Empty admin categories are not hidden

The same problem is also reproducible for the "Site Building" menu - ie., even if the role has no permissions for any of the menu items in the menu, the menu itself is still displayed. I suspect the same thing might happen also for the "Site Configuration" menu.

This *is* a serious problem to me, as one of the main tasks I have when setting up a Drupal site is to 'dumb down' the admin interface for newbie users. Not being able to easily hide these menus means that the interface ends up being overly complicated for low-level admin users - like site editors, who have no business managing users, or playing around with the site configuration.

Currently, the only way to overcome this bug is to split the Administer menu into several menus (one for each role needed), and use the BLOCK permissions for each menu block individually. In my case, for instance, I ended up having to split the menu into "RegisteredUser", "SiteEditor" and "SiteAdmin" menus. This is not a proper solution, it is a time-consuming, inelegant hack. I end up with 3 or 4 separate menus, containing totally related functions that had to be split in order for me to be able to control role access to them - when they really should be under just a single menu.

I do not need several different menus. I need just ONE menu, that properly restricts its items' visibility according to the user's permissions.

I hope this will be fixed for D7.

That issue has been identified several months ago. Here is a first patch for it.

Confirmed this problem. Would be nice to back-port fix to 6.x as well.

Steps to reproduce:
- Create a role called "editor" and an "editor" user assigned to that role.
- Give the role both "administer nodes" and "access administration pages" permissions.
- Log in as "editor" and go to "Administration"
You'll see entries for Site building, etc. in the navigation menu even though those result in "Access denied" when you try to go there. See attached screenshot.

Let's get tests with this patch though to make sure this bug doesn't recur.

The code in #2 uses system_admin_menu_block() which does allot of extra stuff then is necessary to determine if there are children. Plus _system_settings_access doesn't seem like the right name for the access callback for two reasons.
1) It could be used by contrib, no need for private declaration (_).
2) It relates to other items besides settings.

In my attempt at this in #263616: Move SimpleTest out of "Site building" I used the following code:

Which alleviates the call to the other function.

Should think about the name of the function. The reasoning behind my choice is that the items that only display a list of children use system_admin_menu_block_page so it would only seem nature that system_admin_menu_block_page_access would be used for them.

@boomatower: Ok for the name change, it makes sense and I don't really care :)

The objective of using system_admin_menu_block() was to limit code duplication and database queries as most as possible. Your solution was not enough, because we also need to check for access of each menu item, not just count them.

I turned that issue around over and over, and came to the conclusion there is no better way.

I forgot to add: "... but of course, I only want to be proven wrong!"

Working on writing the test, and a few cleanup items along with it.

Thank you, everyone, for your superhumanly quick response to this!

I was wondering, if we are going to see a back-port of the fix in D6, as mentioned by webchick.

Adds test and changes access callback name per #4 and #5.

@icouto: Depends on what this is considered. If this is considered a bug/or necessary feature then it most likely will be. It would be useful as SimpleTest 6.x-2.x would use this and I'm sure there are others, not to mention default use-cases as per #3.

The test needs assertLink and assertNoLink: #297894: Add assertLink and assertNoLink to SimpleTest
which requires: #297869: Add xpath method to Simpletest and refactor existing tests

Will need those to get in first, but we can still review this patch. (although you will need to apply those.)

After patches applies test passes.

After applying the above patches and then applying this one tests pass.

Ran entire test suite with all passes.

Still applies after dbtng.

There is a bug with the last patch :

1. Give anonymous user these permissions :

access administration pages and administer blocks or access site reports.

2. Clear cache

3. Logout

4. Go to admin page >> Access denied, and no menu link

5. Refresh >> Notice error :

Hmmmm...two interesting things:

• The notice only comes up once...at least for me.
• Adding debug code it becomes clear that user_access() returns TRUE, but the $content is empty.

It would seem the issue is in the existing code not the new code, but yet it works without the new code....

When I run the site as anonymous I get:

There are three bugs here:

* Drupal don't use absolute paths for loading include files, and the current path can change, especially during the execution of shutdown functions. This is solved in #259623: Broken autoloader: convert includes/requires to use absolute paths. Please try that patch.
* Access control on /admin don't work properly, probably because system_admin_menu_block_page_access() recursively calls itself. For now, I disabled that access control on /admin.
* Hide descriptions/Show descriptions toggles didn't work for anonymous users (it was relying on a $user parameter). I changed this to use session for anonymous users.

Not to be overly picky on code comments, but:

An extra "that" or something?

I see this is another good use of compact mode, which I wholeheartedly approve. We don't use setting enough.

These are minor, so I'll leave at CNR and you can take care of them during the next substantive re-roll.

The last submitted patch failed testing.

Subscribing and marking for later review. Administration menu module users are suffering from this.

Here is an updated patch which applies against HEAD and fixes the comments in #16. It's working as expected for me.

- Renamed menu item access callback to system_admin_menu_block_access(), since the additional "page" suggested that it would be used for determining access to a page, but we are just checking admin block/category access here.

- Optimized system_admin_menu_block_access() to check for the user permissions first.

- Removed all changes related to compact mode, as those are unrelated to this issue. (please create a new issue, since the changes make sense)

- Renamed test case.

Also ran tests, tested manually with a test user (and having admin menu module installed) and everything seems to working properly.

This is a annoying bug - better title.

Changes in #20 make sense, but this is an old patch, and its test doesn't comply at all with our (relatively new) Test Writers Guidelines.

^^ Missing PHPDoc above the class.

^^ We don't PHPDoc overriden functions anymore.

^^ The PHPDoc description should probably better start with test*...

testEmptyHide() is a badly choosen function name.

As an end note: it's quite fun to shoot down one of your own old patches :)

After a BIG support session with Damien in IRC, this should (hopefully) be properly. :) (Thanks again!)

FYI: Damien moved the compact mode fixes to #352734: "Compact mode" switch doesn't work for anonymous users...

The last submitted patch failed testing.

The last submitted patch failed testing.

While working at #362834: Move statistics out of the administration pages and add permissions I noticed that MENU_ITEM_GROUPING has not been added to the new menu system in D7. As a result, we now have several functions that do pretty much the same. node_add_page() and system_admin_menu_block_page(). I think node_add_page() is a good candidate for a new MENU_ITEM_GROUPING. It needs some changes, but then it will do fine (See the patch in #362834).

However, that patch is not complete yet, since it displays a MENU_ITEM_GROUPING parent item even if there are no child items or if the user has no permission to access any of its child items. This is the point where chx told me to check out this issue.

1. I believe the names system_admin_menu_block() and system_admin_menu_block_page() are improper. They don't describe what the functions do in a short and simple fashion, nor do they make the functionality appear available to non-admin pages, which should be.
2. I suggest I suggest putting MENU_ITEM_GROUPING back in and let menu.inc automatically set menu_item_grouping() (as seen below) as the page callback. Menu.inc should also set special access callback that returns FALSE if there are no children or if the user has no permission to access them.
3. The access callback as described in #4 only checks if there are no child items, but it should also check if the user has permission to access those children. This could perhaps be done the easiest by creating a user_access_multiple() (issue), so multiple permissions can be checked at once.
<?php
/**
* List a menu item's children.
*
* @return string
*/
function menu_item_grouping() {
  $item = menu_get_item();
  $items = system_admin_menu_block($item);
  // Bypass the listing if only one child is available.
  if (count($items) == 1) {
    $item = array_shift($items);
    drupal_goto($item['href']);
  }
  return theme('menu_item_grouping', $items);
}

/**
* Theme a list of menu items.
*
* @param $items
*   The items as returned from system_admin_menu_block().
*
* @return string
*/
function theme_menu_item_grouping($items) {
  $output = '';

  if ($items) {
    $output = '<dl class="menu-item-grouping">';
    foreach ($items as $item) {
      $output .= '<dt>' . l($item['title'], $item['href'], $item['localized_options']) . '</dt>';
      $output .= '<dd>' . filter_xss_admin($item['description']) . '</dd>';
    }
    $output .= '</dl>';
  }
  return $output;
}
?>

The attached patch reintroduces MENU_ITEM_GROUPING as a menu item type. Such menu items automatically get a page callback that lists all the item's children, or redirects the user if there is only one child.

1. To do: Hide the menu item if there are no children. I must say I'm not sure if this is the way to go, since it could cause some links not to be visible anywhere, although they have been enabled at admin/build/menu.
2. To do: Check if the user has permission to access any children, otherwise hide the item.
3. Custom access callbacks should be used in parallel with the access callbacks from points 1 and 2.

See this patch in action at /node/add. See anything different? No? Exactly!

By the way: node_add_page() and similar obsolete functions have not yet been removed to keep this initial patch simple.

The attached patch also performs access control and should hide the item if a user has no access to child items. All issues pointed out in #29 are dealt with. I haven't yet tested the patch thoroughly, but it seems to work. Will do more testing as soon as I'm done with my other work here.

To do: display a message if there are no children to list.

The code responsible for the access check:

Benchmarks?

I have split the patch in two. After #363951: Reintroduction of MENU_ITEM_GROUPING gets submitted I'll post a new patch taking care of access control here. This will make benchmarking easier.

subscribe

Suscribe using Drupal 6.10.
Will drupal fix this to 6 version or will it be a solution for Drupal 7?

Subscribing too, if a Drupal 6 backport is on the cards.

Subscribing.

Subscribing and looking forward for d6 patch

Since #363951: Reintroduction of MENU_ITEM_GROUPING won't be committed (marked as won't fix), does this mean we're back to the patch in #20 above?

Rework of #23 (no longer applied and outdated).

• Make use of drupal_static().
• Implement callback for admin/development.
• Updated test for admin/development.

Patch looks good and works quite well. However there's still one edge case that isn't covered - if the user has the 'access administration pages' permission, but doesn't have access to _any_ of the sub menus, and if the help module is not enabled, then the 'Administer' menu item still appears in the navigation block and the message "You do not have any administrative items." appears when clicked.

It's an edge case (why would anyone give that permission to a user without giving them access to at least one sub-menu?!) and the message displayed is useful, but shouldn't that menu item not appear at all?

Actually this also change also needs to be implemented for the new top level admin menu admin/international in locale.module

I am not sure that is an issue since technically there is a menu item under "Administration". When help module is disabled the Administration menu item still displays. I attempted to add the check the the root "admin" item, but it causes an issue, possibly due to excessive looping.

Not sure we want to deal with that issue or perhaps save for follup patch. Either way this patch contains admin/international alteration.

I think it's good to go as is, just to summarise what this patch does:

• For each of the top level admin menu items (admin/build, admin/user, etc), it changes the access callback to be a new function system_admin_menu_block_page and gives it the params: path (e.g. 'admin/build') and the access permission.
• The function first checks that the user has the appropriate access, and if not returns FALSE.
• then checks if the user has access to any of the sub-menus, and if not it returns FALSE, which prevents the user from seeing the menu item

Yes. 'admin' & 'access administration pages' we need to tackle elsewhere.

Kick ass! I'm so happy to finally see this fixed! :D

Committed to HEAD! Marking "needs work" until it's documented in the 6.x => 7.x upgrade page.

Ultimately this is up to Gábor, of course, but given what was required to fix this in 7.x, I'm pretty sure we can't backport this to 6.x. It's an API change that requires module developers to make changes to their menu items' access callbacks. In addition to this being a mean thing to ask people 1.5 years after D6's initial release, it will result in hackish "if function_exists" workarounds in order for this to work for people not using the latest versions of Drupal 6. Granted, it'd only affect the handful of modules that define their own top-level admin blocks like OG, Panels, and Project. But still. Stable means stable.

Documentation added: http://drupal.org/node/224333#system_admin_menu_block_access

The last submitted patch failed testing.

Guess I'll just mark fixed unless anyone says otherwise.

Followup patch: #475348: Move admin/development menu category into system.module

Automatically closed -- issue fixed for 2 weeks with no activity.

should any fix be expected for drupal 6? In a different issue maybe?