If a user does not have access to the target of a link, the Views Link Area link still renders, and a user who clicks it gets "access denied". Based on the project description, I would expect this module checks permissions before rendering, but it does not:
"a real link ... gets all of the special handling and clean URL friendliness and base-path portability that any Drupal link gets."
— project description
This patch adds a check for access permissions to the menu router item, but only if the path actually has a menu router item. So it will not check access permissions for paths that are external URLs or not handled by Drupal's menu router.
This feature (if it is not a bug) could possibly use a checkbox in the options form to enable/disable the permissions-check. However I can not think of a use-case where it would be desirable to disable the check for access permissions and so have excluded the options form setting in favour of simplicity for now.
These related issues have patches that are much more complicated and require non-trivial options forms and configuration compared to this patch.
| Comment | File | Size | Author |
|---|---|---|---|
| #23 | interdiff-14-to-23.txt | 639 bytes | mariacha1 |
| #23 | 1451266-23-link-render-access.patch | 841 bytes | mariacha1 |
| #21 | interdiff.txt | 708 bytes | mariacha1 |
| #21 | 1451266-21-link-render-access.patch | 1.66 KB | mariacha1 |
| #16 | 1451266-16-link-render-access.patch | 1.76 KB | minoroffense |
Comments
Comment #1
kaido.toomingas commentedpatch worked as designed :) Thanks. I did included file which includes your changes and http://drupal.org/node/996974. I dont know should I do it but it helps some people if there is some package which is patched and downloadable. Including myself.
Comment #2
Bevan commentedThanks Kaido. Uploading patched versions of modules is generally a bad idea as it encourages less experienced developers to use "forked" modules, and they have no way of tracking the patches that are applied when they upgrade the module.
Comment #3
geek-merlina big thank you @kaido for this patch.
i wholeheartedly support the design decisions you explain in the description and appreciate the effort that you explain it.
patch applies cleanly and works like a charm.
code looks fine.
(at first i was puzzled about strtr($this->options['path'], $tokens); but this had to move some lines up which is fine)
Comment #4
Bevan commentedaxel.rutz; To test this, did you apply the patch from the issue description or download the module from comment #1?
Can you add more detail about what exactly you reviewed and tested? E.g. code logic review, code style review, links to external sites, internal links to non-drupal resources, links that drupal path aliases, links that are drupal system paths, as user with access permission, as user without access permission, etc.
Thank you.
Comment #5
geek-merlin* took the patch from the issue description
* reviewed the code as of: it does what it announces and has no serious style issues
(hey, it's 5 lines + comments, no big deal!)
* tested: link is rendered for user with access permission, not rendered if no permission
Comment #6
Bevan commentedThanks! :)
Comment #7
geek-merlindaring to raise prio as i wouold call this expected behavior
Comment #8
Bevan commentedThanks Axel; I somewhat agree, but the project homepage does not specify this as a feature or expected behaviour. Though I agree that it seems within the realms of something this module should do.
However the real bottle neck here is that the maintainer is working on other more significant contributions to Drupal. He may be open to co-maintainers. I might be interested.
Comment #9
geek-merlin+1 for your application ;-)
you may count me in for limited help.
Comment #10
anybodyPatch works great and should be integrated into the next release!!
Perhaps this would have been an alternative:
http://api.drupal.org/api/drupal/includes!path.inc/function/drupal_valid_path/7
Comment #11
Bevan commentedIndeed. Thanks for highlighting that.
Comment #12
anybodyThe patch has been integrated into the latest 7.x-1.x DEV release.
Please test and review it. If everything is fine with this dev release I will create a new stable release asap!
Comment #13
geek-merlinYou are right in #10 - our code essentially tries to duplicate drupal_valid_path().
So factoring that out is most kitten friendly.
Comment #14
geek-merlinHere's a followup patch for that.
I'm using it in production.
Comment #15
joachim commentedPatch makes sense, though as it's a cleanup it does confuse this issue a bit.
Needs a couple of tweaks to conform to coding standards though:
You need a space after the 'if'. Also the comment should be wrapped to 80 lines.
Comment #16
minoroffense commentedRan the patch from #14 through the Drupal coding standards fixer tool in TextMate. Should be good now.
Comment #17
geek-merlinPatch applies cleanly and access is (still) honored.
Comment #18
joachim commentedJust needs a few tweaks, sorry!
Patch has surplus whitespace changes I'm afraid.
This line needs to be wrapped to 80 chars.
Comment #19
minoroffense commentedYou mean the comment needs to be trimmed to 80? Not the class definition right?
As for the whitespace I'll remove it.
Comment #20
joachim commentedYup, comments need to be wrapped to 80. The class def is fine.
Comment #21
mariacha1 commentedQuick reroll of the patch with phpcs errors avoided with an interdiff between this and #16.
Comment #22
joachim commentedPatch has unrelated changes I'm afraid:
Still has these whitespace fixes which aren't relevant.
This is a fix, but again an unrelated one.
Comment #23
mariacha1 commentedAh! I think I finally understand what you're talking about. :)
Here's hopefully the last patch, which really and truly solves the problem (as was done in #14) without adding unrelated PHPCS changes AND without adding any new PHPCS errors.
I'm including an interdiff between 14 and this as well.
Comment #24
geek-merlinCode is beautiful ;-)
Comment #25
maxplus commentedHi Thanks!
it works for me,
did not know that patch #23 was already included in the current dev.
Comment #26
geek-merlinso this is fixed as of #23.
We really need #2455609: Create 7.x-1.1 release...