Commit 99288cbc authored by Lily Yan's avatar Lily Yan
Browse files

Merge branch 'feature/ISTWCMS-5085-lkmorlan-menu-link-admin-access' into '1.0.x'

ISTWCMS-5085: Prevent non-admin access to menu add, edit, and delete

See merge request !153
parents 23cce581 0547eb8b
......@@ -27,37 +27,38 @@ class UwNodeAccessCheck implements AccessInterface {
* The access result.
*/
public function access(RouteMatchInterface $route_match, AccountInterface $account): AccessResult {
$route_name = $route_match->getRouteName();
// Menu link edit pages.
if ($route_name === 'menu_ui.link_edit') {
$menu_link_plugin = $route_match->getParameter('menu_link_plugin');
// Only those with permission may edit home page menu entry.
if ($menu_link_plugin->getPluginId() === 'uw_base_profile.front_page') {
return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
}
else {
switch ($route_match->getRouteName()) {
// Menu link edit pages.
case 'menu_ui.link_edit':
$menu_link_plugin = $route_match->getParameter('menu_link_plugin');
// Only those with permission may edit home page menu entry.
if ($menu_link_plugin->getPluginId() === 'uw_base_profile.front_page') {
return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
}
// Otherwise, default to access set in menu_admin_per_menu.
$menu_admin_per_menu = new MenuAdminPerMenuAccess();
return $menu_admin_per_menu->menuLinkAccess($account, $menu_link_plugin);
}
}
// Node delete pages.
if ($route_name === 'entity.node.delete_form') {
$node = $route_match->getParameter('node');
// Only those with permission may delete the home page.
if ($node && UWService::nodeIsHomePage((int) $node->id())) {
return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
}
else {
// Node delete pages.
case 'entity.node.delete_form':
$node = $route_match->getParameter('node');
// Only those with permission may delete the home page.
if ($node && UWService::nodeIsHomePage((int) $node->id())) {
return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
}
return AccessResult::allowed();
}
}
// Dashboard config: admin/config/dashboards/dashboardssettings.
if ($route_name === 'dashboards.dashboards_settings_form') {
return $account->hasPermission('access dashboard config') ? AccessResult::allowed() : AccessResult::forbidden();
// Dashboard config: admin/config/dashboards/dashboardssettings.
case 'dashboards.dashboards_settings_form':
return $account->hasPermission('access dashboard config') ? AccessResult::allowed() : AccessResult::forbidden();
// Menu link add, edit, and delete pages.
case 'entity.menu.add_link_form':
case 'entity.menu_link_content.canonical':
case 'entity.menu_link_content.edit_form':
case 'entity.menu_link_content.delete_form':
return $account->hasPermission('administer menu') ? AccessResult::allowed() : AccessResult::forbidden();
}
// Get the node object, which is in the route match variable.
......
......@@ -24,6 +24,16 @@ class UwNodeAccessRouteSubscriber extends RouteSubscriberBase {
'entity.node.delete_form',
// Menu link edit pages.
'menu_ui.link_edit',
// Menu link add page.
// Path admin/structure/menu/manage/{menu}/add.
'entity.menu.add_link_form',
// Menu link edit page.
// Path admin/structure/menu/item/{menu_link_content}/edit.
'entity.menu_link_content.canonical',
'entity.menu_link_content.edit_form',
// Menu link delete page.
// Path admin/structure/menu/item/{menu_link_content}/delete.
'entity.menu_link_content.delete_form',
];
foreach ($access_route_names as $route_name) {
if ($route = $collection->get($route_name)) {
......
......@@ -9,6 +9,7 @@ use Drupal\Component\Utility\Html;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Element;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Drupal\media_library\MediaLibraryState;
......@@ -470,11 +471,18 @@ function uw_cfg_common_form_node_uw_ct_web_page_edit_form_alter(array &$form, Fo
/**
* Implements hook_form_FORM_ID_alter().
*
* Menu edit form: admin/structure/menu/manage/main.
*
* Prevent certain changes to the home page.
* Menu edit form: admin/structure/menu/manage/{menu}.
*/
function uw_cfg_common_form_menu_edit_form_alter(array &$form, FormStateInterface $form_state, string $form_id): void {
// Hide links to menu edit and delete for non-admin.
if (!\Drupal::currentUser()->hasPermission('administer menu')) {
foreach (Element::children($form['links']['links']) as $element_key) {
$form['links']['links'][$element_key]['operations']['#access'] = FALSE;
}
}
// Prevent certain changes to the home page.
//
// No changes for those with access.
if (\Drupal::currentUser()->hasPermission('bypass home page protection')) {
return;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment