The file admin_views/plugins/views_plugin_display_system.inc has had a hardcoded "access administration pages" permission added to its option definition (with the comment "This isn't actually used,").
This permission is checked during AJAX page refreshes, which means that on the Admin Content Files view provided by the File Entity module (which uses the "administer files" permission) some users cannot use the filters on the view.
Steps to recreate:
1. Create a user role with the "administer files" permission but NOT the "access administration pages" permission.
2. Log in as a user with that role. Visit /admin/content/file. The page will load as you have the correct permission.
3. Select a filter from the view and click "Apply". The results will not change, because the AJAX return rejected the request because the user does not have the "access administration pages" permission.
Comment | File | Size | Author |
---|---|---|---|
#23 | admin_views-n3096612-23.patch | 575 bytes | DamienMcKenna |
#12 | admin_views-n3096612-12.patch | 1.05 KB | DamienMcKenna |
#10 | admin_views-ajax_fails_permission-3096612-8-D7-1.7.patch | 1.01 KB | fprevos2 |
#8 | admin_views-ajax_fails_permission-3096612-6.patch | 1.08 KB | fprevos2 |
Comments
Comment #2
oskylark commented:
Ah good, glad I wasn't going crazy and someone else is seeing this. In my case I'm using the Views Autocomplete Filters module and that had stopped working in my System display views since upgrading to 7.x-1.7. Thanks for tracking down the permission in question.
The only way the AJAX autocomplete functionality is available now for any System display views is for roles that have the "access administration pages" permission (aka "Use the administration pages and help") or alternatively, the Views "Bypass views access control" permission set.
Comment #3
newaytech commented:
I came across this too. I looked at enabling the extra permission - but that opened up too many admin pages for our users. Instead - as a temporary workaround for now - I've simply disabled the AJAX option in the system view definition. Slightly slower UI - but no worries of users accessing things we'd rather not... I had to do the same for the admin/content view also.
Comment #4
GaëlG
A quick and dirty way to disable AJAX on admin views, if you have many websites to maintain:
Comment #5
marameodesign
Thank you for reporting this.
We have just updated a bunch of sites and will definitely use the quick and dirty way before they start emailing that things aren't working.
One question though: Is this something that will get solved in subsequent versions or should we simply disable Ajax for all admin views for users that we don't want to have "Use the administration pages and help" or "Bypass views access control"?
Thanks again!
Comment #6
MrDaleSmith at CTI Digital commented:
So far this ticket hasn't been acknowledged by the new maintainer of the module @marameodesign so there's no way of knowing.
Comment #7
drupalevangelist as a volunteer commented:
I am having the exact same issue with my users as well. Hope someone will be able to assist.
Thank you in advance.
Comment #8
fprevos2 at University of Ottawa commented:
Hi,
Here is a quick patch for the dev version to at least use a custom permission. I'll upload the patch for the 7.x-1.7 version soon.
Comment #9
DamienMcKenna
Comment #10
fprevos2 at University of Ottawa commented:
Here is a patch for the 7.x-1.7 version.
Comment #11
DamienMcKenna
Comment #12
DamienMcKenna
Rerolled after #2411193 was committed.
Comment #14
DamienMcKenna
Committed. Thank you all.
Comment #15
fprevos2 at University of Ottawa commented:
This patch works as a workaround to fix this issue for everyone that updated to the secure version. But for a long term solution, should we not try to use the access control defined in the view configuration?
Comment #16
DamienMcKenna
@fprevos2: Let's handle that in a follow-up issue.
Comment #17
coranda as a volunteer commented:
I have updated to the dev version but I'm still seeing this problem on /admin/people. Our Membership Secretary, who only has admin permission for users, can no longer filter the view to find particular members.
Anyone have any ideas? Is this a separate bug or have I misunderstood that the dev version is now patched?
Comment #18
MrDaleSmith at CTI Digital commented:
The patch provides a new permission which needs to be granted to users who need to access admin views in order for AJAX to work.
Comment #19
coranda as a volunteer commented:
Hmm, there's something I'm not getting here. I can see that the code implements hook_permission() but I can't find that permission anywhere on the permissions page. Where should it be? Under Views?
Comment #20
coranda as a volunteer commented:
I've loaded the permissions page, opened the page source and done a search for 'ajax' and the new permission is definitely not there. Any idea what I might have done wrong?
Comment #21
coranda as a volunteer commented:
I've put a Devel dd() call into admin_views_system_display_views_permission() but it appears that, when I go to the permissions page, this hook is not being called for some reason.
Comment #22
coranda as a volunteer commented:
I've now got the new permission to appear on the permissions page but to do that I had to change the name of the hook from
admin_views_system_display_views_permission()
to
admin_views_system_display_permission()
Can anyone explain to me why the original name has the '_views' included in it?
Comment #23
DamienMcKenna
Are you kidding me?
Sorry, that was my fault, when I moved the change to the admin_views_system_display submodule I didn't rename the function correctly.
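The naming failure discussed in comments #19 to #23, as an added example that is not part of the thread or of the admin_views code: Drupal 7 only calls a hook implementation whose function name is exactly `<module>_<hook>`, so a misnamed `hook_permission()` silently registers no permission and nobody can be granted it. The helpers `find_hook_implementation()` and `find_near_miss_hooks()` are hypothetical names, and the permission string is a placeholder because the thread does not quote the real one.

```php
<?php
// Added illustration: a stand-alone sketch of Drupal 7 hook discovery.

// Misnamed implementation as described in comment #22: the extra "_views"
// means the name does not match "<module>_permission".
function admin_views_system_display_views_permission() {
  return array(
    // Placeholder permission name; the real one is not quoted in this thread.
    'example admin views ajax permission' => array('title' => 'Example permission'),
  );
}

// Drupal 7 locates a hook by checking for a function named "<module>_<hook>"
// (this mirrors module_hook()); no other name is considered.
function find_hook_implementation($module, $hook) {
  $function = $module . '_' . $hook;
  return function_exists($function) ? $function : NULL;
}

// Lint-style check (hypothetical helper): list user-defined functions that
// start with the module prefix and end in "_<hook>" but are not the exact
// name Drupal will call. A hit here is a hook that will never fire.
function find_near_miss_hooks($module, $hook) {
  $expected = $module . '_' . $hook;
  $suffix = '_' . $hook;
  $defined = get_defined_functions();
  $near = array();
  foreach ($defined['user'] as $name) {
    $is_prefixed = strpos($name, $module . '_') === 0;
    $is_suffixed = substr($name, -strlen($suffix)) === $suffix;
    if ($is_prefixed && $is_suffixed && $name !== $expected) {
      $near[] = $name;
    }
  }
  return $near;
}

$module = 'admin_views_system_display';
// No exact match exists, so the permission never reaches the permissions page.
var_dump(find_hook_implementation($module, 'permission'));
// The misnamed function is reported as a near miss.
print_r(find_near_miss_hooks($module, 'permission'));
```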
Comment #24
coranda as a volunteer commented:
I thought I was going mad for a while there. :-)
Comment #26
DamienMcKenna
Committed. Thank you coranda.
Comment #27
drupalevangelist as a volunteer commented:
Thanks for your help!
Comment #28
drupalevangelist as a volunteer commented:
Thank you @fprevos2. #10 worked for me in D7.
Comment #30
cdmo commented:
Ah, glad this is a known issue and a fix is already committed. Thanks! Now a tagged release would be icing on top :)