));
+    $this->assertResponse(200);
+    // @todo The toolbar div itself still has the id "toolbar-administration".
+    // @see https://www.drupal.org/project/drupal/issues/1044090
+    $this->assertSession()->elementExists('css', 'div[id=toolbar-administration]');
+    $this->assertSession()->elementNotExists('css', 'a[id=toolbar-item-administration]');
+  }
+
  /**
   * Get the hash value from the admin menu subtrees route path.
   *

--- a/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarIntegrationTest.php
+++ b/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarIntegrationTest.php
@@ -22,6 +22,7 @@ class ToolbarIntegrationTest extends WebDriverTestBase {
  public function testToolbarToggling() {
    $admin_user = $this->drupalCreateUser([
      'access toolbar',
+      'access administration pages',
      'administer site configuration',
      'access content overview',
    ]);

--- a/core/modules/toolbar/toolbar.module
+++ b/core/modules/toolbar/toolbar.module
@@ -159,6 +159,18 @@ function toolbar_toolbar() {
    '#weight' => -20,
  ];

+  // If the current user cannot access administration pages, we can save a large
+  // amount of unnecessary work by ending here. It'd be better to actually know
+  // if the admin menu tree is empty for them, but trying to load that tree only
+  // happens in a #pre_render callback, and at that point, it's too late. The
+  // entire toolbar is rendered with the 'user.permissions' #cache context, so
+  // we can safely do this here and it'll still be cached correctly.
+  // @see toolbar_prerender_toolbar_administration_tray()
+  // @see toolbar_page_top()
+  if (!\Drupal::currentUser()->hasPermission('access administration pages')) {
+    return $items;
+  }
+
  // To conserve bandwidth, we only include the top-level links in the HTML.
  // The subtrees are fetched through a JSONP script that is generated at the
  // toolbar_subtrees route. We provide the JavaScript requesting that JSONP