Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This fieldset can be seen on Taxonomy term's edit page even for users without 'administer xmlsitemap'
permission (when user_access('administer xmlsitemap')
returns FALSE
), so I had to set my own module's weight to be higher than XML Sitemap module's weight, and then in a MYMODULE_form_taxonomy_form_term_alter()
, putting in a
$form['#after_build'][] = 'MYMODULE_form_taxonomy_form_term_alter_after_build';
and then in MYMODULE_form_taxonomy_form_term_alter_after_build()
, hide it with the following code:
if(!user_access('administer xmlsitemap')){
unset($form['xmlsitemap']);
}
But this should be done inside the module.
Comment | File | Size | Author |
---|---|---|---|
#12 | xmlsitemap-taxonomy-permission-1817124-6.patch | 1 KB | makangus |
#6 | xmlsitemap-taxonomy-permission-1817124-4.patch | 1.03 KB | makangus |
#2 | xmlsitemap-taxonomy-permission-1817124.patch | 1.76 KB | makangus |
XML_Sitemap_Taxonomy_edit_page.png | 6.15 KB | Sk8erPeter |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedThanks for the report.
Comment #2
makangus CreditAttribution: makangus commentedHow about this? The patch adds permission checking on the taxonomy vocab and taxonomy term forms.
Comment #3
Anonymous (not verified) CreditAttribution: Anonymous commentedDave this looks good to me, how about you?
Comment #4
Dave ReidI'm not sure why this is actually showing up. The function xmlsitemap_add_link_bundle_settings() specifically has this code:
Is another module ignoring the '#access' property of the fieldset?
Comment #5
Dave ReidComment #6
makangus CreditAttribution: makangus commentedI think I found the issue. In xmlsitemap_add_form_link_options(), the #access translates to permission for "administer xmlsitemap" OR "administer taxonomy". It should be "administer xmlsitemap" AND "administer taxonomy" instead. Attached a patch, please let me know if that breaks other things.
Comment #8
Sk8erPeter CreditAttribution: Sk8erPeter commented@makangus: I haven't tried applying this patch yet, but I think that's correct: the user who sees the mentioned fieldset HAS the "administer taxonomy" right, BUT does NOT have the "administer xmlsitemap" right, which means he shouldn't see the XML Sitemap settings. Thanks for creating the patch!
Comment #9
makangus CreditAttribution: makangus commented#6: xmlsitemap-taxonomy-permission-1817124-4.patch queued for re-testing.
Comment #11
makangus CreditAttribution: makangus commentedSeems the the patch and simpletest pointed out another issue in xmlsitemap_menu. The second part of the #access
xmlsitemap_link_bundle_access($bundle_info)
becomesuser_access('administer menus')
, but the permission to check for should be 'administer menu' (without the s) instead.Comment #12
makangus CreditAttribution: makangus commentedJust had a thought. The xmlsitemap_add_form_link_options() function is only called in hook_form_alter() functions, which means the user already has access to the form. I think we only need to check if the user has the 'administer xmlsitemap' permission for the fieldset. Thoughts?
Comment #13
Anonymous (not verified) CreditAttribution: Anonymous commentedNeither of these are correct. You need to concentrate on why xmlsitemap_link_bundle_access() is returning true. The or logic is correct.
Comment #14
makangus CreditAttribution: makangus commentedxmlsitemap_link_bundle_access() is returning true because the user has the access to 'Administer vocabularies and terms', but the user does not have access to 'Administer xmlsitemap'. Unless, it is by design that if the user has access to the taxonomy term he/she should have access to the xmlsitemap even without the 'Adminster xmlsitemap' permission.
My point for the last patch is, if the user does not have access to the taxonomy term, we wouldn't have gotten to the part where we need to check xmlsitemap_link_bundle_access(); on the other hand if the user does have access to the taxonomy term, we don't have to check xmlsitemap_link_bundle_access(), we already know the user has access.
Comment #15
Anonymous (not verified) CreditAttribution: Anonymous commentedIMO, xmlsitemap_link_bundle_access() should check for "administer xmlsitemap" privileges and we drop the specific check for it in xmlsitemap_add_form_link_options(). One of the problems I have is that these are generic functions that affect more than just taxonomy and a bundle could have more fine grained permissions to not allow the xmlsitemap fieldset to show on their specific form entries.
Comment #16
makangus CreditAttribution: makangus commentedearnie, maybe I am not understanding the issue correctly. Could you explain to me why the original OR logic is correct? Don't we want to give permission only when a user has access to administer xmlsitemap AND access to administer the bundle. The OR logic means a user can access without the administer xmlsitemap permission as long as they can administer the bundle.
Comment #17
Sk8erPeter CreditAttribution: Sk8erPeter commentedI don't understand why it would be good.
Isn't it in a contradiction with what you said later?
I agree with the bold quoted text. Which means the patch you created earlier should be fine in my opinion (haven't tried that yet).
Comment #18
makangus CreditAttribution: makangus commentedRight, the first quote I am describing what's happening(I said UNLESS IT IS BY DESIGN) and the second is what I think should happen.
Comment #19
Sk8erPeter CreditAttribution: Sk8erPeter commentedOh, OK, sorry, I misunderstood you. ;)
I agree with your opinion!
Comment #20
Anonymous (not verified) CreditAttribution: Anonymous commentedI've been on vacation, I need to review this further.
Comment #20.0
Anonymous (not verified) CreditAttribution: Anonymous commentedexplaining how to hide this stuff