Hi,
I'm deploying this module on a site for a client, the goal is for him not to be able to delete parent menus and menu items.
It's all working great, (he's not able to delete menu items anymore, add them.. the settings are good) except for one CRITICAL problem. When editing a menu item, he is able to see both the panels, to set permissions for the menu item, and grant permissions to users, even though he does not have access permissions to do so. He can easily set permissions to delete the item right from that panel!!!
Pictures tell 1000 words, so a few screenshots are attached.
This was one of the last modules I installed (was tweaking the access settings before handing the site over for the client's use). Just gotta fix this, then I can hand it over! Any ideas?
Jon.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | menu_item_access.patch | 497 bytes | emptyvoid |
| | access_settings_problem.png | 174.88 KB | JonGirard-1 |
| | access_permissions_ok.png | 264.23 KB | JonGirard-1 |
Comments
Comment #1
emptyvoid commented
Comment #2
emptyvoid commented
Ok, I am researching the security checks for the control panel.
The role should have the ability to create, edit, and maybe delete menu items. Otherwise they can't access it at all... or that is what it should be doing. (need to review logic)
How I understand the business rules
The key logic is: if the user is not assigned the "administer menu item access settings", one would assume that means that users can't administer security roles.
However, this assumes the permission right for the whole site, not an individual menu or menu item.
Extended security ideas
I think I may need to add an additional setting per menu and menu item to specify if a role or user can set the security permissions for that individual item. If I do provide this, it would have higher execution weight than the global settings.
So to explain the weight rules it would be:
2) Menu item Global Permissions (default settings)
1) Menu Item Permissions (per menu item)
Where layer 1 would always have priority over layer 2.
I also think it may be nice to have a button to clear the menu or menu item security to default to the global settings. hmm.. ideas abound.
Comment #3
emptyvoid commented
Ok, I created a very simple patch. Please apply it to your build and test it.
Comment #4
emptyvoid commented