Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Child of #2124749: [meta] Stop using $request->attributes->get(MAGIC_KEY) as a public API. Any ideas what to replace it with?
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | menu_admin-2239001-2.patch | 7.22 KB | dawehner |
Comments
Comment #1
dawehnerThis variable is used currently that links in admin/structure/menu also appear, even the admin don't have access. /user/register or user/login are the basic examples in core for that. Once we have the route match object we somehow could add an additional metadata to that.
In general we though cannot drop all access checking on there.
Comment #2
dawehnerI really wonder how crazy this idea can get.
Comment #3
dawehnerThis is solved properly by #2323721: [sechole] Link field item and menu link information leakage already.