ISTWCMS-5333: better access control for content moderation form

src/Form/UwContentModerationForm.php

@@ -76,9 +76,27 @@ class UwContentModerationForm extends ConfirmFormBase {
    *   A AccessResult object.
    */
   public function access(int $nid, AccountInterface $account): AccessResult {
+
+    // Ensure that anonymous users can not
+    // access this form.
+    if ($account->isAnonymous()) {
+      return AccessResult::forbidden();
+    }
+
+    // Ensure that home page access is respected.
     if (UWService::nodeIsHomePage($nid) && !$account->hasPermission('bypass home page protection')) {
       return AccessResult::forbidden();
     }
+
+    // Get the node.
+    $node = $this->entityTypeManager->getStorage('node')->load($nid);
+
+    // If the user does not have permission to edit the node
+    // forbid them from the link.
+    if (!$account->hasPermission('edit any ' . $node->bundle() . ' content')) {
+      return AccessResult::forbidden();
+    }
+
     return AccessResult::allowed();
   }
 

uw_cfg_common.routing.yml

@@ -12,7 +12,6 @@ uw_content_moderation.form:
     _form: '\Drupal\uw_cfg_common\Form\UwContentModerationForm'
   requirements:
     _custom_access: '\Drupal\uw_cfg_common\Form\UwContentModerationForm::access'
-    _permission: 'access administration pages'
 uw_cfg_common.analytics_ownership.form:
   path: '/admin/config/google_analytics_settings'
   defaults: