currently, the access perm for admin/content is 'administer site configuration'. now that the menu bubbling is gone, users cannot admin nodes unless they have both 'administer nodes' and 'administer site configuration' -- that's too much power to have to grant just to enable a user to admin nodes!

attached patch changes the menu perm for admin/content to the generic 'access administration pages', which i think is a more sensible perm level for that menu path


Comments

keith.smith’s picture

Status: Needs review » Needs work

Patch no longer applies.

# patch -p0 < admin_content_perm.patch
patching file modules/node/node.module
Hunk #1 FAILED at 1127.
1 out of 1 hunk FAILED -- saving rejects to file modules/node/node.module.rej

hunmonk’s picture

Status: Needs work » Needs review
FileSize
770 bytes

updated patch attached.

webchick’s picture

Status: Needs review » Reviewed & tested by the community

Tested and works. This makes a lot more sense. RTBC.

pwolanin’s picture

Status: Reviewed & tested by the community » Needs review
FileSize
1.38 KB

Note that while menu links no longer "bubble", you *can* still make a link directly to admin/content/node and put it in the Navigation menu or a custom menu without this patch. The access to the page is not blocked, the user just can't see the link.

Actually a more sensible change for the permission might be to just remove that line. The user won't be able to see that link unless they have 'access administration pages', and this page will still inherit that permission from /admin. This makes more sense, otherwise users with 'administer comments', etc. won't be able to see their links without 'administer nodes' permission too.

However, we then need to apply the 'administer site configuration' permission to the RSS feed settings page, otherwise a user with just 'access administration pages' (or per the patch above, 'administer nodes') will be able to change the feed settings at admin/content/rss-publishing.

pwolanin’s picture

FileSize
1.43 KB

per feedback from chx on IRC - patch above is a bad idea, since then users may see a link to an empty page. This patch combines the two above - admin/content requires 'administer nodes' while admin/content/rss-publishing now explicitly requires 'administer site configuration' (before it inherited it from admin/content).
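The inheritance effect discussed in this thread, as an added example that is not part of the issue or of any attached patch: a simplified model in which a path with no permission of its own takes the nearest parent's. The function names and sample arrays are assumptions made for illustration, and this is not Drupal's router code.

```php
<?php
// Simplified model of access inheritance between menu paths. Not Drupal's
// router code: the function names and sample arrays are constructed here.

// Permission guarding $path: its own 'access arguments', else the nearest parent's.
function effective_permission(array $items, $path) {
  $parts = explode('/', $path);
  while ($parts) {
    $candidate = implode('/', $parts);
    if (isset($items[$candidate]['access arguments'])) {
      return $items[$candidate]['access arguments'][0];
    }
    array_pop($parts); // nothing set here, fall back to the parent path
  }
  return NULL;
}

// Paths whose effective permission differs between two menu definitions.
function access_changes(array $before, array $after) {
  $changes = array();
  foreach (array_keys($before + $after) as $path) {
    $old = effective_permission($before, $path);
    $new = effective_permission($after, $path);
    if ($old !== $new) {
      $changes[$path] = "'$old' -> '$new'";
    }
  }
  return $changes;
}

// Constructed sample: the state described at the top of the issue.
$before = array(
  'admin' => array('access arguments' => array('access administration pages')),
  'admin/content' => array('access arguments' => array('administer site configuration')),
  'admin/content/node' => array('access arguments' => array('administer nodes')),
  'admin/content/rss-publishing' => array(), // inherits from admin/content
);

// Changing only the parent also changes what guards the RSS settings page.
$parent_only = $before;
$parent_only['admin/content']['access arguments'] = array('administer nodes');

// Pinning the child explicitly keeps its requirement unchanged.
$pinned = $parent_only;
$pinned['admin/content/rss-publishing']['access arguments'] = array('administer site configuration');

print_r(access_changes($before, $parent_only));
print_r(access_changes($before, $pinned));
```

The first diff lists both admin/content and admin/content/rss-publishing, the second only admin/content. Running the same comparison over the menu definitions before and after a permission change is a quick review check for children that silently inherit a weaker requirement.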

dww’s picture

Status: Needs review » Reviewed & tested by the community

logic in the issue is sound, patch is clean (applies with minor offset), tested and works as expected. important bug fix. definitely RTBC.

Gábor Hojtsy’s picture

Status: Reviewed & tested by the community » Fixed

Committed!

Anonymous’s picture

Status: Fixed » Closed (fixed)