If a user does not have access to the target of a link, the Views Link Area link still renders, and a user who clicks it gets "access denied". Based on the project description, I would expect this module checks permissions before rendering, but it does not:

"a real link ... gets all of the special handling and clean URL friendliness and base-path portability that any Drupal link gets."
project description

This patch adds a check for access permissions to the menu router item, but only if the path actually has a menu router item. So it will not check access permissions for paths that are external URLs or not handled by Drupal's menu router.

This feature (if it is not a bug) could possibly use a checkbox in the options form to enable/disable the permissions-check. However I can not think of a use-case where it would be desirable to disable the check for access permissions and so have excluded the options form setting in favour of simplicity for now.

These related issues have patches that are much more complicated and require non-trivial options forms and configuration compared to this patch.

Comments

kaido.toomingas’s picture

StatusFileSize
new2.14 KB

patch worked as designed :) Thanks. I did included file which includes your changes and http://drupal.org/node/996974. I dont know should I do it but it helps some people if there is some package which is patched and downloadable. Including myself.

Bevan’s picture

Thanks Kaido. Uploading patched versions of modules is generally a bad idea as it encourages less experienced developers to use "forked" modules, and they have no way of tracking the patches that are applied when they upgrade the module.

geek-merlin’s picture

Status: Needs review » Reviewed & tested by the community

a big thank you @kaido for this patch.
i wholeheartedly support the design decisions you explain in the description and appreciate the effort that you explain it.

patch applies cleanly and works like a charm.
code looks fine.
(at first i was puzzled about strtr($this->options['path'], $tokens); but this had to move some lines up which is fine)

Bevan’s picture

Status: Reviewed & tested by the community » Needs review

axel.rutz; To test this, did you apply the patch from the issue description or download the module from comment #1?

Can you add more detail about what exactly you reviewed and tested? E.g. code logic review, code style review, links to external sites, internal links to non-drupal resources, links that drupal path aliases, links that are drupal system paths, as user with access permission, as user without access permission, etc.

Thank you.

geek-merlin’s picture

Status: Needs review » Reviewed & tested by the community

* took the patch from the issue description
* reviewed the code as of: it does what it announces and has no serious style issues
(hey, it's 5 lines + comments, no big deal!)
* tested: link is rendered for user with access permission, not rendered if no permission

Bevan’s picture

Thanks! :)

geek-merlin’s picture

Priority: Normal » Major

daring to raise prio as i wouold call this expected behavior

Bevan’s picture

Thanks Axel; I somewhat agree, but the project homepage does not specify this as a feature or expected behaviour. Though I agree that it seems within the realms of something this module should do.

However the real bottle neck here is that the maintainer is working on other more significant contributions to Drupal. He may be open to co-maintainers. I might be interested.

geek-merlin’s picture

+1 for your application ;-)
you may count me in for limited help.

anybody’s picture

Patch works great and should be integrated into the next release!!

Perhaps this would have been an alternative:
http://api.drupal.org/api/drupal/includes!path.inc/function/drupal_valid_path/7

Bevan’s picture

Indeed. Thanks for highlighting that.

anybody’s picture

Assigned: Unassigned » anybody
Status: Reviewed & tested by the community » Needs review

The patch has been integrated into the latest 7.x-1.x DEV release.

Please test and review it. If everything is fine with this dev release I will create a new stable release asap!

geek-merlin’s picture

You are right in #10 - our code essentially tries to duplicate drupal_valid_path().
So factoring that out is most kitten friendly.

geek-merlin’s picture

Here's a followup patch for that.
I'm using it in production.

joachim’s picture

Status: Needs review » Needs work

Patch makes sense, though as it's a cleanup it does confuse this issue a bit.

Needs a couple of tweaks to conform to coding standards though:

+++ b/views_handler_area_link.inc
@@ -86,11 +86,8 @@ class views_handler_area_link extends views_handler_area {
+      if(!drupal_valid_path($path)) {

You need a space after the 'if'. Also the comment should be wrapped to 80 lines.

minoroffense’s picture

Status: Needs work » Needs review
StatusFileSize
new1.76 KB

Ran the patch from #14 through the Drupal coding standards fixer tool in TextMate. Should be good now.

geek-merlin’s picture

Issue summary: View changes
Status: Needs review » Reviewed & tested by the community

Patch applies cleanly and access is (still) honored.

joachim’s picture

Status: Reviewed & tested by the community » Needs work

Just needs a few tweaks, sorry!

  1. +++ b/views_handler_area_link.inc
    @@ -1,7 +1,5 @@
     <?php
    -
     class views_handler_area_link extends views_handler_area {
    -
    
    @@ -139,3 +135,4 @@ class views_handler_area_link extends views_handler_area {
     }
    +
    

    Patch has surplus whitespace changes I'm afraid.

  2. +++ b/views_handler_area_link.inc
    @@ -86,11 +85,8 @@ class views_handler_area_link extends views_handler_area {
    +      // Check that path is valid and user has access to it. External paths are fine.
    

    This line needs to be wrapped to 80 chars.

minoroffense’s picture

You mean the comment needs to be trimmed to 80? Not the class definition right?

As for the whitespace I'll remove it.

joachim’s picture

Yup, comments need to be wrapped to 80. The class def is fine.

mariacha1’s picture

Status: Needs work » Needs review
StatusFileSize
new1.66 KB
new708 bytes

Quick reroll of the patch with phpcs errors avoided with an interdiff between this and #16.

joachim’s picture

Status: Needs review » Needs work

Patch has unrelated changes I'm afraid:

  1. +++ b/views_handler_area_link.inc
    @@ -1,7 +1,5 @@
    -
     class views_handler_area_link extends views_handler_area {
    -
    

    Still has these whitespace fixes which aren't relevant.

  2. +++ b/views_handler_area_link.inc
    @@ -45,7 +43,8 @@ class views_handler_area_link extends views_handler_area {
    -    $count = 0; // This lets us prepare the key as we want it printed.
    +    // This lets us prepare the key as we want it printed.
    +    $count = 0;
    

    This is a fix, but again an unrelated one.

mariacha1’s picture

Status: Needs work » Needs review
StatusFileSize
new841 bytes
new639 bytes

Ah! I think I finally understand what you're talking about. :)

Here's hopefully the last patch, which really and truly solves the problem (as was done in #14) without adding unrelated PHPCS changes AND without adding any new PHPCS errors.

I'm including an interdiff between 14 and this as well.

geek-merlin’s picture

Code is beautiful ;-)

maxplus’s picture

Hi Thanks!

it works for me,
did not know that patch #23 was already included in the current dev.

geek-merlin’s picture

Status: Needs review » Fixed

so this is fixed as of #23.

We really need #2455609: Create 7.x-1.1 release...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.