Merge branch 'feature/ISTWCMS-4229-lkmorlan-protect-home-page' into '8.x-1.x'

ISTWCMS-4229: Protect home page See merge request !63

Merge branch 'feature/ISTWCMS-4229-lkmorlan-protect-home-page' into '8.x-1.x'
9f40db23 · Lily Yan · 73d8e962 · 84793d16 · 9f40db23 · 9f40db23
Commit 9f40db23 authored 4 years ago by Lily Yan
--- a/src/Access/UwNodeAccessCheck.php
+++ b/src/Access/UwNodeAccessCheck.php
@@ -6,6 +6,8 @@ use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Routing\Access\AccessInterface;
 use Drupal\Core\Routing\RouteMatchInterface;
 use Drupal\Core\Session\AccountInterface;
+use Drupal\menu_admin_per_menu\Access\MenuAdminPerMenuAccess;
+use Drupal\uw_cfg_common\Service\UWService;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 /**
@@ -21,10 +23,37 @@ class UwNodeAccessCheck implements AccessInterface {
   * @param \Drupal\Core\Session\AccountInterface $account
   *   Run access checks for this account.
   *
-   * @return \Drupal\Core\Access\AccessResultInterface
+   * @return \Drupal\Core\Access\AccessResult
   *   The access result.
   */
-  public function access(RouteMatchInterface $route_match, AccountInterface $account) {
+  public function access(RouteMatchInterface $route_match, AccountInterface $account): AccessResult {
+    $route_name = $route_match->getRouteName();
+    // Menu link edit pages.
+    if ($route_name === 'menu_ui.link_edit') {
+      $menu_link_plugin = $route_match->getParameter('menu_link_plugin');
+      // Only those with permission may edit home page menu entry.
+      if ($menu_link_plugin->getPluginId() === 'uw_base_profile.front_page') {
+        return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
+      }
+      else {
+        // Otherwise, default to access set in menu_admin_per_menu.
+        $menu_admin_per_menu = new MenuAdminPerMenuAccess();
+        return $menu_admin_per_menu->menuLinkAccess($account, $menu_link_plugin);
+      }
+    }
+    // Node delete pages.
+    if ($route_name === 'entity.node.delete_form') {
+      $node = $route_match->getParameter('node');
+      // Only those with permission may delete the home page.
+      if ($node && UWService::nodeIsHomePage((int) $node->id())) {
+        return $account->hasPermission('bypass home page protection') ? AccessResult::allowed() : AccessResult::forbidden();
+      }
+      else {
+        return AccessResult::allowed();
+      }
+    }
    // Get the node object, which is in the route match variable.
    $node = $route_match->getParameter('node');

--- a/src/Routing/UwNodeAccessRouteSubscriber.php
+++ b/src/Routing/UwNodeAccessRouteSubscriber.php
@@ -3,6 +3,7 @@
 namespace Drupal\uw_cfg_common\Routing;
 use Drupal\Core\Routing\RouteSubscriberBase;
+use Drupal\Core\Routing\RoutingEvents;
 use Symfony\Component\Routing\RouteCollection;
 /**
@@ -14,10 +15,29 @@ class UwNodeAccessRouteSubscriber extends RouteSubscriberBase {
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
-    // Change the route associated with node (/node/{nid}).
+    $access_route_names = [
-    if ($route = $collection->get('entity.node.canonical')) {
+      // Node pages (/node/{nid}).
-      $route->setRequirement('_custom_access', 'Drupal\uw_cfg_common\Access\UwNodeAccessCheck::access');
+      'entity.node.canonical',
+      // Menu link edit pages.
+      'menu_ui.link_edit',
+      // Node delete pages.
+      'entity.node.delete_form',
+    ];
+    foreach ($access_route_names as $route_name) {
+      if ($route = $collection->get($route_name)) {
+        $route->setRequirement('_custom_access', 'Drupal\uw_cfg_common\Access\UwNodeAccessCheck::access');
+      }
    }
  }
+  /**
+   * {@inheritdoc}
+   */
+  public static function getSubscribedEvents(): array {
+    // Run this implementation of alterRoutes() after menu_admin_per_menu, which
+    // has priority -220.
+    $events[RoutingEvents::ALTER] = ['onAlterRoutes', -300];
+    return $events;
+  }
 }
--- a/uw_cfg_common.module
+++ b/uw_cfg_common.module
@@ -7,6 +7,7 @@
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\uw_cfg_common\Service\UWService;
 use Drupal\webform\WebformInterface;
 use Drupal\webform\WebformSubmissionStorageInterface;
@@ -276,3 +277,86 @@ function uw_cfg_common_form_node_type_add_form_alter(&$form, FormStateInterface
  $form['submission']['preview_mode']['#default_value'] = 0;
 }
+/**
+ * Implements hook_form_FORM_ID_alter().
+ *
+ * Node edit form: node/NID/edit.
+ *
+ * Prevent certain changes to the home page.
+ */
+function uw_cfg_common_form_node_uw_ct_web_page_edit_form_alter(array &$form, FormStateInterface $form_state, string $form_id): void {
+  // No changes for those with access.
+  if (\Drupal::currentUser()->hasPermission('bypass home page protection')) {
+    return;
+  }
+  // Do not allow the home page to be parent of any item.
+  unset($form['menu']['link']['menu_parent']['#options']['main:uw_base_profile.front_page']);
+  // Early return if not editing home page.
+  $nid = (int) \Drupal::routeMatch()->getRawParameter('node');
+  if (!UWService::nodeIsHomePage($nid)) {
+    return;
+  }
+  // Remove access to certain controls.
+  $form['path']['#access'] = FALSE;
+  $form['promote']['#access'] = FALSE;
+  $form['sticky']['#access'] = FALSE;
+  // For 'menu', setting #access did not work for non-admins. So, also hide the
+  // sub-components and make it a container so that nothing appears on the page.
+  $form['menu']['#access'] = FALSE;
+  $form['menu']['#type'] = 'container';
+  $form['menu']['enabled']['#access'] = FALSE;
+  $form['menu']['link']['#access'] = FALSE;
+  // Hide delete link if no access. This should happen by itself, but does not.
+  if (!$form['actions']['delete']['#url']->access()) {
+    $form['actions']['delete']['#access'] = FALSE;
+  }
+}
+/**
+ * Implements hook_form_FORM_ID_alter().
+ *
+ * Menu edit form: admin/structure/menu/manage/main.
+ *
+ * Prevent certain changes to the home page.
+ */
+function uw_cfg_common_form_menu_edit_form_alter(array &$form, FormStateInterface $form_state, string $form_id): void {
+  // No changes for those with access.
+  if (\Drupal::currentUser()->hasPermission('bypass home page protection')) {
+    return;
+  }
+  // Return early if not editing "Main navigation" menu.
+  if (!isset($form['links']['links']['menu_plugin_id:uw_base_profile.front_page'])) {
+    return;
+  }
+  // Remove access to home page controls.
+  $form['links']['links']['menu_plugin_id:uw_base_profile.front_page']['enabled']['#access'] = FALSE;
+  $form['links']['links']['menu_plugin_id:uw_base_profile.front_page']['operations']['#access'] = FALSE;
+  $form['links']['links']['menu_plugin_id:uw_base_profile.front_page']['weight']['#access'] = FALSE;
+  // Make home page not draggable.
+  $key = array_search('draggable', $form['links']['links']['menu_plugin_id:uw_base_profile.front_page']['#attributes']['class'], TRUE);
+  unset($form['links']['links']['menu_plugin_id:uw_base_profile.front_page']['#attributes']['class'][$key]);
+}
+/**
+ * Implements hook_form_FORM_ID_alter().
+ *
+ * Menu link edit form: admin/structure/menu/link/LINK/edit.
+ *
+ * Do not allow the home page to be parent of any item.
+ */
+function uw_cfg_common_form_menu_link_edit_alter(array &$form, FormStateInterface $form_state, string $form_id): void {
+  // No changes for those with access.
+  if (\Drupal::currentUser()->hasPermission('bypass home page protection')) {
+    return;
+  }
+  // Do not allow the home page to be parent of any item.
+  unset($form['menu_parent']['#options']['main:uw_base_profile.front_page']);
+}