In the file uc_advanced_catalog.pages.inc you find this code:

Line 121:

<?php
    // modded: add taxonomy edit link
    if ($catalog->tid != 0) {
      $output .= '<div class="uac-edit">'. l(t('Edit category'), 'admin/content/taxonomy/edit/term/'. $catalog->tid, array('query' => array('destination' => $_GET['q']))) .'</div>';
    }
    // end of mod
?>

and on line 266:

<?php
  // catalog description
  if ($catalog->tid != 0) {
    $output .= '<div class="uac-edit">'. l(t('Edit category'), 'admin/content/taxonomy/edit/term/'. $catalog->tid, array('query' => array('destination' => $_GET['q']))) .'</div>';
  }
?>

This created the issue that users without "administer taxonomy" who clicked on the link as well as search engines (assuming anonymous users had access to the catalog) would end up at an Access Denied page.

I made this minor modification.

On the first section:

<?php
// modded: add taxonomy edit link
    if ($catalog->tid != 0 && user_access('administer taxonomy')) {
      $output .= '<div class="uac-edit">'. l(t('Edit category'), 'admin/content/taxonomy/edit/term/'. $catalog->tid, array('query' => array('destination' => $_GET['q']))) .'</div>';
    }
?>

and on the second section:

<?php
  // catalog description
  if ($catalog->tid != 0 && user_access('administer taxonomy')) {
    $output .= '<div class="uac-edit">'. l(t('Edit category'), 'admin/content/taxonomy/edit/term/'. $catalog->tid, array('query' => array('destination' => $_GET['q']))) .'</div>';
  }
?>

This prevents the link from being displayed to users which cannot visit the page it leads to.

CommentFileSizeAuthor
#2 user-access-taxonomy-1302822-1.patch1.46 KBbonked

Comments

bonked’s picture

Will be uploading a patch for this.

bonked’s picture

StatusFileSize
new1.46 KB

This patch makes the changes described above against 6.x-2.x

bonked’s picture

Status: Active » Needs review
okokokok’s picture

Patch in #2 works for me.

mogtofu33’s picture

Assigned: Unassigned » mogtofu33
Category: task » bug
Status: Needs review » Fixed

This patch has been added on next dev snapshot (December 13, 2011).
Thank you for the report.
Regards.
Mog.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.