From 7f109e940d54c6afc669cb3eb9e7f328de2a412c Mon Sep 17 00:00:00 2001
From: Liam Morland <lkmorlan@uwaterloo.ca>
Date: Wed, 13 Oct 2021 12:46:35 -0400
Subject: [PATCH] ISTWCMS-5085: Prevent non-admin access to menu add, edit, and
 delete pages

---
 src/Access/UwNodeAccessCheck.php            |  7 +++++++
 src/Routing/UwNodeAccessRouteSubscriber.php | 10 ++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/Access/UwNodeAccessCheck.php b/src/Access/UwNodeAccessCheck.php
index 9c3fac18..1d0a61e7 100644
--- a/src/Access/UwNodeAccessCheck.php
+++ b/src/Access/UwNodeAccessCheck.php
@@ -52,6 +52,13 @@ class UwNodeAccessCheck implements AccessInterface {
       case 'dashboards.dashboards_settings_form':
         return $account->hasPermission('access dashboard config') ? AccessResult::allowed() : AccessResult::forbidden();
 
+      // Menu link add, edit, and delete pages.
+      case 'entity.menu.add_link_form':
+      case 'entity.menu_link_content.canonical':
+      case 'entity.menu_link_content.edit_form':
+      case 'entity.menu_link_content.delete_form':
+        return $account->hasPermission('administer menu') ? AccessResult::allowed() : AccessResult::forbidden();
+
     }
 
     // Get the node object, which is in the route match variable.
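Review bot: The access results returned by the new `administer menu` case carry no cacheability metadata, because `AccessResult::allowed()` and `AccessResult::forbidden()` are constructed without the `user.permissions` cache context; if this result is bubbled into anything cacheable (local tasks, menu link rendering), the decision computed for one account may be served to another. Keeping the explicit forbidden outcome but tagging the result fixes that in one line: `return ($account->hasPermission('administer menu') ? AccessResult::allowed() : AccessResult::forbidden())->cachePerPermissions();`. The existing `access dashboard config` case directly above has the same shape and would benefit from the same treatment, though that is outside this commit's scope. The enclosing access() method starts before this hunk and continues after it, so I cannot see whether the node-based branch that follows already adds contexts.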
diff --git a/src/Routing/UwNodeAccessRouteSubscriber.php b/src/Routing/UwNodeAccessRouteSubscriber.php
index 2036afa7..ce6845ff 100644
--- a/src/Routing/UwNodeAccessRouteSubscriber.php
+++ b/src/Routing/UwNodeAccessRouteSubscriber.php
@@ -24,6 +24,16 @@ class UwNodeAccessRouteSubscriber extends RouteSubscriberBase {
       'entity.node.delete_form',
       // Menu link edit pages.
       'menu_ui.link_edit',
+      // Menu link add page.
+      // Path admin/structure/menu/manage/{menu}/add.
+      'entity.menu.add_link_form',
+      // Menu link edit page.
+      // Path admin/structure/menu/item/{menu_link_content}/edit.
+      'entity.menu_link_content.canonical',
+      'entity.menu_link_content.edit_form',
+      // Menu link delete page.
+      // Path admin/structure/menu/item/{menu_link_content}/delete.
+      'entity.menu_link_content.delete_form',
     ];
     foreach ($access_route_names as $route_name) {
       if ($route = $collection->get($route_name)) {
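Review bot: A route name that is absent from the collection is skipped silently by the `if ($route = $collection->get($route_name))` guard, so if any of the newly listed names (for instance `entity.menu_link_content.canonical`, which the comment groups with the edit form) is renamed or dropped by a later core release, this restriction disappears without any signal — a fail-open for an access control. Consider an `else` branch that records the miss, e.g. `else { $this->logger->warning('Route @name not found; access restriction not applied.', ['@name' => $route_name]); }`, assuming a logger is or can be injected into this subscriber. The same route names are also hard-coded as `case` labels in UwNodeAccessCheck, so the two lists must be kept in sync by hand; a shared class constant consumed by both would remove that hazard. The foreach body continues past the end of this hunk.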
-- 
GitLab