Merge branch 'feature/ISTWCMS-4631-lkmorlan-toolbar' into '8.x-1.x'

ISTWCMS-4631: Toolbar permissions instead of role checks

See merge request !70

src/Service/UWService.php

@@ -5,7 +5,6 @@ namespace Drupal\uw_cfg_common\Service;
 use Drupal\Core\Database\Connection;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Entity\EntityTypeManagerInterface;
-use Drupal\Core\Session\AccountInterface;
 use Drupal\node\NodeInterface;
 use Drupal\simplify_menu\MenuItems;
 
@@ -418,24 +417,4 @@ class UWService implements UWServiceInterface {
     }
   }
 
-  /**
-   * Determine whether the user is in an administrator group.
-   *
-   * @param \Drupal\Core\Session\AccountInterface $user
-   *   The user object.
-   *
-   * @return bool
-   *   TRUE if the user is in an administrator group, FALSE otherwise.
-   */
-  public static function userIsAdmin(AccountInterface $user): bool {
-    $user_roles = $user->getRoles();
-
-    // Based on core/modules/user/src/AccountSettingsForm.php.
-    $admin_roles = \Drupal::service('entity_type.manager')->getStorage('user_role')->getQuery()
-      ->condition('is_admin', TRUE)
-      ->execute();
-
-    return (bool) array_intersect($user_roles, $admin_roles);
-  }
-
 }

uw_cfg_common.module

@@ -183,19 +183,8 @@ function uw_cfg_common_toolbar_alter(&$items) {
     return;
   }
 
-  // Get the roles of the user.
-  $roles = $current_user->getRoles();
-
-  // If there is only 1 role and that first role is authenticated, remove the
-  // manage link. If there are multiple roles then we know that they will have
-  // the Manage link, we are only removing the manage link for strictly
-  // authenticated users only.
-  if (count($roles) == 1 && $roles[0] == 'authenticated') {
-    // Remove the manage link.
-    unset($items['administration']);
-  }
   // Adjust toolbar for non-admin users.
-  elseif (!UWService::userIsAdmin($current_user)) {
+  if (!$current_user->hasPermission('access manage toolbar item')) {
     // Remove "Manage" toolbar item.
     unset($items['administration']);
     // Add links to "Workbench". 'dashboards' is renamed in

uw_cfg_common.permissions.yml

@@ -8,6 +8,9 @@
   title: 'Administer role expire configuration'
   description: 'Allows access to admin/config/system/role-expire.'
   restrict access: true
+'access manage toolbar item':
+  title: 'Access "Manage" toolbar item'
+  description: 'Allows access to the toolbar item "Manage". Without this, "People" and "Reports" will appear under "Workbench" to those who have access.'
 'bypass home page protection':
   title: 'Bypass home page protection'
   description: 'Allows taking actions that are not normally allowed for the home page, such as unpublishing.'