Issue #2135445 by dww, Sam152, jessebeach, Mile23, Kristen Pol, Wim Leers, larowlan: Toolbar displays Manage tab even if the user is not permitted to see it

(cherry picked from commit 211c664)

Author: larowlan

modules/settings_tray/tests/src/FunctionalJavascript/SettingsTrayBlockFormTest.php

@@ -30,6 +30,7 @@ protected function setUp() {
 
     $user = $this->createUser([
       'administer blocks',
+      'access administration pages',
       'access contextual links',
       'access toolbar',
       'administer nodes',

modules/toolbar/tests/src/Functional/ToolbarAdminMenuTest.php

@@ -394,6 +394,23 @@ public function testExternalLink() {
     $this->assertRaw('title="External URL & escaped"');
   }
 
+  /**
+   * Tests that there is no Manage tab in the Toolbar for authenticated users.
+   *
+   * The authorized user should not have a Manage tab simply with the 'access
+   * toolbar' permission. They need 'access administration pages' for that.
+   */
+  public function testEmptyMenuTray() {
+    // Log out the admin user because we're testing restricted access.
+    $this->drupalLogout();
+    $this->drupalLogin($this->drupalCreateUser(['access toolbar']));
+    $this->assertResponse(200);
+    // @todo The toolbar div itself still has the id "toolbar-administration".
+    // @see https://www.drupal.org/project/drupal/issues/1044090
+    $this->assertSession()->elementExists('css', 'div[id=toolbar-administration]');
+    $this->assertSession()->elementNotExists('css', 'a[id=toolbar-item-administration]');
+  }
+
   /**
    * Get the hash value from the admin menu subtrees route path.
    *

modules/toolbar/tests/src/FunctionalJavascript/ToolbarIntegrationTest.php

@@ -22,6 +22,7 @@ class ToolbarIntegrationTest extends WebDriverTestBase {
   public function testToolbarToggling() {
     $admin_user = $this->drupalCreateUser([
       'access toolbar',
+      'access administration pages',
       'administer site configuration',
       'access content overview',
     ]);

modules/toolbar/toolbar.module

@@ -159,6 +159,18 @@ function toolbar_toolbar() {
     '#weight' => -20,
   ];
 
+  // If the current user cannot access administration pages, we can save a large
+  // amount of unnecessary work by ending here. It'd be better to actually know
+  // if the admin menu tree is empty for them, but trying to load that tree only
+  // happens in a #pre_render callback, and at that point, it's too late. The
+  // entire toolbar is rendered with the 'user.permissions' #cache context, so
+  // we can safely do this here and it'll still be cached correctly.
+  // @see toolbar_prerender_toolbar_administration_tray()
+  // @see toolbar_page_top()
+  if (!\Drupal::currentUser()->hasPermission('access administration pages')) {
+    return $items;
+  }
+
   // To conserve bandwidth, we only include the top-level links in the HTML.
   // The subtrees are fetched through a JSONP script that is generated at the
   // toolbar_subtrees route. We provide the JavaScript requesting that JSONP