Commit f458f5a2 authored by larowlan's avatar larowlan

Issue #2135445 by dww, Sam152, jessebeach, Mile23, Kristen Pol, Wim Leers,...

Issue #2135445 by dww, Sam152, jessebeach, Mile23, Kristen Pol, Wim Leers, larowlan: Toolbar displays Manage tab even if the user is not permitted to see it

(cherry picked from commit 211c6641)
parent 11fc8005
......@@ -30,6 +30,7 @@ protected function setUp() {
$user = $this->createUser([
'administer blocks',
'access administration pages',
'access contextual links',
'access toolbar',
'administer nodes',
......@@ -394,6 +394,23 @@ public function testExternalLink() {
$this->assertRaw('title="External URL & escaped"');
* Tests that there is no Manage tab in the Toolbar for authenticated users.
* The authorized user should not have a Manage tab simply with the 'access
* toolbar' permission. They need 'access administration pages' for that.
public function testEmptyMenuTray() {
// Log out the admin user because we're testing restricted access.
$this->drupalLogin($this->drupalCreateUser(['access toolbar']));
// @todo The toolbar div itself still has the id "toolbar-administration".
// @see
$this->assertSession()->elementExists('css', 'div[id=toolbar-administration]');
$this->assertSession()->elementNotExists('css', 'a[id=toolbar-item-administration]');
* Get the hash value from the admin menu subtrees route path.
......@@ -22,6 +22,7 @@ class ToolbarIntegrationTest extends WebDriverTestBase {
public function testToolbarToggling() {
$admin_user = $this->drupalCreateUser([
'access toolbar',
'access administration pages',
'administer site configuration',
'access content overview',
......@@ -159,6 +159,18 @@ function toolbar_toolbar() {
'#weight' => -20,
// If the current user cannot access administration pages, we can save a large
// amount of unnecessary work by ending here. It'd be better to actually know
// if the admin menu tree is empty for them, but trying to load that tree only
// happens in a #pre_render callback, and at that point, it's too late. The
// entire toolbar is rendered with the 'user.permissions' #cache context, so
// we can safely do this here and it'll still be cached correctly.
// @see toolbar_prerender_toolbar_administration_tray()
// @see toolbar_page_top()
if (!\Drupal::currentUser()->hasPermission('access administration pages')) {
return $items;
// To conserve bandwidth, we only include the top-level links in the HTML.
// The subtrees are fetched through a JSONP script that is generated at the
// toolbar_subtrees route. We provide the JavaScript requesting that JSONP
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment