
Regression: Do not bypass route access with 'link to any page' permissions for menu links


Problem/Motivation

This check was added in #2323721-24: [sechole] Link field item and menu link information leakage.
This is caused by the following code in \Drupal\Core\Menu\DefaultMenuLinkTreeManipulators::menuLinkCheckAccess():

  protected function menuLinkCheckAccess(MenuLinkInterface $instance) {
    if ($this->account->hasPermission('link to any page')) {
      return TRUE;
    }
    // Use the definition here since that's a lot faster than creating a Url
    // object that we don't need.
    $definition = $instance->getPluginDefinition();
    // 'url' should only be populated for external links.
    if (!empty($definition['url']) && empty($definition['route_name'])) {
      $access = TRUE;
    }
    else {
      $access = $this->accessManager->checkNamedRoute($definition['route_name'], $definition['route_parameters'], $this->account);
    }
    return $access;
  }

In D7 there was hook_translated_menu_link_alter(), but it was removed according to the change record https://www.drupal.org/node/2226481
So there's no way to hide menu links except by overriding the menu.default_tree_manipulators service (protected method).

Background: while working on the masquerade module port for 8.x, I need to hide the Unmasquerade link while there's no flag in the session indicating that the user is masquerading.

Proposed resolution

Remove this check, and try to separate render access permissions from route.

Remaining tasks

discuss, patch

User interface changes

Menu links could be hidden for users with the 'link to any page' permission, and for UID1 too.

API changes

tbd
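
The difference between the current check and the proposed resolution, as an added stand-alone PHP model (not Drupal core code and not a patch from this issue). The Account and RouteAccess classes, the example.unmasquerade route name and the session array are hypothetical stand-ins; the model shows that a route whose own access check denies access is still reported as accessible for an account holding 'link to any page', and is denied once the permission shortcut is removed.

```php
<?php
// Added illustration: a stand-alone model, not Drupal core code.
// Account, RouteAccess and the route name are hypothetical stand-ins.

final class Account {
  public function __construct(private array $permissions) {}
  public function hasPermission(string $permission): bool {
    return in_array($permission, $this->permissions, TRUE);
  }
}

// Stand-in for the access manager: maps route names to access callbacks.
// Unknown routes are denied.
final class RouteAccess {
  public function __construct(private array $checks) {}
  public function checkNamedRoute(string $route, Account $account): bool {
    return isset($this->checks[$route]) && ($this->checks[$route])($account);
  }
}

// Proposed behaviour: the route's own access check always decides.
function linkAccessProposed(array $definition, Account $account, RouteAccess $routes): bool {
  // 'url' without 'route_name' means an external link, as in the issue's code.
  if (!empty($definition['url']) && empty($definition['route_name'])) {
    return TRUE;
  }
  return $routes->checkNamedRoute($definition['route_name'], $account);
}

// Behaviour described in the issue: the permission short-circuits
// the route access check, so the route callback is never consulted.
function linkAccessCurrent(array $definition, Account $account, RouteAccess $routes): bool {
  if ($account->hasPermission('link to any page')) {
    return TRUE;
  }
  return linkAccessProposed($definition, $account, $routes);
}

// Constructed sample: the session says the user is not masquerading,
// so the route's access callback denies access.
$session = ['masquerading' => FALSE];
$routes = new RouteAccess([
  'example.unmasquerade' => fn(Account $a): bool => $session['masquerading'],
]);
$link = ['route_name' => 'example.unmasquerade', 'route_parameters' => []];
$admin = new Account(['link to any page']);

var_dump(linkAccessCurrent($link, $admin, $routes));
var_dump(linkAccessProposed($link, $admin, $routes));
```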

