Project: MySite
Version: 5.x-2.15
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (won't fix)

Issue Summary

Hey there, just a quick comment about some weird permissions behaviour I noticed using the module. What I noticed is that all the users have a "Mysite" link in the navigation menu even though they don't have the access permissions to either create or even see mysites.

Furthermore, when a user that does not have permission actually clicks on the link, there is a message saying that he should log in to the site to create a mysite page, even though the user is already logged in...

Seems to me that if users don't have any permissions for the module, the menu element should not be seen at all?

What do you think?

Patchak

Comments

#1

I'm tempted to say that this is not a bug, but I can see cases where some roles could not create MySite pages.

By design, users have access to the 'MySite' menu item if they can access content -- remember that MySite is intended to be a motivation to join the site. As a result, users can 'see' MySite pages if they have the 'access content' permission.

Check the logic inside of mysite_view() if you have a chance. It sounds like logged in users are invoking the anonymous help when they shouldn't be. It's this section of the code:

<?php
  // we're not showing a list, then go to the right user page
  if ($user->uid > 0 && user_access('edit mysite')) {
    drupal_goto('mysite/'. $user->uid .'/view');
    return;
  }
  else {
    $output = theme('mysite_anonymous_help');
    return $output;
  }
?>

Perhaps it should be:

<?php
  // we're not showing a list, then go to the right user page
  if ($user->uid > 0) {
    if (user_access('edit mysite')) {
      drupal_goto('mysite/'. $user->uid .'/view');
    }
    else {
      drupal_access_denied();
    }
  }
  else {
    $output = theme('mysite_anonymous_help');
    return $output;
  }
?>

Or we should change this menu item:

<?php
  // default page view items
  $items[] = array('path' => 'mysite',
    'title' => mysite_sitename(),
    'callback' => 'mysite_view',
    'access' => user_access('access content'));
?>

To:

<?php
  // default page view items
  $items[] = array('path' => 'mysite',
    'title' => mysite_sitename(),
    'callback' => 'mysite_view',
    'access' => user_access('view all mysites'));
?>
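
The options from comment #1 modelled side by side, as an added example that is not part of the thread or of the MySite module's code. It is plain PHP with no Drupal calls; the accounts, their permission sets and the `model_*` function names are constructed for illustration.

```php
<?php
// Added illustration: plain PHP, no Drupal calls. The accounts, permission
// sets and model_* names are constructed for this example (uid 0 = anonymous).
$accounts = array(
  'anonymous'   => array('uid' => 0, 'perms' => array('access content')),
  'member'      => array('uid' => 7, 'perms' => array('access content')),
  'beta tester' => array('uid' => 9, 'perms' => array('access content', 'view all mysites', 'edit mysite')),
);

// Stand-in for a permission lookup on one account.
function model_user_access($perm, $account) {
  return in_array($perm, $account['perms'], TRUE);
}

// Callback as it stands: one combined test, so a logged-in account
// without 'edit mysite' falls through to the anonymous branch.
function model_view_current($account) {
  if ($account['uid'] > 0 && model_user_access('edit mysite', $account)) {
    return 'redirect to mysite/' . $account['uid'] . '/view';
  }
  return 'anonymous help text';
}

// Callback as proposed: login state and permission are tested separately.
function model_view_proposed($account) {
  if ($account['uid'] > 0) {
    return model_user_access('edit mysite', $account)
      ? 'redirect to mysite/' . $account['uid'] . '/view'
      : 'access denied';
  }
  return 'anonymous help text';
}

// What one account experiences: the menu-level check runs first, then the callback.
function model_outcome($account, $menu_perm, $callback) {
  if (!model_user_access($menu_perm, $account)) {
    return 'menu item hidden';
  }
  return 'menu item shown; click gives ' . $callback($account);
}

foreach ($accounts as $name => $account) {
  echo $name, "\n";
  echo '  current code: ', model_outcome($account, 'access content', 'model_view_current'), "\n";
  echo '  callback fix: ', model_outcome($account, 'access content', 'model_view_proposed'), "\n";
  echo '  menu fix:     ', model_outcome($account, 'view all mysites', 'model_view_current'), "\n";
}
?>
```

With these sample permissions the menu change hides the item from anonymous visitors as well as from the member account, because neither holds 'view all mysites'.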

#2

Yes I think there should be a permission to show mysites to certain roles, since in this case it does not really make sense cause users cannot create mysite pages, but they can see them, which causes the bug I described earlier. In my case I only want a certain beta test role to be able to use mysite, and it's not possible at this point.

thanks

#3

Yes. I'm cleaning up the menu for the 5.x.3 release, so this will get in then.

#4

Status: active » postponed

#5

Status: postponed » closed (won't fix)