It appears to me that the Web File Manager settings page, i.e., http://xxx.org/admin/settings/webfm, is available to users with permission to "access administration pages," without regard to their "administer webfm" permissions setting.

I would think these settings are part of the administration of webfm. In any event, I believe there should be a setting to remove permission to view or change settings on this page.

I have users who I would like to authorize to perform some admin tasks, e.g., changing user settings such as blocked and active, but who I do not want to play with OS level settings like web settings.

Comments

nhck

Status: Active » Closed (fixed)

Thanks for reporting this, imho this has been fixed?

$items['admin/settings/webfm'] = array(
  'title' => 'Web File Manager',
  'description' => 'Configure root directories, default file permissions for uploads, upload size limits, attachments, permitted file extensions and formatting.',
  'file' => 'webfm.admin.inc',
  'page callback' => 'drupal_get_form',
  'page arguments' => array('webfm_admin_settings'),
  'access arguments' => array('administer webfm'),
  'type' => MENU_NORMAL_ITEM,
);
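
An added example, not part of the thread or of webfm's own code: a small PHP audit that walks a hook_menu()-style array and flags admin paths gated only by a generic permission such as "access administration pages", the condition the report describes. The helper name audit_menu_access() and the "reported" sample item are constructed for illustration; the "fixed" item reuses the access arguments quoted in the comment above.

```php
<?php
// Added example, not webfm code. audit_menu_access() is a hypothetical helper.

/**
 * Flags admin/* menu items that rely only on a generic permission.
 *
 * @param array $items   Menu items keyed by path, as returned by hook_menu().
 * @param array $generic Permissions considered too broad for a settings page
 *                       (assumption: adjust to the site's own policy).
 * @return array Findings keyed by path.
 */
function audit_menu_access(array $items, array $generic = array('access administration pages')) {
  $findings = array();
  foreach ($items as $path => $item) {
    if (strpos($path, 'admin/') !== 0) {
      continue; // Only administration paths are audited.
    }
    if (!isset($item['access arguments'])) {
      $findings[$path] = "no 'access arguments' set; review manually";
      continue;
    }
    // With no explicit 'access callback', Drupal checks the first access
    // argument as a permission through user_access().
    $callback = isset($item['access callback']) ? $item['access callback'] : 'user_access';
    $args = $item['access arguments'];
    $permission = isset($args[0]) ? $args[0] : NULL;
    if ($callback === 'user_access' && in_array($permission, $generic, TRUE)) {
      $findings[$path] = "gated only by generic permission '$permission'";
    }
  }
  return $findings;
}

// Constructed sample input: $reported models the behaviour in the report,
// $fixed uses the 'access arguments' from the item quoted in the comment.
$reported = array(
  'admin/settings/webfm' => array(
    'title' => 'Web File Manager',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('webfm_admin_settings'),
    'access arguments' => array('access administration pages'),
  ),
);
$fixed = $reported;
$fixed['admin/settings/webfm']['access arguments'] = array('administer webfm');

print_r(audit_menu_access($reported));
print_r(audit_menu_access($fixed));
```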