Implement access controller for the menu and menu link entity [#2012916]

Comment	File	Size	Author
#42	interdiff.txt	1.58 KB	andypost
#42	access-controllers-2012916-42.patch	12.67 KB	andypost

#38	interdiff.txt	2.08 KB	andypost
#38	access-controllers-2012916-38.patch	12.42 KB	andypost

#36	interdiff.txt	470 bytes	andypost
#36	access-controllers-2012916-36.patch	12.16 KB	andypost

#34	interdiff.txt	4.03 KB	andypost
#34	access-controllers-2012916-34.patch	12.16 KB	andypost

#33	interdiff.txt	1.24 KB	andypost
#33	access-controllers-2012916-33.patch	12.54 KB	andypost

#28	interdiff.txt	3.79 KB	andypost
#28	access-controllers-2012916-28.patch	12.54 KB	andypost

#27	interdiff.txt	765 bytes	andypost
#27	access-controllers-2012916-27.patch	10.59 KB	andypost

#26	interdiff.txt	3.03 KB	andypost
#26	access-controllers-2012916-26.patch	11.34 KB	andypost

#22	menu-access-controllers-2012916-22.patch	10.39 KB	pwieck

#16	access-controllers-2012916-15.patch	10.42 KB	andypost

#15	menu-access-controllers-2012916-15.patch	10.42 KB	Berdir

#11	account-interface-ups-2012916.patch	2.08 KB	Berdir

#1	access-controllers-2012916-1.patch	10.39 KB	andypost

Comment #1

andypost

he/him

Russian

CreditAttribution: andypost commented 5 June 2013 at 17:43

Status:

Active

» Needs review

File	Size
access-controllers-2012916-1.patch	10.39 KB

Re-roll of #1842850-8: Untangle menu_link access control from _menu_link_translate() and friends

Log in or register to post comments

Comment #2

5 June 2013 at 22:59

Status:	Needs review	» Needs work
Issue tags:	-Entity Access, -Entity Field API

The last submitted patch, access-controllers-2012916-1.patch, failed testing.

Log in or register to post comments

Comment #3

andypost

he/him

Russian

CreditAttribution: andypost commented 6 June 2013 at 00:06

Status:

Needs work

» Needs review

#1: access-controllers-2012916-1.patch queued for re-testing.

Log in or register to post comments

Comment #4

6 June 2013 at 00:48

Status:	Needs review	» Needs work
Issue tags:		+Entity Access, +Entity Field API

The last submitted patch, access-controllers-2012916-1.patch, failed testing.

Log in or register to post comments

Comment #5

andypost

he/him

Russian

CreditAttribution: andypost commented 6 June 2013 at 02:00

Status:

Needs work

» Needs review

Test passes locally

Log in or register to post comments

Comment #6

amateescu CreditAttribution: amateescu commented 6 June 2013 at 13:07

Status:

Needs review

» Reviewed & tested by the community

Looks good to me as a first step. We can deal with gutting _menu_link_translate() in the other issue.

Log in or register to post comments

Comment #7

catch

he/him

English

CreditAttribution: catch commented 12 June 2013 at 11:17

Status:

Reviewed & tested by the community

» Fixed

Looks good to me, following the other issue. Committed/pushed to 8.x.

Log in or register to post comments

Comment #8

andypost

he/him

Russian

CreditAttribution: andypost commented 12 June 2013 at 14:46

Status:

Fixed

» Reviewed & tested by the community

This one was not pushed

Log in or register to post comments

Comment #9

catch

he/him

English

CreditAttribution: catch commented 12 June 2013 at 14:52

Status:

Reviewed & tested by the community

» Fixed

git errored out on me with access denied... Now pushed.

Log in or register to post comments

Comment #10

andypost

he/him

Russian

CreditAttribution: andypost commented 12 June 2013 at 15:00

now ok

Log in or register to post comments

Comment #11

Berdir

German

Switzerland

CreditAttribution: Berdir commented 12 June 2013 at 16:37

Title:	Implement access controller for the menu and menu link entity	» HEAD BROKEN: Implement access controller for the menu and menu link entity
Status:	Fixed	» Needs review

File	Size
account-interface-ups-2012916.patch	2.08 KB

Not so ok :)

Wasn't retested and conflicted with AccountInterface. This should fix it, but it's untested.

Log in or register to post comments

Comment #12

catch

he/him

English

CreditAttribution: catch commented 12 June 2013 at 16:40

Status:

Needs review

» Fixed

Whoops and thanks, committed/pushed.

Log in or register to post comments

Comment #13

catch

he/him

English

CreditAttribution: catch commented 12 June 2013 at 16:46

Status:

Fixed

» Needs work

Actually reverted both the follow-up and the original patch, let's start back from this morning...

Log in or register to post comments

Comment #14

tim.plunkett

he/him

English

Philadelphia

CreditAttribution: tim.plunkett commented 12 June 2013 at 16:51

Title:

HEAD BROKEN: Implement access controller for the menu and menu link entity

» Implement access controller for the menu and menu link entity

Log in or register to post comments

Comment #15

Berdir

German

Switzerland

CreditAttribution: Berdir commented 12 June 2013 at 17:38

Status:

Needs work

» Needs review

File	Size
menu-access-controllers-2012916-15.patch	10.42 KB

Combined the two patches.

Log in or register to post comments

Comment #16

andypost

he/him

Russian

CreditAttribution: andypost commented 12 June 2013 at 17:43

File	Size
access-controllers-2012916-15.patch	10.42 KB

There was collision with #1825332: Introduce an AccountInterface to represent the current user

EDIT sorry, x-post

Log in or register to post comments

Comment #17

andypost

he/him

Russian

CreditAttribution: andypost commented 12 June 2013 at 17:43

patches are identical

Log in or register to post comments

Comment #18

andypost

he/him

Russian

CreditAttribution: andypost commented 14 June 2013 at 20:04

#15: menu-access-controllers-2012916-15.patch queued for re-testing.

Log in or register to post comments

Comment #19

andypost

he/him

Russian

CreditAttribution: andypost commented 14 June 2013 at 20:04

Status:

Needs review

» Reviewed & tested by the community

Patches are identical so Retest berdir's one

Log in or register to post comments

Comment #21

pwieck CreditAttribution: pwieck commented 17 June 2013 at 23:30

Working on reroll of #15

Log in or register to post comments

Comment #22

pwieck CreditAttribution: pwieck commented 17 June 2013 at 23:40

Status:

Needs work

» Needs review

File	Size
menu-access-controllers-2012916-22.patch	10.39 KB

rerolled.

Log in or register to post comments

Comment #23

Berdir

German

Switzerland

CreditAttribution: Berdir commented 18 June 2013 at 05:48

+++ b/core/modules/menu_link/lib/Drupal/menu_link/MenuLinkAccessController.phpundefined
@@ -0,0 +1,33 @@
+    $access = user_access('administer menu', $account);
+    if ($access && $operation == 'delete') {
+      // Only items created by the menu module can be deleted.
+      return $entity->module == 'menu';

Hm, so we have code for menu.module in the required menu_link.module.

We introduced a generic hook_$type_access() in the access controller base class, wondering if menu.module could implement this through that hook. Although I'm not quite sure how, maybe disallow delete by default and then menu.module allows to delete it's own menu links?

Log in or register to post comments

Comment #24

amateescu CreditAttribution: amateescu commented 18 June 2013 at 09:01

maybe disallow delete by default and then menu.module allows to delete it's own menu links?

Yes, I think that's a good plan.

Log in or register to post comments

Comment #25

Berdir

German

Switzerland

CreditAttribution: Berdir commented 18 June 2013 at 09:27

Status:	Needs review	» Needs work
Issue tags:	-Needs reroll

Let's do that then :)

Log in or register to post comments

Comment #26

andypost

he/him

Russian

CreditAttribution: andypost commented 30 July 2013 at 11:56

Status:

Needs work

» Needs review

File	Size
access-controllers-2012916-26.patch	11.34 KB

interdiff.txt	3.03 KB

New patch, reverted this questionable place to previous implementation!
... and removed deprecated user_access() calls

#24 Not sure it possible because 'administer menus' permission is defined in menu module which depends on menu_link

+++ /dev/nullundefined
@@ -1,37 +0,0 @@
-class DeleteLinkAccessCheck implements AccessCheckInterface {
...
-  public function access(Route $route, Request $request) {
-    if (user_access('administer menu') && $menu_link = $request->attributes->get('menu_link')) {
-      // Links defined via hook_menu may not be deleted. Updated items are an
-      // exception, as they can be broken.
-      return $menu_link->module !== 'system' || $menu_link->updated;

so it's a conversion

Log in or register to post comments

Comment #27

andypost

he/him

Russian

CreditAttribution: andypost commented 30 July 2013 at 12:01

File	Size
access-controllers-2012916-27.patch	10.59 KB

interdiff.txt	765 bytes

access check for delete now lives in EntityListController

Log in or register to post comments

Comment #28

andypost

he/him

Russian

CreditAttribution: andypost commented 30 July 2013 at 12:44

File	Size
access-controllers-2012916-28.patch	12.54 KB

interdiff.txt	3.79 KB

Digging deeper I found that _menu_overview_tree_form() uses different permissions. So introduced them and cleaned-up useless code.

Log in or register to post comments

Comment #29

30 July 2013 at 15:19

Status:	Needs review	» Needs work
Issue tags:	-Entity Access, -Entity Field API

The last submitted patch, access-controllers-2012916-28.patch, failed testing.

Log in or register to post comments

Comment #30

andypost

he/him

Russian

CreditAttribution: andypost commented 30 July 2013 at 15:39

Status:	Needs work	» Needs review
Issue tags:		+Entity Access, +Entity Field API

#28: access-controllers-2012916-28.patch queued for re-testing.

Log in or register to post comments

Comment #31

tim.plunkett

he/him

English

Philadelphia

CreditAttribution: tim.plunkett commented 30 July 2013 at 16:51

This looks like it overlaps with the RTBC #1984702: Convert menu.module's page callbacks to Controllers

Log in or register to post comments

Comment #32

30 July 2013 at 17:49

Status:

Needs review

» Needs work

The last submitted patch, access-controllers-2012916-28.patch, failed testing.

Log in or register to post comments

Comment #33

andypost

he/him

Russian

CreditAttribution: andypost commented 30 July 2013 at 18:13

Status:

Needs work

» Needs review

File	Size
access-controllers-2012916-33.patch	12.54 KB

interdiff.txt	1.24 KB

Broken test should pass now

@tim.plunkett I think it's ok, I'll re-roll if this one goes first

Log in or register to post comments

Comment #34

andypost

he/him

Russian

CreditAttribution: andypost commented 2 August 2013 at 17:29

File	Size
access-controllers-2012916-34.patch	12.16 KB

interdiff.txt	4.03 KB

Merge after #1984702: Convert menu.module's page callbacks to Controllers

And a bit more security fixes

Log in or register to post comments

Comment #35

2 August 2013 at 18:37

Status:

Needs review

» Needs work

The last submitted patch, access-controllers-2012916-34.patch, failed testing.

Log in or register to post comments

Comment #36

andypost

he/him

Russian

CreditAttribution: andypost commented 3 August 2013 at 00:46

Status:

Needs work

» Needs review

File	Size
access-controllers-2012916-36.patch	12.16 KB

interdiff.txt	470 bytes

we need stop to mix edit and update

Log in or register to post comments

Comment #37

3 August 2013 at 02:09

Status:

Needs review

» Needs work

The last submitted patch, access-controllers-2012916-36.patch, failed testing.

Log in or register to post comments

Comment #38

andypost

he/him

Russian

CreditAttribution: andypost commented 3 August 2013 at 17:33

Status:

Needs work

» Needs review

File	Size
access-controllers-2012916-38.patch	12.42 KB

interdiff.txt	2.08 KB

should be fine mostly

Log in or register to post comments

Comment #39

dawehner

German

CreditAttribution: dawehner commented 10 August 2013 at 10:15

@@ -0,0 +1,48 @@
+ * @see \Drupal\menu_link\Plugin\Core\Entity\MenuLink

Potentially we should also typehint the MenuLinkInterface

@@ -0,0 +1,34 @@
+    if ($operation == 'delete') {
...
+      $system_menus = menu_list_system_menus();
+      return !isset($system_menus[$entity->id()]);

Just wondering why we do not check for 'administer menu' as well.

@@ -0,0 +1,34 @@
+    return user_access('administer menu', $account);

This should be $account->hasPermission.

Log in or register to post comments

Comment #40

amateescu CreditAttribution: amateescu commented 10 August 2013 at 10:17

Status:

Needs review

» Reviewed & tested by the community

Looks great to me.

Log in or register to post comments

Comment #41

amateescu CreditAttribution: amateescu commented 10 August 2013 at 10:19

Status:

Reviewed & tested by the community

» Needs work

Except that I didn't catch that user_access() call.

Log in or register to post comments

Comment #42

andypost

he/him

Russian

CreditAttribution: andypost commented 10 August 2013 at 10:49

Status:	Needs work	» Needs review
Issue tags:		+CodeSprintCIS

File	Size
access-controllers-2012916-42.patch	12.67 KB

interdiff.txt	1.58 KB

MenuAccessController should live in system module where the entity defined, so moved current implementation with clean-up

Log in or register to post comments

Comment #43

amateescu CreditAttribution: amateescu commented 10 August 2013 at 12:42

Status:

Needs review

» Reviewed & tested by the community

Thanks!

Log in or register to post comments

Comment #44

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott commented 13 August 2013 at 14:32

Status:

Reviewed & tested by the community

» Fixed

Committed 972406d and pushed to 8.x. Thanks!

Log in or register to post comments

Comment #45

27 August 2013 at 14:41

Automatically closed -- issue fixed for 2 weeks with no activity.

Log in or register to post comments

Implement access controller for the menu and menu link entity

Problem/Motivation

Proposed resolution

API changes

Comments