access perms too strong at admin/content

hunmonk - April 16, 2007 - 00:46
Project: Drupal
Version: 6.x-dev
Component: node.module
Category: bug report
Priority: normal
Assigned: hunmonk
Status: closed
Description

currently, the access perm for admin/content is 'administer site configuration'. now that the menu bubbling is gone, users cannot admin nodes unless they have both 'administer nodes' and 'administer site configuration' -- that's too much power to have to grant just to enable a user to admin nodes!

attached patch changes the menu perm for admin/content to the generic 'access administration pages', which i think is a more sensible perm level for that menu path

Attachment | Size | Status | Test result | Operations
admin_content_perm.patch | 710 bytes | Ignored | None | None

#1

keith.smith - June 24, 2007 - 01:34
Status: needs review » needs work

Patch no longer applies.

# patch -p0 < admin_content_perm.patch
patching file modules/node/node.module
Hunk #1 FAILED at 1127.
1 out of 1 hunk FAILED -- saving rejects to file modules/node/node.module.rej

#2

hunmonk - June 24, 2007 - 02:27
Status: needs work » needs review

updated patch attached.

Attachment | Size | Status | Test result | Operations
admin_perm.patch | 770 bytes | Ignored | None | None

#3

webchick - June 24, 2007 - 03:10
Status: needs review » reviewed & tested by the community

Tested and works. This makes a lot more sense. RTBC.

#4

pwolanin - June 24, 2007 - 15:39
Status: reviewed & tested by the community » needs review

Note that while menu links no longer "bubble", you *can* still make a link directly to admin/content/node and put it in the Navigation menu or a custom menu without this patch. The access to the page is not blocked, the user just can't see the link.

Actually a more sensible change for the permission might be to just remove that line. The user won't be able to see that link unless they have 'access administration pages', and this page will still inherit that permission from /admin. This makes more sense, otherwise users with 'administer comments', etc. won't be able to see their links without 'administer nodes' permission too.

However, we then need to apply the 'administer site configuration' permission to the RSS feed settings page, otherwise a user with just 'access administration pages' (or per the patch above, 'administer nodes') will be able to change the feed settings at admin/content/rss-publishing.

Attachment | Size | Status | Test result | Operations
admin_content_perm_1.patch | 1.38 KB | Ignored | None | None

#5

pwolanin - June 24, 2007 - 22:04

per feedback from chx on IRC - patch above is a bad idea, since then users may see a link to an empty page. This patch combines the two above - admin/content requires 'administer nodes' while admin/content/rss-publishing now explicitly requires 'administer site configuration' (before it inherited it from admin/content).

Attachment | Size | Status | Test result | Operations
admin_content_perm_2.patch | 1.43 KB | Ignored | None | None
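
The permission layouts discussed in #4 and #5, as an added example that is not part of the thread, its patches, or Drupal core: a simplified PHP model in which a path without its own 'access arguments' inherits from its nearest ancestor. The function names, the `routes()` helper and the 'administer nodes' guard on admin/content/node are assumptions made for illustration.

```php
<?php
// Simplified model of menu access inheritance; not Drupal core code.
// Route tables are constructed from the permissions named in this thread.
// Permission guarding $path: its own, else the nearest ancestor's.
function effective_permission(array $items, $path) {
  for ($parts = explode('/', $path); $parts; array_pop($parts)) {
    $candidate = implode('/', $parts);
    if (isset($items[$candidate]['access arguments'])) {
      return $items[$candidate]['access arguments'][0];
    }
  }
  return NULL; // nothing defined up the tree: can_open() then denies
}

// Page access depends only on the path's effective permission.
function can_open(array $items, $path, array $perms) {
  return in_array(effective_permission($items, $path), $perms, TRUE);
}

// A menu link is shown only if every ancestor link is accessible too.
function can_see_link(array $items, $path, array $perms) {
  $parts = explode('/', $path);
  for ($i = 1; $i <= count($parts); $i++) {
    if (!can_open($items, implode('/', array_slice($parts, 0, $i)), $perms)) {
      return FALSE;
    }
  }
  return TRUE;
}

// Hypothetical helper: one route table per permission layout (NULL = inherit).
function routes($content_perm, $rss_perm) {
  return [
    'admin' => ['access arguments' => ['access administration pages']],
    'admin/content' => ['access arguments' => [$content_perm]],
    'admin/content/node' => ['access arguments' => ['administer nodes']],
    'admin/content/rss-publishing' => $rss_perm ? ['access arguments' => [$rss_perm]] : [],
  ];
}

$node_admin = ['access administration pages', 'administer nodes'];
foreach ([
  'original' => routes('administer site configuration', NULL),
  'parent loosened, child inherits' => routes('administer nodes', NULL),
  'comment #5' => routes('administer nodes', 'administer site configuration'),
] as $name => $items) {
  $link = can_see_link($items, 'admin/content/node', $node_admin) ? 'yes' : 'no';
  $rss = can_open($items, 'admin/content/rss-publishing', $node_admin) ? 'yes' : 'no';
  printf("%-32s node link: %-3s rss page: %s\n", $name, $link, $rss);
}
```

For this user the original layout hides the node link, loosening admin/content alone shows the link but also opens the RSS settings page, and the layout from #5 shows the link while keeping that page closed.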

#6

dww - June 25, 2007 - 22:01
Status: needs review » reviewed & tested by the community

logic in the issue is sound, patch is clean (applies with minor offset), tested and works as expected. important bug fix. definitely RTBC.

#7

Gábor Hojtsy - June 28, 2007 - 00:53
Status: reviewed & tested by the community » fixed

Committed!

#8

Anonymous - July 12, 2007 - 01:16
Status: fixed » closed
 
 
