From 84793d169d36f51a4e6e980fd496fef99bfb8d3e Mon Sep 17 00:00:00 2001
From: Liam Morland <lkmorlan@uwaterloo.ca>
Date: Fri, 26 Feb 2021 14:32:48 -0500
Subject: [PATCH] ISTWCMS-4229: Protect home page delete page

---
 src/Access/UwNodeAccessCheck.php            | 13 +++++++++++++
 src/Routing/UwNodeAccessRouteSubscriber.php |  2 ++
 uw_cfg_common.module                        |  5 +++++
 3 files changed, 20 insertions(+)

diff --git a/src/Access/UwNodeAccessCheck.php b/src/Access/UwNodeAccessCheck.php
index 3bb22e44..af8a0b17 100644
--- a/src/Access/UwNodeAccessCheck.php
+++ b/src/Access/UwNodeAccessCheck.php
@@ -7,6 +7,7 @@ use Drupal\Core\Routing\Access\AccessInterface;
 use Drupal\Core\Routing\RouteMatchInterface;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\menu_admin_per_menu\Access\MenuAdminPerMenuAccess;
+use Drupal\uw_cfg_common\Service\UWService;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 /**
@@ -42,6 +43,18 @@ class UwNodeAccessCheck implements AccessInterface {
       }
     }
 
+    // Node delete pages.
+    if ($route_name === 'entity.node.delete_form') {
+      $node = $route_match->getParameter('node');
+      // Only those with permission may delete the home page.
+      if ($node && UWService::nodeIsHomePage((int) $node->id())) {
+        return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
+      }
+      else {
+        return AccessResult::allowed();
+      }
+    }
+
     // Get the node object, which is in the route match variable.
     $node = $route_match->getParameter('node');
 
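Review bot: The `else` branch returns `AccessResult::allowed()` for every node that is not the home page, so this check never looks at the node's own delete access. Whether the core entity delete check still runs depends on how `UwNodeAccessRouteSubscriber` attaches this checker, which is not visible in the diff. If it replaces the route requirements rather than adding to them, this branch alone would grant the delete form, so please confirm, or return `$node->access('delete', $account, TRUE)` when a node is loaded. Separately, the home-page branch decides on a permission but carries no cache context. I would build the result first and return `$result->cachePerPermissions()` so a cached decision is not reused across roles. The enclosing method starts and ends outside this hunk.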
diff --git a/src/Routing/UwNodeAccessRouteSubscriber.php b/src/Routing/UwNodeAccessRouteSubscriber.php
index 0822a9bb..d9a15672 100644
--- a/src/Routing/UwNodeAccessRouteSubscriber.php
+++ b/src/Routing/UwNodeAccessRouteSubscriber.php
@@ -20,6 +20,8 @@ class UwNodeAccessRouteSubscriber extends RouteSubscriberBase {
       'entity.node.canonical',
       // Menu link edit pages.
       'menu_ui.link_edit',
+      // Node delete pages.
+      'entity.node.delete_form',
     ];
     foreach ($access_route_names as $route_name) {
       if ($route = $collection->get($route_name)) {
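Review bot: Adding only `'entity.node.delete_form'` to `$access_route_names` protects the home page on that one route; any delete that does not go through this form (bulk operations, web-service or programmatic deletes, if enabled on the site) is not covered by a route-level check. The more robust place for the rule is entity access, e.g. a `hook_node_access()` implementation that returns `AccessResult::forbidden()` for the `delete` operation on the home page unless the account has `bypass home page protection`. The route check can then stay as a UI convenience. The `foreach` body continues outside this hunk, so how the check is attached to the route is not visible here.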
diff --git a/uw_cfg_common.module b/uw_cfg_common.module
index 17719beb..3695fbdb 100644
--- a/uw_cfg_common.module
+++ b/uw_cfg_common.module
@@ -310,6 +310,11 @@ function uw_cfg_common_form_node_uw_ct_web_page_edit_form_alter(array &$form, Fo
   $form['menu']['#type'] = 'container';
   $form['menu']['enabled']['#access'] = FALSE;
   $form['menu']['link']['#access'] = FALSE;
+
+  // Hide delete link if no access. This should happen by itself, but does not.
+  if (!$form['actions']['delete']['#url']->access()) {
+    $form['actions']['delete']['#access'] = FALSE;
+  }
 }
 
 /**
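Review bot: The added condition dereferences `$form['actions']['delete']['#url']` without checking that it exists, so the form alter would hit a fatal error on a null value if the delete action is missing (for example, removed by another alter). Guard it: `if (isset($form['actions']['delete']['#url']) && !$form['actions']['delete']['#url']->access()) {`. Note also that this alter is bound to the `uw_ct_web_page` edit form only, so if the home page can be another content type its delete link would still be shown; the link is cosmetic, though, as the route check is what enforces the rule.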
-- 
GitLab