Module Development

Add Access Checking to a Route for Drupal 8, 9, and 10

Every route should define its access control parameters. When you define routes in a module, you can limit who has access to those routes via different access control options. Route-level access control applies to the path. If your route defines a path like /journey/example, the access control configuration will determine whether to show the current user the page at the path defined by the route, or to have Drupal serve an "HTTP 403 Access Denied" message instead.

In this tutorial we'll look at different ways of adding access control to a route including:

  • Access based on the current user's roles and permissions
  • Access based on custom logic in a callback method
  • Logic in an access checker service

By the end of this tutorial, you should be able to add access control logic to your custom routes that will meet any requirement.