Module Access Control [#35459]

If a user is granted access to "edit pages" (or survey, etc) but is denied "create pages" - they should not be able to see "create content > page".

- user is granted access to "edit page".
- user should not see "create content > page".

This also occurs with some other modules as well (survey is my other example).

Comments

Comment #1

greggles

he/him

English

Denver, Colorado, USA

CreditAttribution: greggles commented 26 January 2006 at 22:09

Component:	module system	» base system
Priority:	Critical	» Normal

This seems like "normal" priority rather than "critical". In order to be "critical" it has to really break the system.

Also, can you be more explicit what the access control settings are required to get to this point?

I tried to reproduce the bug but couldn't create the set of permissions that you mention.

Comment #2

Shane Birley CreditAttribution: Shane Birley commented 26 January 2006 at 23:04

To clarify, let's say we have a web site that has blogs and forums. If a non-administrator user is allowed to blog, but not create a forum topic, the menu system is set to:

create content
  -- blog entry

BUT, the information displayed on the main column of the site, the page that lists the types of content with their definitions, also displays the fact the web site can also make forum topics.

*  forum topic
A forum is a threaded discussion, enabling users to communicate about a particular topic.
* personal blog entry
A blog is a regularly updated journal or diary made up of individual posts shown in reversed chronological order. A blog is tightly coupled to the author so each user will have his 'own' blog.

So, if a non-administrator user clicks on it, they get an access denied error. I think the definitions list should also remove the "forum topic" information as the menu does. If the user can't create those content types, nor should they see the information listed and have a chance to see a denied message.

Does that help?