Contextual links are displayed (although unstyled) when the permission 'contextual admin links' is not granted (in rc1 and dev).

The only access check for 'contextual admin links' is in hook_init(), for determining if the CSS file is loaded:

/**
 * Implementation of hook_init().
 */
function contextual_init() {
  // Don't do anything if the user has no access.
  if (!user_access('contextual admin links')) {
    return;
  }

  $path = drupal_get_path('module', 'contextual');
  drupal_add_css($path .'/contextual.css');

}

While the user_access() call should also be placed here:

/**
 * Retrieve the admin links for a given object.
 */
function contextual_get_links($type, $object) {
   $links = array();
+  if (user_access('contextual admin links')) {
     $links = module_invoke_all('admin_link', $type, $object);
     drupal_alter('admin_link', $links, $type, $object);
+  }
   return $links;
 }
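
Review bot: the docblock on contextual_get_links() still reads "Retrieve the admin links for a given object." and does not mention that the function now returns an empty array when the user lacks 'contextual admin links'. Document that, because callers must treat an empty result as the normal no-access case. The added check could also use the early-return form that contextual_init() already uses, i.e. if (!user_access('contextual admin links')) { return $links; } placed right after $links = array();, which leaves the module_invoke_all() and drupal_alter() lines at their existing indentation. A test that views a node as a user who can edit it but does not have this permission, as in the reproduction steps, would guard against the check being dropped again.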

Reproduce by creating a user with a role that has 'administer nodes' permission or permission to update/delete a certain node type but doesn't have 'contextual admin links' permission. Create a node with that user account and view the node in (for example) Garland.

See attached patch.

Comment  File                     Size       Author
#1       contextual.module.patch  462 bytes  teezee

Comments

teezee’s picture

Status: new, Size: 462 bytes

Patch.

philbar’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.