Merge branch 'feature/ISTWCMS-5085-lkmorlan-menu-link-admin-access' into '1.0.x'

ISTWCMS-5085: Prevent non-admin access to menu add, edit, and delete

See merge request !153

src/Access/UwNodeAccessCheck.php

@@ -27,37 +27,38 @@ class UwNodeAccessCheck implements AccessInterface {
    *   The access result.
    */
   public function access(RouteMatchInterface $route_match, AccountInterface $account): AccessResult {
-    $route_name = $route_match->getRouteName();
-
-    // Menu link edit pages.
-    if ($route_name === 'menu_ui.link_edit') {
-      $menu_link_plugin = $route_match->getParameter('menu_link_plugin');
-      // Only those with permission may edit home page menu entry.
-      if ($menu_link_plugin->getPluginId() === 'uw_base_profile.front_page') {
-        return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
-      }
-      else {
+    switch ($route_match->getRouteName()) {
+      // Menu link edit pages.
+      case 'menu_ui.link_edit':
+        $menu_link_plugin = $route_match->getParameter('menu_link_plugin');
+        // Only those with permission may edit home page menu entry.
+        if ($menu_link_plugin->getPluginId() === 'uw_base_profile.front_page') {
+          return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
+        }
         // Otherwise, default to access set in menu_admin_per_menu.
         $menu_admin_per_menu = new MenuAdminPerMenuAccess();
         return $menu_admin_per_menu->menuLinkAccess($account, $menu_link_plugin);
-      }
-    }
 
-    // Node delete pages.
-    if ($route_name === 'entity.node.delete_form') {
-      $node = $route_match->getParameter('node');
-      // Only those with permission may delete the home page.
-      if ($node && UWService::nodeIsHomePage((int) $node->id())) {
-        return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
-      }
-      else {
+      // Node delete pages.
+      case 'entity.node.delete_form':
+        $node = $route_match->getParameter('node');
+        // Only those with permission may delete the home page.
+        if ($node && UWService::nodeIsHomePage((int) $node->id())) {
+          return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
+        }
         return AccessResult::allowed();
-      }
-    }
 
-    // Dashboard config: admin/config/dashboards/dashboardssettings.
-    if ($route_name === 'dashboards.dashboards_settings_form') {
-      return $account->hasPermission('access dashboard config') ? AccessResult::allowed() : AccessResult::forbidden();
+      // Dashboard config: admin/config/dashboards/dashboardssettings.
+      case 'dashboards.dashboards_settings_form':
+        return $account->hasPermission('access dashboard config') ? AccessResult::allowed() : AccessResult::forbidden();
+
+      // Menu link add, edit, and delete pages.
+      case 'entity.menu.add_link_form':
+      case 'entity.menu_link_content.canonical':
+      case 'entity.menu_link_content.edit_form':
+      case 'entity.menu_link_content.delete_form':
+        return $account->hasPermission('administer menu') ? AccessResult::allowed() : AccessResult::forbidden();
+
     }
 
     // Get the node object, which is in the route match variable.

src/Routing/UwNodeAccessRouteSubscriber.php

@@ -24,6 +24,16 @@ class UwNodeAccessRouteSubscriber extends RouteSubscriberBase {
       'entity.node.delete_form',
       // Menu link edit pages.
       'menu_ui.link_edit',
+      // Menu link add page.
+      // Path admin/structure/menu/manage/{menu}/add.
+      'entity.menu.add_link_form',
+      // Menu link edit page.
+      // Path admin/structure/menu/item/{menu_link_content}/edit.
+      'entity.menu_link_content.canonical',
+      'entity.menu_link_content.edit_form',
+      // Menu link delete page.
+      // Path admin/structure/menu/item/{menu_link_content}/delete.
+      'entity.menu_link_content.delete_form',
     ];
     foreach ($access_route_names as $route_name) {
       if ($route = $collection->get($route_name)) {

uw_cfg_common.module

@@ -9,6 +9,7 @@ use Drupal\Component\Utility\Html;
 use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Render\Element;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\Core\Url;
 use Drupal\media_library\MediaLibraryState;
@@ -470,11 +471,18 @@ function uw_cfg_common_form_node_uw_ct_web_page_edit_form_alter(array &$form, Fo
 /**
  * Implements hook_form_FORM_ID_alter().
  *
- * Menu edit form: admin/structure/menu/manage/main.
- *
- * Prevent certain changes to the home page.
+ * Menu edit form: admin/structure/menu/manage/{menu}.
  */
 function uw_cfg_common_form_menu_edit_form_alter(array &$form, FormStateInterface $form_state, string $form_id): void {
+  // Hide links to menu edit and delete for non-admin.
+  if (!\Drupal::currentUser()->hasPermission('administer menu')) {
+    foreach (Element::children($form['links']['links']) as $element_key) {
+      $form['links']['links'][$element_key]['operations']['#access'] = FALSE;
+    }
+  }
+
+  // Prevent certain changes to the home page.
+  //
   // No changes for those with access.
   if (\Drupal::currentUser()->hasPermission('bypass home page protection')) {
     return;