Hi.

There are at least two manager interfaces receiving the option "update url alias" without checking the user's permissions.

The interfaces are the core manager for contents (nodes) and the core manager for users.

The code below is a suggested way to check the user's permissions and remove the option if the user doesn't have the administer and create url aliases permissions. We might work on the code so that, instead of removing the option, it avoids adding the option "update url alias" to the actions menu.

Credits for the code: @bember.

Please review it.


/**
 * Implements hook_form_alter().
 */
function pathauto_update_url_alias_form_alter(&$form, &$form_state, $form_id) {

  /* Remove the option from the node_admin_content's form if the user doesn't have the proper permissions. */
  if ( $form_id == 'node_admin_content' &&
       !user_access('administer url aliases') &&
       !user_access('create url aliases') &&
       isset($form['admin']['options']['operation']['#options']['pathauto_update_alias']) ) {
    unset($form['admin']['options']['operation']['#options']['pathauto_update_alias']);
  }

  /* Remove the option from the user_admin_account's form if the user doesn't have the proper permissions. */
  if ( $form_id == 'user_admin_account' &&
       !user_access('administer url aliases') &&
       !user_access('create url aliases') &&
       isset($form['options']['operation']['#options']['pathauto_update_alias']) ) {
    unset($form['options']['operation']['#options']['pathauto_update_alias']);
  }

}

Regards,
Gilsberty
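
The alternative mentioned in the post, not adding the operation in the first place, could look like the sketch below. It is an added example, not code from the post or from Pathauto itself. The helper names and the callback names and arguments (`pathauto_node_update_alias_multiple`, `pathauto_user_update_alias_multiple`) are assumptions and must be matched to the module's real bulk callbacks.

```php
<?php
/**
 * Hypothetical helper: TRUE if the current user may bulk-update aliases.
 * Mirrors the post's check: access is denied only when both permissions are missing.
 */
function _pathauto_bulk_alias_access() {
  return user_access('administer url aliases') || user_access('create url aliases');
}

/**
 * Hypothetical helper: builds the operation entry, or nothing without access.
 */
function _pathauto_bulk_alias_operation($callback) {
  if (!_pathauto_bulk_alias_access()) {
    // The option never reaches the form, so Form API rejects it if submitted.
    return array();
  }
  return array(
    'pathauto_update_alias' => array(
      'label' => t('Update URL alias'),
      'callback' => $callback,
    ),
  );
}

/** Implements hook_node_operations(). */
function pathauto_node_operations() {
  return _pathauto_bulk_alias_operation('_pathauto_guarded_node_update');
}

/** Implements hook_user_operations(). */
function pathauto_user_operations() {
  return _pathauto_bulk_alias_operation('_pathauto_guarded_user_update');
}

/** Re-checks access at execution time, in case the callback is reached another way. */
function _pathauto_guarded_node_update(array $nids) {
  if (_pathauto_bulk_alias_access()) {
    // Assumed existing Pathauto callback and arguments.
    pathauto_node_update_alias_multiple($nids, 'bulkupdate', array('message' => TRUE));
  }
}

/** Same guard for the user administration form. */
function _pathauto_guarded_user_update(array $uids) {
  if (_pathauto_bulk_alias_access()) {
    // Assumed existing Pathauto callback and arguments.
    pathauto_user_update_alias_multiple($uids, 'bulkupdate', array('message' => TRUE));
  }
}
```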