Commit 6c37e3ed authored by alexpott's avatar alexpott

Issue #2492513 by JeroenT, Nitesh Pawar, wturrell, Jo Fitzgerald, rashidkhan,...

Issue #2492513 by JeroenT, Nitesh Pawar, wturrell, Jo Fitzgerald, rashidkhan, alx_benjamin, gaurav.kapoor, NikitaJain, amit.drupal, Shabbir, alexpott, xjm, cilefen: Cannot edit the user/login menu link as an admin
parent 36c53a27
......@@ -59,11 +59,12 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
return AccessResult::neutral("The 'administer menu' permission is required.")->cachePerPermissions();
}
else {
// If there is a URL, this is an external link so always accessible.
// Assume that access is allowed.
$access = AccessResult::allowed()->cachePerPermissions()->addCacheableDependency($entity);
/** @var \Drupal\menu_link_content\MenuLinkContentInterface $entity */
// We allow access, but only if the link is accessible as well.
if (($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
// If the link is routed determine whether the user has access unless
// they have the 'link to any page' permission.
if (!$account->hasPermission('link to any page') && ($url_object = $entity->getUrlObject()) && $url_object->isRouted()) {
$link_access = $this->accessManager->checkNamedRoute($url_object->getRouteName(), $url_object->getRouteParameters(), $account, TRUE);
$access = $access->andIf($link_access);
}
......
......@@ -2,6 +2,7 @@
namespace Drupal\menu_link_content\Tests;
use Drupal\menu_link_content\Entity\MenuLinkContent;
use Drupal\simpletest\WebTestBase;
/**
......@@ -20,13 +21,53 @@ class MenuLinkContentFormTest extends WebTestBase {
'menu_link_content',
];
/**
* User with 'administer menu' and 'link to any page' permission.
*
* @var \Drupal\user\Entity\User
*/
protected $adminUser;
/**
* User with only 'administer menu' permission.
*
* @var \Drupal\user\Entity\User
*/
protected $basicUser;
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$web_user = $this->drupalCreateUser(['administer menu']);
$this->drupalLogin($web_user);
$this->adminUser = $this->drupalCreateUser(['administer menu', 'link to any page']);
$this->basicUser = $this->drupalCreateUser(['administer menu']);
$this->drupalLogin($this->adminUser);
}
/**
* Tests the 'link to any page' permission for a restricted page.
*/
public function testMenuLinkContentFormLinkToAnyPage() {
$menu_link = MenuLinkContent::create([
'title' => 'Menu link test',
'provider' => 'menu_link_content',
'menu_name' => 'admin',
'link' => ['uri' => 'internal:/user/login'],
]);
$menu_link->save();
// The user should be able to edit a menu link to the page, even though
// the user cannot access the page itself.
$this->drupalGet('/admin/structure/menu/item/' . $menu_link->id() . '/edit');
$this->assertResponse(200);
$this->drupalLogin($this->basicUser);
$this->drupalGet('/admin/structure/menu/item/' . $menu_link->id() . '/edit');
$this->assertResponse(403);
}
/**
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment