Menus editable without permission
| Project: | OG Menu |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Just stumbled upon an issue in og_menu's code where filtering of menu items may not sort out all menus for which you should not have access rights.
Look at this line:
`strpos($key, $menu['menu_name'])`
Now consider a case where you have two separate og menus called 'menu-abc' and 'menu-abcd'. In this case the group admin of group 'abc' would also get 'menu-abcd' displayed.
Attached you'll find patches for both og_menu 6.x-1.3 and 6.x-1.x-dev created from within the og_menu directory.
I'd also like to mention that it also would make sense to use hook_form_alter() to alter the menu settings in node edit forms which might expose the whole menu structure and not just the subtrees of groups where a user has admin permission.
| Attachment | Size |
|---|---|
| og_menu-dev.patch | 678 bytes |
| og_menu-1.3.patch | 678 bytes |
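
The prefix collision described in the report, as an added example (not code from og_menu or from the attached patches). It assumes the option keys have Drupal 6's `menu_name:mlid` form and that the result of `strpos()` is compared with `!== FALSE`; the sample data and both function names are constructed for illustration.

```php
<?php
// Constructed sample: parent-item options keyed "menu_name:mlid" (assumed format),
// using the 'menu-abc' / 'menu-abcd' names from the report.
$options = array(
  'menu-abc:0'      => '<ABC group menu>',
  'menu-abc:101'    => '-- ABC news',
  'menu-abcd:0'     => '<ABCD group menu>',
  'menu-abcd:205'   => '-- ABCD members',
  'primary-links:0' => '<Primary links>',
);
// Menus the current user may administer: group 'abc' only.
$allowed_menus = array(array('menu_name' => 'menu-abc'));

// Hypothetical helper: substring test built on the reported strpos() call.
// Any key that merely contains the menu name is kept.
function filter_by_substring(array $options, array $menus) {
  $kept = array();
  foreach ($options as $key => $label) {
    foreach ($menus as $menu) {
      if (strpos($key, $menu['menu_name']) !== FALSE) {
        $kept[$key] = $label;
      }
    }
  }
  return $kept;
}

// Hypothetical helper: take the part of the key before ':' and require
// the whole menu name to match, so 'menu-abcd' no longer matches 'menu-abc'.
function filter_by_exact_name(array $options, array $menus) {
  $names = array();
  foreach ($menus as $menu) {
    $names[$menu['menu_name']] = TRUE;
  }
  $kept = array();
  foreach ($options as $key => $label) {
    list($menu_name) = explode(':', $key, 2);
    if (isset($names[$menu_name])) {
      $kept[$key] = $label;
    }
  }
  return $kept;
}

// The substring filter keeps the 'menu-abcd' entries; the exact filter drops them.
print_r(array_keys(filter_by_substring($options, $allowed_menus)));
print_r(array_keys(filter_by_exact_name($options, $allowed_menus)));
```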
