Merge branch 'feature/ISTWCMS-5085-lkmorlan-menu-link-admin-access' into '3.0.x'

ISTWCMS-5085: Prevent non-admin access to menu add, edit, and delete

See merge request !243

composer.json

@@ -78,7 +78,7 @@
         "drupal/media_entity_browser": "2.0-alpha3",
         "drupal/media_library_edit": "2.0",
         "drupal/media_library_form_element": "2.0.3",
-        "drupal/menu_admin_per_menu": "1.3",
+        "drupal/menu_admin_per_menu": "dev-8.x-1.3+4-dev-uw_wcms1",
         "drupal/metatag": "1.16",
         "drupal/module_filter": "3.2",
         "drupal/node_revision_delete": "dev-1.0-rc3-uw_wcms1",

tests/src/Functional/UwWcmsBasicTest.php

@@ -1563,17 +1563,18 @@ class UwWcmsBasicTest extends BrowserTestBase {
     $this->assertSession()->statusCodeEquals(200);
     $this->assertSession()->elementExists('css', 'input#edit-weight[value="-51"]');
 
-    $this->drupalLogin($this->drupalUsers['uw_role_site_manager']);
+    // Menu admin. These are tested again below as site manager who does not
+    // have access.
+    // Edit link for home page.
+    $this->drupalGet('admin/structure/menu/manage/main');
+    $path = 'admin/structure/menu/link/uw_base_profile.front_page/edit';
+    $this->assertSession()->elementExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');
+    // Menu add item link.
+    $this->drupalGet('admin/structure/menu');
+    $path = 'admin/structure/menu/manage/main/add';
+    $this->assertSession()->elementExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');
 
-    // No access to edit home page menu entry.
-    $this->drupalGet('admin/structure/menu/link/uw_base_profile.front_page/edit');
-    $this->assertSession()->statusCodeEquals(403);
-    // Test that the home page cannot be the parent of any item. Using first
-    // menu item that was created.
-    $this->drupalGet('admin/structure/menu/item/1/edit');
-    $this->assertSession()->statusCodeEquals(200);
-    $this->assertSession()->elementExists('css', 'select#edit-menu-parent');
-    $this->assertSession()->elementNotExists('css', 'select#edit-menu-parent > option[value="main:uw_base_profile.front_page"]');
+    $this->drupalLogin($this->drupalUsers['uw_role_site_manager']);
 
     // Test that main menu has disabled Catalogs menu link.
     $this->drupalGet('admin/structure/menu/manage/main');
@@ -1585,6 +1586,19 @@ class UwWcmsBasicTest extends BrowserTestBase {
     // to validate if checkbox is unchecked.
     $menu_uuid = $this->getSession()->getPage()->findLink('Catalogs')->getParent()->getParent()->getAttribute('data-drupal-selector');
     $this->assertSession()->checkboxNotChecked($menu_uuid . '-enabled');
+
+    // No access to menu admin.
+    // No access to edit home page menu entry.
+    $path = 'admin/structure/menu/link/uw_base_profile.front_page/edit';
+    $this->assertSession()->elementNotExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');
+    $this->drupalGet($path);
+    $this->assertSession()->statusCodeEquals(403);
+    // Menu add item link.
+    $this->drupalGet('admin/structure/menu');
+    $path = 'admin/structure/menu/manage/main/add';
+    $this->assertSession()->elementNotExists('xpath', '//ul[@class="dropbutton"]/li/a[@href="' . base_path() . $path . '"]');
+    $this->drupalGet($path);
+    $this->assertSession()->statusCodeEquals(403);
   }
 
   /**