Issue #1541094 by c31ck, Antti J. Salminen | TravisCarden: Added 'access shortcuts' permission.

core/modules/shortcut/shortcut.module

@@ -38,7 +38,7 @@ function shortcut_help($route_name, Request $request) {
     case 'shortcut.set_add':
     case 'shortcut.set_edit':
       $user = \Drupal::currentUser();
-      if ($user->hasPermission('switch shortcut sets')) {
+      if ($user->hasPermission('access shortcuts') && $user->hasPermission('switch shortcut sets')) {
         $output = '<p>' . t('Define which shortcut set you are using on the <a href="@shortcut-link">Shortcuts tab</a> of your account page.', array('@shortcut-link' => url("user/{$user->id()}/shortcuts"))) . '</p>';
         return $output;
       }
@@ -61,6 +61,9 @@ function shortcut_permission() {
       'title' => t('Select any shortcut set'),
       'description' => t('From all shortcut sets, select one to be own active set. Without this permission, an administrator selects shortcut sets for users.'),
     ),
+    'access shortcuts' => array(
+      'title' => t('Use shortcuts'),
+    ),
   );
 }
 
@@ -77,11 +80,17 @@ function shortcut_permission() {
  */
 function shortcut_set_edit_access(ShortcutSetInterface $shortcut_set = NULL) {
   $account = \Drupal::currentUser();
-  // Sufficiently-privileged users can edit their currently displayed shortcut
-  // set, but not other sets. Shortcut administrators can edit any set.
+
+  // Shortcut administrators can edit any set.
   if ($account->hasPermission('administer shortcuts')) {
     return TRUE;
   }
+  // Access to shortcuts is required for non-administrators.
+  if (!$account->hasPermission('access shortcuts')) {
+    return FALSE;
+  }
+  // Sufficiently-privileged users can edit their currently displayed shortcut
+  // set, but not other sets.
   if ($account->hasPermission('customize shortcut links')) {
     return !isset($shortcut_set) || $shortcut_set == shortcut_current_displayed_set();
   }
@@ -108,6 +117,11 @@ function shortcut_set_switch_access($account = NULL) {
     return TRUE;
   }
 
+  if (!$user->hasPermission('access shortcuts')) {
+    // The user has no permission to use shortcuts.
+    return FALSE;
+  }
+
   if (!$user->hasPermission('switch shortcut sets')) {
     // The user has no permission to switch anyone's shortcut set.
     return FALSE;
@@ -397,43 +411,47 @@ function shortcut_preprocess_page(&$variables) {
  * Implements hook_toolbar().
  */
 function shortcut_toolbar() {
+  $user = \Drupal::currentUser();
+
   $items = array();
-  $links = shortcut_renderable_links();
-  $shortcut_set = shortcut_current_displayed_set();
-  $configure_link = NULL;
-  if (shortcut_set_edit_access($shortcut_set)) {
-    $configure_link = array(
-      '#type' => 'link',
-      '#title' => t('Edit shortcuts'),
-      '#route_name' => 'shortcut.set_customize',
-      '#route_parameters' => array('shortcut_set' => $shortcut_set->id()),
-      '#options' => array('attributes' => array('class' => array('edit-shortcuts'))),
-    );
-  }
-  if (!empty($links) || !empty($configure_link)) {
-    $items['shortcuts'] = array(
-      '#type' => 'toolbar_item',
-      'tab' => array(
+  if ($user->hasPermission('access shortcuts')) {
+    $links = shortcut_renderable_links();
+    $shortcut_set = shortcut_current_displayed_set();
+    $configure_link = NULL;
+    if (shortcut_set_edit_access($shortcut_set)) {
+      $configure_link = array(
         '#type' => 'link',
-        '#title' => t('Shortcuts'),
-        '#href' => 'admin/config/user-interface/shortcut',
-        '#attributes' => array(
-          'title' => t('Shortcuts'),
-          'class' => array('toolbar-icon', 'toolbar-icon-shortcut'),
+        '#title' => t('Edit shortcuts'),
+        '#route_name' => 'shortcut.set_customize',
+        '#route_parameters' => array('shortcut_set' => $shortcut_set->id()),
+        '#options' => array('attributes' => array('class' => array('edit-shortcuts'))),
+      );
+    }
+    if (!empty($links) || !empty($configure_link)) {
+      $items['shortcuts'] = array(
+        '#type' => 'toolbar_item',
+        'tab' => array(
+          '#type' => 'link',
+          '#title' => t('Shortcuts'),
+          '#href' => 'admin/config/user-interface/shortcut',
+          '#attributes' => array(
+            'title' => t('Shortcuts'),
+            'class' => array('toolbar-icon', 'toolbar-icon-shortcut'),
+          ),
         ),
-      ),
-      'tray' => array(
-        '#heading' => t('User-defined shortcuts'),
-        'shortcuts' => $links,
-        'configure' => $configure_link,
-      ),
-      '#weight' => -10,
-      '#attached' => array(
-        'library' => array(
-          'shortcut/drupal.shortcut',
+        'tray' => array(
+          '#heading' => t('User-defined shortcuts'),
+          'shortcuts' => $links,
+          'configure' => $configure_link,
         ),
-      ),
-    );
+        '#weight' => -10,
+        '#attached' => array(
+          'library' => array(
+            'shortcut/drupal.shortcut',
+          ),
+        ),
+      );
+    }
   }
 
   return $items;

core/modules/shortcut/src/Access/ShortcutSetSwitchAccessCheck.php

@@ -33,6 +33,11 @@ public function access(UserInterface $user, AccountInterface $account) {
       return static::ALLOW;
     }
 
+    if (!$account->hasPermission('access shortcuts')) {
+      // The user has no permission to use shortcuts.
+      return static::DENY;
+    }
+
     if (!$account->hasPermission('switch shortcut sets')) {
       // The user has no permission to switch anyone's shortcut set.
       return static::DENY;

core/modules/shortcut/src/ShortcutSetAccessController.php

@@ -25,6 +25,9 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
         if ($account->hasPermission('administer shortcuts')) {
           return TRUE;
         }
+        if (!$account->hasPermission('access shortcuts')) {
+          return FALSE;
+        }
         if ($account->hasPermission('customize shortcut links')) {
           return $entity == shortcut_current_displayed_set($account);
         }
@@ -44,7 +47,15 @@ protected function checkAccess(EntityInterface $entity, $operation, $langcode, A
    * {@inheritdoc}
    */
   protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
-    return $account->hasPermission('administer shortcuts') || $account->hasPermission('customize shortcut links');
+    if ($account->hasPermission('administer shortcuts')) {
+      return TRUE;
+    }
+    if (!$account->hasPermission('access shortcuts')) {
+      return FALSE;
+    }
+    if ($account->hasPermission('customize shortcut links')) {
+      return TRUE;
+    }
   }
 
 }

core/modules/shortcut/src/Tests/ShortcutCacheTagsTest.php

@@ -37,6 +37,7 @@ public function setUp() {
     // can verify the cache tags of cached versions of shortcuts.
     $user_role = entity_load('user_role', DRUPAL_ANONYMOUS_RID);
     $user_role->grantPermission('customize shortcut links');
+    $user_role->grantPermission('access shortcuts');
     $user_role->save();
   }
 

core/modules/shortcut/src/Tests/ShortcutLinksTest.php

@@ -215,4 +215,62 @@ public function testNoShortcutLink() {
     $this->assertTrue(!empty($result), 'Add to shortcuts link was shown on a page the user does have access to.');
   }
 
+  /**
+   * Tests that the 'access shortcuts' permissions works properly.
+   */
+  public function testAccessShortcutsPermission() {
+    // Change to a theme that displays shortcuts.
+    \Drupal::service('theme_handler')->enable(array('seven'));
+    \Drupal::config('system.theme')
+      ->set('default', 'seven')
+      ->save();
+
+    // Add cron to the default shortcut set.
+    $this->drupalLogin($this->root_user);
+    $this->drupalGet('admin/config/system/cron');
+    $this->clickLink('Add to Default shortcuts');
+
+    // Verify that users without the 'access shortcuts' permission can't see the
+    // shortcuts.
+    $this->drupalLogin($this->drupalCreateUser(array('access toolbar')));
+    $this->assertNoLink('Shortcuts', 0, 'Shortcut link not found on page.');
+
+    // Verify that users with the 'access shortcuts' permission can see the
+    // shortcuts.
+    $this->drupalLogin($this->drupalCreateUser(array('access toolbar', 'access shortcuts')));
+    $this->clickLink('Shortcuts', 0, 'Shortcut link found on page.');
+    $this->assertLink('Cron', 0, 'Cron shortcut link found on page.');
+
+    $this->verifyAccessShortcutsPermissionForEditPages();
+  }
+
+  /**
+   * Tests that the 'access shortcuts' permission is required for shortcut set
+   * administration page access.
+   */
+  private function verifyAccessShortcutsPermissionForEditPages() {
+    // Create a user with customize links and switch sets permissions  but
+    // without the 'access shortcuts' permission.
+    $test_permissions = array(
+      'customize shortcut links',
+      'switch shortcut sets',
+    );
+    $noaccess_user = $this->drupalCreateUser($test_permissions);
+    $this->drupalLogin($noaccess_user);
+
+    // Verify that set administration pages are inaccessible without the
+    // 'access shortcuts' permission.
+    $edit_paths = array(
+      'admin/config/user-interface/shortcut/manage/default/customize',
+      'admin/config/user-interface/shortcut/manage/default',
+      'user/' . $noaccess_user->id() . '/shortcuts',
+    );
+
+    foreach ($edit_paths as $path) {
+      $this->drupalGet($path);
+      $message = format_string('Access is denied on %s', array('%s' => $path));
+      $this->assertResponse(403, $message);
+    }
+  }
+
 }

core/profiles/standard/standard.install

@@ -51,6 +51,9 @@ function standard_install() {
   user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access site-wide contact form'));
   user_role_grant_permissions(DRUPAL_AUTHENTICATED_RID, array('access site-wide contact form'));
 
+  // Allow authenticated users to use shortcuts.
+  user_role_grant_permissions(DRUPAL_AUTHENTICATED_RID, array('access shortcuts'));
+
   // Populate the default shortcut set.
   $shortcut = entity_create('shortcut', array(
     'shortcut_set' => 'default',